What is the best practice network design?

I would like to know what's the best practice of network design. I found 3 designs as shown in the attachment.

First one - Use only one firewall with 3 interfaces (3 subnets)

Second one - Use 2 firewalls. From the aspect of security, I think this is the same as the first one. If I can add one more interface on the front firewall, I can simply remove the second firewall.

Third one - Use 2 firewalls. But there is nothing in the DMZ. The second firewall has 3 interfaces; the DMZ is there.

Question 1:
I think the first and second designs are the same, what do you think?

Question 2:
Do you think the third one is more secure than the others? Or is it too much?

Question 3:
Those designs here use ISA firewalls. If I replace all ISA firewalls by Cisco routers, it should make no difference? I have Cisco 2514 and 2501 routers, what kind of design can I do?


Don't think that the attachment got included in the post.

But let me comment in general on networks. First and foremost, your design should be determined by what you need to accomplish, by what you can afford, by what kind of data you are trying to protect and by what level of outside access you want to allow.

The key to securing any kind of network is a layered approach.  No one device is so good as to give you the level of protection that you probably need.

For example, I have two Cisco firewalls running in failover mode with no DMZ; so in effect I only have one active firewall running at any given time. I have an IDS/IPS device behind that as well as a web filtering device. Our decision on this equipment was based on the above listed criteria.

ISA, properly configured, can do a good job for you, but you have to harden it properly as well. For some good ISA hardening tips check out www.isaserver.org. The site has some great info on properly configuring your ISA server. We have abandoned ISA as a firewall and use it primarily for URL redirects coming in from the outside because the Cisco firewall, as good as it is, can't do that. But I feel that moving to the Cisco gave us more flexibility in creating the kind of firewall that we really needed.

You may get some good advice from EE, but if this is your first foray into setting up this kind of network, I would suggest partnering with someone who's done it before and can give you really good advice based on your specific needs.
wuitsung (Author) commented:
Sorry. I forgot...
Numbers 2 and 3 might be a little more secure simply because of the extra layer of firewall protection, but I go back to something that I said in my original post: the configuration and the extra effort to harden a firewall, especially with something like ISA, is key to making anything work. Then a second question becomes... do you need a DMZ? If so, 2 and 3 might be a better choice, but if it's done right, number one can work as well. And I would still invest in some IDS/IPS system to work alongside your firewall.

As I said in my first post, if you are doing this for the first time or this is a major change for you, partner with someone you trust to help you design the best solution for your particular needs.

Whether you choose Cisco ASA, SnapGear or a second ISA server should largely be determined based on your requirements and your budget.

Personally I use a SnapGear as my perimeter device, and an ISA Server as my back-end firewall. I use a SnapGear because I have a need for a moderately cheap multi-interface WAN firewall / router, and I use an ISA Server to support my external Outlook clients. To the best of my knowledge ISA Server is the only firewall that supports RPC over HTTPS. Also, because it's a back-end firewall I made it a member of the domain so I get all the wonderful aspects of AD integration. Going back to the perimeter device, there really isn't any functional reason why you can't use an ISA Server. It's just very expensive and harder to set up because Windows is very insecure.

Keep in mind too, the simpler the design the better. There is no point in creating an overly complicated network for the hell of it. It just makes it harder to troubleshoot.

wuitsung (Author) commented:
Can anyone answer directly to my questions above?
Jian An Lim (Solutions Architect) commented:

No. The first design and second design are totally different.
On the first design, you are relying on 1 server. If that server craps out, your network is gone.
On the second design, it is more like an SBS kind of design. It protects the internal network more. If someone wants to hack it, they have to go through 2 layers instead of one.

The second design and 3rd design are alike.
They both have front-end and back-end firewalls.

I don't see much difference between them (except one uses a front-end ISA firewall, the other uses Cisco).

Depending on budget, I would prefer to use the first design, as it is much easier to control. If you have full redundancy on that, it should be fine. Unless you have a business requirement to have 2 separate routers for other security purposes or other business reasons.

I am not a Cisco guru, but a router cannot do application level forwarding like a back-end ISA firewall. ISA has web publishing capability etc. that Cisco cannot replace. But I think it is just overkill. You can get around it by using multiple IP addresses.

wuitsung (Author) commented:
Thank you limjianan. Can you please explain application level forwarding in more detail? Do you mean if I use a Cisco router in the front end and I have a web server in the DMZ, then I cannot publish the web server if I only have one public IP?
I am not sure what you mean, but I think there should be a Port Forwarding option there, so I can open a port to the web server. It's like the option we have in a Linksys router.

Hi wuitsung,

An application layer firewall is a deep inspection firewall that is capable of understanding layer 7 protocols and forwarding packets based on its understanding of them. Most firewalls work at layer 3.
Jian An Lim (Solutions Architect) commented:
Let's say..

The above link is the ISA server functions...

For a normal Cisco, it won't be able to do everything.

For example, you have a public IP address xx.xx.xx.xx
and you have a web server x.x.x.15, a mail server x.x.x.16, a SharePoint server x.x.x.17, etc.

A Cisco won't be able to redirect the traffic according to application.

However, ISA Server is able to understand what you are trying to do. When you type www.xx.com it will redirect the traffic to .15, webmail.xx.com will redirect to .16, and sharepoint.xx.com will redirect to .17.

But in reality for business, we just buy more public IP addresses and allocate them to the servers.
It is much easier to set up.

wuitsung (Author) commented:
web server x.x.x.15, a mail server x.x.x.16, a sharepoint server x.x.x.17..

Are you talking about internal IPs? So you are saying a Cisco router doesn't have the feature (port-forwarding) like we have in a retail Linksys router?
Jian An Lim (Solutions Architect) commented:
Cisco routers and others have the feature of PORT forwarding.

I am not talking about PORT forwarding;
I am talking about application forwarding.

Let's say you want to have www.xxx.com, mail.xxx.com and sharepoint.xxx.com,
all of them you have to point to 1 IP address.

You have to put www.xx.com:80, mail.xxx.com:81, sharepoint.xxx.com:82.

But in ISA
you can keep www.xx.com, mail.xx.com, sharepoint.xxx.com and the ISA will know that when you type www.xx.com it points to .15, sharepoint is .17 and mail is .16 ... and this gives you an extra layer of security on your mail, SharePoint and www servers.

Cisco does not have such functions..

But as I said, in business, we usually just put multiple public addresses in to counter this issue.
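To make the distinction in the two comments above concrete (one public IP with per-port forwarding versus dispatching on the HTTP Host header), here is an added example that is not code from the thread and not how ISA Server is implemented; the hostnames, the 10.0.0.x back-end addresses and the port numbers are constructed placeholders:

```python
# Added example (not from the thread): port forwarding vs Host-header based
# "application forwarding". All addresses and hostnames are constructed.

from typing import Dict, Optional, Tuple

# Port forwarding (what a basic router does): the decision is made on the
# destination port only; the HTTP payload is never inspected.
PORT_FORWARD_TABLE: Dict[int, Tuple[str, int]] = {
    80: ("10.0.0.15", 80),   # www.example.com:80        -> web server
    81: ("10.0.0.16", 80),   # mail.example.com:81       -> mail server
    82: ("10.0.0.17", 80),   # sharepoint.example.com:82 -> SharePoint
}

# Layer-7 forwarding (the web-publishing idea): one public IP and one port,
# the request is parsed and dispatched on its Host header.
HOST_PUBLISH_TABLE: Dict[str, Tuple[str, int]] = {
    "www.example.com": ("10.0.0.15", 80),
    "webmail.example.com": ("10.0.0.16", 80),
    "sharepoint.example.com": ("10.0.0.17", 80),
}


def port_forward(dst_port: int) -> Optional[Tuple[str, int]]:
    """Router-style lookup: destination port decides, nothing else."""
    return PORT_FORWARD_TABLE.get(dst_port)


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header (no port, lower-cased) of a raw HTTP/1.1 request,
    or None when the request is malformed or carries no Host header."""
    try:
        head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None                      # non-ASCII headers: treat as malformed
    lines = head.split("\r\n")
    if len(lines[0].split(" ")) != 3:    # expect "METHOD SP target SP version"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def application_forward(raw_request: bytes) -> Optional[Tuple[str, int]]:
    """Publish-style dispatch: only requests for a known published hostname
    reach a back-end server; everything else is dropped before any server
    sees it, which is the extra layer the comment above refers to."""
    host = parse_host_header(raw_request)
    return HOST_PUBLISH_TABLE.get(host) if host is not None else None
```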