

What is the best practice network design?

Posted on 2008-11-17
Medium Priority
Last Modified: 2013-11-16
I would like to know what the best practice of network design is. I found 3 designs, as shown in the attachment.

First one - Use only one firewall with 3 interfaces (3 subnets)

Second one - Use 2 firewalls. From the security point of view, I think this is the same as the first one. If I can add one more interface on the front firewall, I can simply remove the second firewall.

Third one - Use 2 firewalls. But there is nothing in the DMZ. The second firewall has 3 interfaces. The DMZ is there.

Question 1:
I think the first and second designs are the same, what do you think?
Question 2:
Do you think the third one is more secure than the others? Or is it too much?
Question 3:
Those designs use ISA firewalls. If I replace all ISA firewalls with Cisco routers, should it make no difference? I have Cisco 2514 and 2501 routers, what kind of design can I do?

Question by: wuitsung
LVL 28

Expert Comment

ID: 22982069
Don't think that the attachment got included in the post.

But let me comment in general on networks. First and foremost, your design should be determined by what you need to accomplish, by what you can afford, by what kind of data you are trying to protect, and by what level of outside access you want to allow.

The key to securing any kind of network is a layered approach. No one device is so good as to give you the level of protection that you probably need.

For example, I have two Cisco firewalls running in failover mode with no DMZ, so in effect I only have one active firewall running at any given time. I have an IDS/IPS device behind that as well as a web filtering device. Our decision on this equipment was based on the above listed criteria.

ISA, properly configured, can do a good job for you, but you have to harden it properly as well. For some good ISA hardening tips check out www.isaserver.org. The site has some great info on properly configuring your ISA server. We have abandoned ISA as a firewall and use it primarily for URL redirects coming in from the outside, because the Cisco firewall, as good as it is, can't do that. But I feel that moving to the Cisco gave us more flexibility in creating the kind of firewall that we really needed.

You may get some good advice from EE, but if this is your first foray into setting up this kind of network, I would suggest partnering with someone who's done it before and can give you really good advice based on your specific needs.

Author Comment

ID: 22982081
Sorry. I forgot...
LVL 28

Assisted Solution

jhyiesla earned 100 total points
ID: 22983913
Numbers 2 and 3 might be a little more secure simply because of the extra layer of firewall protection, but I go back to something that I said in my original post: the configuration and the extra effort to harden a firewall, especially with something like ISA, is key to making anything work. Then a second question becomes... do you need a DMZ? If so, 2 and 3 might be a better choice, but if it's done right, number one can work as well. And I would still invest in some IDS/IPS system to work alongside your firewall.

As I said in my first post, if you are doing this for the first time or this is a major change for you, partner with someone you trust to help you design the best solution for your particular needs.

Accepted Solution

oztrodamus earned 500 total points
ID: 22983936
Whether you choose Cisco ASA, SnapGear or a second ISA server should largely be determined based on your requirements and your budget.

Personally I use a SnapGear as my perimeter device, and an ISA Server as my back-end firewall. I use a SnapGear because I have a need for a moderately cheap multi-interface WAN firewall / router, and I use an ISA Server to support my external Outlook clients. To the best of my knowledge ISA Server is the only firewall that supports RPC over HTTPS. Also, because it's a back-end firewall I made it a member of the domain, so I get all the wonderful aspects of AD integration. Going back to the perimeter device, there really isn't any functional reason why you can't use an ISA Server. It's just very expensive and harder to set up, because Windows is very insecure.

Keep in mind too, the simpler the design the better. There is no point in creating an overly complicated network for the hell of it. It just makes it harder to troubleshoot.

Author Comment

ID: 22997628
Can anyone answer directly to my questions above?
LVL 37

Assisted Solution

by: Jian An Lim
Jian An Lim earned 600 total points
ID: 23012089

No. The first design and second design are totally different.
In the first design, you are relying on 1 server. If that server craps out, your network is gone.
The second design is more like an SBS kind of design. It protects the internal network more. If someone wants to hack it, they need to go through 2 layers instead of one.

The second design and 3rd design are alike.
They both have a front-end and a back-end firewall.

I don't see much difference between them (except one uses a front-end ISA firewall, the other uses Cisco).

Depending on budget, I would prefer to use the first design, as it is much easier to control. If you have full redundancy on that, it should be fine. Unless you have a business requirement to have 2 separate routers for other security purposes or other business reasons.


I am not a Cisco guru, but a router cannot do application level forwarding like a back-end ISA firewall. ISA has web publishing capability etc. that Cisco cannot replace. But I think it is just overkill. You can get around it by using multiple IP addresses.


Author Comment

ID: 23014171
Thank you limjianan. Can you please explain application level forwarding in more detail? Do you mean if I use a Cisco router in the front end and I have a web server in the DMZ, then I cannot publish the web server if I only have one public IP?
I am not sure what you mean, but I think there should be a Port Forwarding option there, so I can open a port to the web server. It's like the option we have in a Linksys router.


Assisted Solution

oztrodamus earned 500 total points
ID: 23017385
Hi Wuitsung,

An application layer firewall is a deep inspection firewall that is capable of understanding layer 7 protocols and forwarding packets based on its understanding of them. Most firewalls work at layer 3.
LVL 37

Assisted Solution

by: Jian An Lim
Jian An Lim earned 600 total points
ID: 23017808
Let's say...

The above link is the ISA server functions...

A normal Cisco won't be able to do everything.

For example, you have a public IP address xx.xx.xx.xx
and you have a web server x.x.x.15, a mail server x.x.x.16, a SharePoint server x.x.x.17, etc.

A Cisco won't be able to redirect the traffic according to application.

However, ISA Server is able to understand what you are trying to do. When you type www.xx.com it will redirect the traffic to .15, webmail.xx.com will redirect to .16, and sharepoint.xx.com will redirect to .17.

But in reality, for business, we just buy more public IP addresses and allocate them to the servers.
It is much easier to set up.


Author Comment

ID: 23018054
web server x.x.x.15, a mail server x.x.x.16, a SharePoint server x.x.x.17..

Are you talking about internal IPs? So you are saying a Cisco router doesn't have the feature (port forwarding) like we have in a retail Linksys router?
LVL 37

Assisted Solution

by: Jian An Lim
Jian An Lim earned 600 total points
ID: 23018290
Cisco routers and others have the feature of PORT forwarding.

I am not talking about PORT forwarding,
I am talking about application forwarding.

Let's say you want to have www.xxx.com, mail.xxx.com and sharepoint.xxx.com,
and all of them have to point to 1 IP address.

You have to use www.xx.com:80, mail.xxx.com:81, sharepoint.xxx.com:82.

But in ISA
you can keep www.xx.com, mail.xx.com, sharepoint.xxx.com, and the ISA will know that when you type www.xx.com it points to .15, sharepoint is .17 and mail is .16 ... and this gives you an extra layer of security on your mail, SharePoint and www servers.

Cisco does not have such functions..

But as I said, in business we usually just use multiple public addresses to counter this issue.
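The difference the last two posts draw, between port forwarding (a layer-3/4 decision keyed only on the destination port) and ISA-style web publishing (a layer-7 decision keyed on the HTTP Host header), as an added example that is not part of the original thread or of any ISA or Cisco code. The hostnames, the 10.0.0.0/24 prefix and the rule table are constructed; only the .15/.16/.17 last octets come from the thread. Unknown or ambiguous hosts are refused rather than guessed, which is the "extra layer of security" the post refers to.

```python
from typing import Dict, Optional, Tuple

Backend = Tuple[str, int]  # (back-end IP, back-end port)

# Constructed publishing rules: public hostname -> back-end server.
PUBLISHING_RULES: Dict[str, Backend] = {
    "www.example.com": ("10.0.0.15", 80),
    "webmail.example.com": ("10.0.0.16", 80),
    "sharepoint.example.com": ("10.0.0.17", 80),
}


def port_forward(dst_port: int, nat_table: Dict[int, Backend]) -> Optional[Backend]:
    """Layer-3/4 decision: the router sees only the destination port, so each
    published server needs its own public port (www:80, mail:81, sharepoint:82)."""
    return nat_table.get(dst_port)


def publish(raw_request: bytes, rules: Dict[str, Backend] = PUBLISHING_RULES) -> Optional[Backend]:
    """Layer-7 decision: parse the HTTP request head and choose a back-end by
    Host header.  Returns (ip, port), or None when the request must be dropped."""
    try:
        head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None  # non-ASCII header block is not a well-formed request
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None  # malformed request line
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return None  # missing or duplicated Host header: refuse rather than guess
    host = hosts[0].lower()
    if ":" in host and host.rsplit(":", 1)[1].isdigit():
        host = host.rsplit(":", 1)[0]  # drop an explicit port, e.g. "www.example.com:443"
    return rules.get(host)  # None for any hostname that is not published


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n"
    print(publish(req))                                     # ('10.0.0.16', 80)
    print(port_forward(81, {80: ("10.0.0.15", 80), 81: ("10.0.0.16", 80)}))
```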
