Solved

Network Design help

Posted on 2010-11-18 | 292 Views | Last Modified: 2012-05-10
Hello there,

I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS are used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch on which the ISP internet is connected. Then we have another D-Link switch which again the servers are connected to. I mean these servers have two NICs, one of these NICs is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (eBox). I have set up a machine for Zentyal. Now my question is: do I still need to have 2 D-Link switches on the local network, or will 1 D-Link do? I mean, how will the remote users connect now since the UTM has been placed between the internet and the local network? Please help me as I am not an expert in networking. Appreciate your help.

cheers
Zolf
Question by: zolf
Expert Comment by aleghart (ID: 34170715)
One switch will work, connected to the LAN side of your firewall.  Your application servers will sit on the LAN only.  Your firewall will have NAT rules to connect your outside users through the firewall and to the servers.

Each WAN IP address will be translated to the LAN IP address of the server.

Since your LAN users are already connecting to the servers with a LAN connection, there should be no change for them.  Your remote users won't know there's a difference either.

Expert Comment by SacTechGroup (ID: 34170719)
To be protected, all your servers need to be behind the Firewall/UTM.  This means no dual NICs.  You will forward the ports for the services you need (RDP) from the WAN to the LAN using rules or policies on the UTM.  The number of switches is irrelevant really.  The switches can both be on both the WAN and LAN networks at the same time.  A basic setup would look like ISP > router > UTM > switches > servers/workstations/printers.  You will now be able to control all WAN/LAN access from the UTM.

- don't worry about the switches, just use the number you need to provide enough ports.
- DO worry about what ports are open to the world

Author Comment by zolf (ID: 34170828)
So I will unplug the WAN NIC. On the firewall I will have NAT, e.g. saying users using RDP to 89.122.123.133 should be forwarded to the server's LAN IP 192.168.0.1.

Also the devices will be like this:

ISP > UTM > Switch > Server, Patch Panel, Wireless AP.

Expert Comment by aleghart (ID: 34170845)
ISP
"modem" or other handoff device
firewall
switch
LAN nodes (servers, desktops, printers, WAP)

A patch panel is infrastructure hardware, so it would not appear in a network diagram.  Similarly, you wouldn't list patch cables, wire in wall, jacks, etc.

I think you've got it down pat.

Assisted Solution by SacTechGroup (earned 200 total points, ID: 34170870)
zolf.  When you say 'unplug the WAN NIC' .. well, it depends.  If you are talking about your new UTM, then not necessarily.  Your UTM (like most) will have the WAN NIC connected to the ISP router while its LAN NIC will be connected to a LAN switch.  The UTM then bridges the LAN and WAN networks.

Your public static IPs will then answer on the UTM's WAN port and forward desired services to the specified servers/IPs on the LAN.  This forwarding happens by means of NAT rules and firewall policies.

That is a generalized overview.  There are many little steps in configuring the UTM that you will need to refer to its manual to figure out.  Typical setups include defining address book entries for hosts (your servers) and also specifying services (RDP uses port 3389).  Since you have multiple RDP servers you will need to use multiple public IPs (one each) or change the port on the secondary servers and make rules that match, etc.

Lots to be done

Author Comment by zolf (ID: 34170951)

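To make the two strategies in the answer above concrete (one public IP per RDP server, or one public IP with a different external port per server), here is a small added model of the UTM's DNAT table; it is example code written for this thread, not Zentyal's own configuration. The addresses are constructed RFC 5737/1918 samples, and the `eth0`/`eth1` interface names and the plain-iptables rendering are assumptions (Zentyal generates its own rules).

```python
# Added example (not from the thread or from Zentyal): a model of the DNAT table
# a UTM holds for two RDP application servers, plus equivalent raw iptables lines.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDP_PORT = 3389

@dataclass(frozen=True)
class DnatRule:
    public_ip: str     # address the UTM answers on (WAN side)
    public_port: int   # port the remote user connects to
    lan_ip: str        # application server behind the UTM
    lan_port: int      # port the server actually listens on

def build_rules(servers: List[str], public_ips: List[str]) -> List[DnatRule]:
    """One public IP per server when enough IPs exist; otherwise fan out
    distinct external ports on a single public IP (3389, 3390, ...)."""
    if len(public_ips) >= len(servers):
        return [DnatRule(pub, RDP_PORT, lan, RDP_PORT)
                for pub, lan in zip(public_ips, servers)]
    pub = public_ips[0]
    return [DnatRule(pub, RDP_PORT + i, lan, RDP_PORT)
            for i, lan in enumerate(servers)]

def translate(rules: List[DnatRule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Where an inbound TCP connection to dst_ip:dst_port lands; None means
    no rule matched, so the UTM's default-deny drops it at the WAN port."""
    for r in rules:
        if r.public_ip == dst_ip and r.public_port == dst_port:
            return (r.lan_ip, r.lan_port)
    return None

def exposed_ports(rules: List[DnatRule]) -> List[Tuple[str, int]]:
    """The 'what is open to the world' list worth reviewing after any change."""
    return sorted({(r.public_ip, r.public_port) for r in rules})

def iptables_lines(rules: List[DnatRule], wan_if: str = "eth0", lan_if: str = "eth1") -> List[str]:
    """Equivalent plain iptables DNAT + FORWARD rules (interface names assumed)."""
    out = []
    for r in rules:
        out.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {r.public_ip} -p tcp "
                   f"--dport {r.public_port} -j DNAT --to-destination {r.lan_ip}:{r.lan_port}")
        out.append(f"iptables -A FORWARD -i {wan_if} -o {lan_if} -d {r.lan_ip} -p tcp "
                   f"--dport {r.lan_port} -m conntrack --ctstate NEW -j ACCEPT")
    return out
```

Run `exposed_ports()` after every rule change: with a single public IP the second server shows up on 3390, which is exactly the extra world-reachable port the answer says to keep an eye on.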
aleghart:
>>A patch panel is infrastructure hardware
Appreciate your comments. You see, all the computers (45) in our network are connected to the patch panel. From what I understand, 1 port of the patch panel will be connected to 1 port of the switch, so that these computers will have access to each other and the internet. Correct?? Please clear my doubt.

SacTechGroup:
Thanks for that feedback. At present I have 4 NICs but only 2 are in use, one for the LAN and the other for WAN. Now, from what I have understood, I will have to enable another NIC on the UTM machine to allow RDP on the other AS.
This part I did not understand:
>>) or change the port on the secondary servers and make rules that match etc.

Author Comment by zolf (ID: 34170962)

SacTechGroup:

I meant the WAN NIC of the AS, which are at present connected directly to the internet. If I set up the UTM, then the WAN NIC which I have on these AS will not be needed; only the LAN NIC will be used. Correct??

Accepted Solution by aleghart (earned 300 total points, ID: 34170969)
The switch is what connects all of the computers into a LAN.  The patch panel is no different than a plug on the wall.  It just happens to terminate all of the remote jacks in your server closet.

The important concept is that _all_ network equipment must be patched into the switch(es).  In your case, a single 48-port switch would work fine.  If yours aren't that big, then you'll have to link them together.

"Dumb" switches (no routing) connect to each other with a single patch cable.  Newer switches don't require anything special...a straight-through patch cable in any port will work.  The switch will automatically turn the port into an uplink.  Older switches will have one or more designated ports with a manual uplink (MDI/MDIX) switch or button.

The second NICs in your application servers should no longer be required for WAN connections.  Use only the LAN NIC to the switch.

The firewall's WAN port plugs into your ISP's equipment.  The firewall LAN port plugs into your LAN switch.  You only need one WAN port and one LAN port on the firewall.

Author Comment by zolf (ID: 34194379)

On the AS NIC, do I also have to assign a Default Gateway, or is it not needed?

Expert Comment by aleghart (ID: 34199236)
Default gateway should be the LAN gateway IP address.  You could leave it blank, and let it "guess".  It might work...but really better to put the gateway in explicitly.  Some installations have two possible gateways: the internet router, and the network router.  Either will work, but using the internet router as a gateway may bypass some rules in place on the network router.  (That only applies if you have Layer3 switches for your network switches.)