Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

A good plan for a secure network setup

Posted on 2011-03-02
7
Medium Priority
?
554 Views
Last Modified: 2012-06-21
I have a hotel, with  Positouch System for the restaurant area which takes credit cards on about 6 terminals.
Plus a hotel network of computers which tie into a web-based reservation system. the web-based system allows for on-line bookings and payments. We have the server on premise, it ties into another server for local access to the database. The Possi system uses one Credit Card Processor, connecting by Internet ( with a fail-over dial-up). The hotel reservation system uses another provider - which is handled via the web.

I also maintain a wireless system for the guests.

I think I need a Netgear Router in bridge mode to connect to the Internet and link us via a switch for the hotel network (on a different sub net).
another NetGear router to connect the Possi system to - which in turn connects to the bridge.

I need to be able to access the Possi system from at least two or three hotel computers...I think I can do that with router settings.

I think I want a VPN to access an internal computer from florida and 30 miles away.

I need to have LofMeIn on the accountant's PC so he can log in for accounting.

I need the web server connected via a separate router - then to the bridge.

I need the wireless on its own sub net and connected to the hotel lan for interent service using its own DSL line (shared by one other computer).

does this sound right?
0
Comment
Question by:ri95
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 9

Accepted Solution

by:
rawinnlnx9 earned 2000 total points
ID: 35024006
You need just one router for this and one managed switch. The router will govern all of your WAN->WAN, WAN->LAN, LAN->WIRELESS, etc... rules and permissions by creating Network Objects which are groups of IP addresses or MAC addresses and applying permissions to them. You will need a switch for each subnet that comes out of the managed switch. LogMeIn will work without any trouble as it uses port 80 and 256-bit encryption so no other security is needed for that. If you want super secure you make all the computers connect via VPN into your protected server and you isolate it (on the managed switch). The wireless can be handled by a good router as well. I highly recommend you go here: http://www.sonicguard.com/TZ210Wireless.asp and check out the appliance I link to. It's spendy but it is extremely secure and very good at what it does.
0
 

Author Comment

by:ri95
ID: 35024057
Thanks - I have tried working with Sonicwall and found it difficult...don't you think NetGear has good units?
0
 
LVL 8

Expert Comment

by:nwtechdesk
ID: 35024114
I've seen too many netgear routers and switches fail.  Start with quality switches like HP Procurve and consider the Sonicwall as a good choice but a lower end choice.  The sonicwall is easy to work with if you use their built-in wizards.  Fortinet would be a better solution but it may not be in the budget.
0
Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

 
LVL 33

Expert Comment

by:digitap
ID: 35024340
i'm not sure i would rank the sonicwall on the lower end choice. in the end, it's how it's configured that makes the difference. but, you should get what you believe will be reliable and will be easy to work with. i would actually consider netgear to be a lower end choice, but that's me. HP makes good switches. i have a radiology group with two NSA 3200 in HA mode. i have about 15 site to site vpns connecting to a plethora of routers, ciso, juniper...even a linksys. we don't have any issues with the hardware. we've deployed an ssl-vpn appliance used to implement user VPN connections.

my comments to your question specifically:

I have a hotel, with  Positouch System for the restaurant area which takes credit cards on about 6 terminals.
Plus a hotel network of computers which tie into a web-based reservation system. the web-based system allows for on-line bookings and payments. We have the server on premise, it ties into another server for local access to the database. The Possi system uses one Credit Card Processor, connecting by Internet ( with a fail-over dial-up). The hotel reservation system uses another provider - which is handled via the web.

**since you have your internet web server tying into a internal database, i'd put the web server on a DMZ and open the appropriate ports back to the database. it's best practice anyway.

I also maintain a wireless system for the guests.

**sonicwall does wireless guest services well. although, i've never been impress with the guest authentication methods. of course, i've not implemented it with their NSA models...only the Pro Series models.

I think I need a Netgear Router in bridge mode to connect to the Internet and link us via a switch for the hotel network (on a different sub net).
another NetGear router to connect the Possi system to - which in turn connects to the bridge.

**Why? What type of security are you wanting to implement here? i can see different subnets, but don't understand the bridge mode configuration. the sonicwall has different interfaces that allow you to create different subnets and create firewall rules to filter traffic.  is this the direction you were thinking? with a decent L3 router, you could implement VLANs and access control lists to do the same thing if you didn't want the sonicwall.

I need to be able to access the Possi system from at least two or three hotel computers...I think I can do that with router settings.

**How are the hotels connected..MPLS, site to site VPN, what?

I think I want a VPN to access an internal computer from florida and 30 miles away.

**I'd implement the VPN at the firewall...sonicwall, juniper, watchguard, cisco...

I need to have LofMeIn on the accountant's PC so he can log in for accounting.

**If you have a firewall that supports VPN, then you can use a secure VPN connection with RDP.

I need the web server connected via a separate router - then to the bridge.

**Why? I'm going to reference here my comment above regarding the DMZ.

I need the wireless on its own sub net and connected to the hotel lan for interent service using its own DSL line (shared by one other computer).

**Why?
0
 

Author Comment

by:ri95
ID: 35026461
thanks for your answer -

I want to be secure going in and out.
I want the Posi on a separate network.
I want the guests to have no possibility of reaching my internal network.
There are no other hotels, just management coming in.
On the web server - it connects to the hotel server database to verify availability and it is the hotel database which processes the credit cards for the reservation system.
0
 

Author Closing Comment

by:ri95
ID: 35032717
Quick answer also.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35033607
curious. i guess i thought you wanted a discussion. i see you wanted something simpler. wished i hadn't spent so much time going through your question and responding. you might consider in the future putting that up front in your question so other experts don't waste their time on your question.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When posting a question about a Cisco ASA, Cisco Router or Cisco Switch, it can aid diagnosis if a suitably sanitised copy of the config is provided. It is much better to leave as much of the configuration as original as possible, as it could be tha…
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question