Solved

Network design question and router recommendations

Posted on 2011-09-22
12
Medium Priority
339 Views
Last Modified: 2012-08-13
I've been assigned a project where I need to use our current LAN and create 2 additional subnets - see diagram. I have all the hardware except the 'firewalls'. I was assuming I was going to use a router, but am open to suggestions.
(The router/firewalls would simply allow access from Network 1 into networks 2 & 3 from specific IPs (ACLs, I guess), i.e. 192.168.0.10 can route to 192.168.250.0 & 192.168.0.240, etc., but that's it.)

I am looking for 2 things....
1. Suggestions/recommendations on network design.

2. Devices to use as router or firewalls - assuming I don't need to spend $1500+ per router.

Any advice would be appreciated!

E.D. Network design
0
Comment
Question by:edalzell
12 Comments
 

Author Comment

by:edalzell
ID: 36583127
FYI... local vendor just recommended HP A-MSR20 Series to use as the 'firewall'.... about $800 CND each. :-)
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36583167
What amount of bandwidth do you expect to transport over the links? What features do you require the firewalls to have? Simple packet-level ACL, stateful, content scanning, IDS/IDP?
0
 
LVL 13

Expert Comment

by:khairil
ID: 36583523
Hi,

You can use your router or a layer 3 switch to control ACLs. However, it is a daunting task to do, especially when you have a lot of policies.

You might want to plan for the future too; the traffic control will be on both sides, external to internal and vice versa. It is better for you to have dedicated router and firewall devices separately for easy maintenance and management.

The price of a firewall depends on what features you would like to have and the capacity of the device in terms of throughput and bandwidth. Here are some vendors of devices that you can choose from: HP TippingPoint (http://tippingpoint.com), Palo Alto (http://www.paloaltonetworks.com), Fortinet (http://www.fortinet.com), Netscreen (http://www.juniper.net).

They are expensive devices, but they do have ones for small business at a cheaper price; a few of them even offer one for home usage. The not so good side is, you have to maintain it every year with some percent of the sales value.

The other way to go is having a Linux box as firewall and IPS/IDS. There are a lot of Linux distros delivered as IPS/IDS, like Devil Linux (http://www.devil-linux.org). But based on our experience, you will have a hard time tuning and managing it and patching it and compiling it.. fuuhhh.
0

Author Comment

by:edalzell
ID: 36583572
Garry-G,

What amount of bandwidth do you expect to transport over the links? Hard to say... maybe 200-300 concurrent connections. 10-20Mb at the most? (just guessing)

What features do you require the firewalls to have? just simple packet-level ACL.

Thanks! :-)
0
 

Author Comment

by:edalzell
ID: 36583633
Khairil,

What's better to use, a 'firewall' or a router? Any thoughts on the HP A-MSR20?
I assume if it'll do layer 3, it'll work.....

I'd like something simple to manage, reliable, fit nicely into my rack.... and of course... not $2000 a piece. I must say, I do like HP products....

0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36583690
For packet-level filtering, you don't really require much performance, especially with 20Mbit of bandwidth required ... e.g., Cisco's current ISR routers 880 would be able to handle that with a moderate ACL list. 890 series to be on the safe side as far as performance reserves go (880 series does 50kpps, 890 series 100kpps - maximum value with CEF; ACL filtering will cost you some of the performance of course).
As for the suggestion concerning a Linux box, that's another alternative, which you can also use to do additional tasks, like proxy, email forwarder/server, etc ... when you get into deeper stuff like Content scanning or IDS, I could recommend a Fortinet FortiGate unit ... they're rather inexpensive compared to the features they include. 10-20Mbit of firewall throughput is handled by the smallest unit already (30), though some features are not available with it due to CPU performance. I'd go with a 60C, which has something like 30Mbit/s Antivirus throughput, and up to 500Mbit (IIRC) of firewall throughput/250Mbit IDS.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36584835
Hi,

Firewalls have a different purpose than routers.

I have experience with Fortigate (FG - 7 units) and Palo Alto as UTM (Firewall + multi-function security device) and TippingPoint (5 units) as IPS/IDS.

FG and Palo Alto do have policy-based routing, and static routes with support for BGP, RIP and OSPF for dynamic routing - but it is not the main job of a firewall, even if all the features are convenient. Most of the time the features are enough for you, and you can do most of it on the web GUI instead of the command line (CLI).

Routers, on the other hand, are excellent at managing network routes and have limited capabilities as a firewall. Most router commands are done thru the CLI, which means you have to face some challenges when you have a lot of policies. ACLs also have limitations in terms of security compared to a firewall, where an ACL only controls IP addresses; a firewall goes into more detail at the packet level. That is why firewalls have definition updates like anti-virus.

The downside of a firewall is yearly maintenance, as you need to pay for updates every year; it may take around 30-70% of your initial purchase. You can ask the vendor on this. I did get some list prices a year back; for a SOHO office it will cost you around MYR 2,500 for the initial purchase, which is about CND 820. But you have to remember it has a renewal price for each year at a fraction of the initial cost (which I do not have).

Having a Linux box is an alternative for a cheap firewall. I don't really suggest it to you based on our last experience - however, it is not so bad if you have a dry pocket.

Personally I have no experience with the MSR20, but it does have PBR; the product page does not spell out much to comment on routing. The page also does not say much on security features. You can compare each of FG, Palo or MSR20 - try to get the best of it.
0
 

Author Comment

by:edalzell
ID: 36586796
khairil / Garry-G,

Thanks for the comments... I think I am leaning towards using firewalls now.
I quickly sketched up a possible diagram, placing the 'firewalls' where our vendor has suggested.

Do you see any issues with mock up?
I just want to get my diagram down before purchasing firewalls.... :-)

Thanks again!
Network-Diagram.jpg
0
 
LVL 13

Assisted Solution

by:khairil
khairil earned 800 total points
ID: 36588757
The diagram is usually unique to the organization, depending on what they are doing and how they want it to be.

Other things you need to consider:
1. Having an Active or Passive unit for HA/backup in case your firewall goes down, to avoid a single point of failure.
2. You do not need to purchase 3 firewalls even though the diagram shows 3. Use any available port and configure the policy to route traffic thru the port for the different segments.
3. Do not be over-protective; you might downgrade your application performance.
4. Open only the needed ports on the policies to the server.
5. You also might want to consider external access to your users and applications; I am not seeing any external access (the Internet) besides what I assume is your remote site.
6. Make a budget for annual renewal.
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36590078
Nowadays, Firewall performance doesn't warrant fragmenting the network that far ... most current firewalls support more than just two interfaces, allowing for additional network branches, like one or more DMZ areas.

I'd just go ahead and move the web load balancer and web servers to either one or two DMZ ports of the firewall, same for the internal app servers (I assume the cloud on the left is also the internet uplink?)
For internet access for your users, activate content scanners to protect against virus/malware, for the servers run some IDS/IPS features (though, be prepared to invest time frequently to keep stuff up to date and check logs - an IDS is no silver bullet)
Not quite sure why you have your local users in between the internet and the "DMZ" like area ...
0
 

Author Comment

by:edalzell
ID: 36590809
Garry-G,

Ok, just to confirm... Connect both the 192.168.220.0 and the 192.168.240.0 network to the same firewall, just different (DMZ?) ports.

All users are sitting on the 192.168.0.0 network - the other networks don't need to get to the internet.
(not sure if this is what you are getting at...)
The local users sit behind a firewall (192.168.0.2), WAN users connect via Internet to same appliance.

Let me know if I'm being clear.... :-)

Thanks, your feedback and suggestions are helping!

E.D.
0
 
LVL 18

Accepted Solution

by:Garry Glendown
Garry Glendown earned 1200 total points
ID: 36591216
Yes, e.g. taking a Fortinet FortiGate 110C as a basis, you could hook up the local users to one of the GigE ports, either Web servers or App servers (depending on which one has to supply more bandwidth) to the other GigE port, then the other LAN port and Internet uplink to two of the remaining 8 100M ethernet ports. All segments can then be nicely policed against each other, thereby blocking all unnecessary or unwanted data communication. In order to prevent a SPOF, you could also add a second FW as an active/passive or active/active solution either at initial deployment, or also at a later time.

If necessary, segmentation could also be taken even further by setting up VLANs for each type of server or physical machine, but in most cases this would take the whole thing a bit far (at least for almost any customer I've come across ...)
0
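To make the "segments policed against each other" idea from the accepted solution concrete, here is an added example (not code from the thread, from Fortinet or from HP) that models a default-deny policy between the users, web DMZ and app segments as if each hung off its own firewall port. The /24 masks, the single admin host 192.168.0.10 and the port numbers are constructed assumptions; the thread names the subnets but not these details.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the segments named in the thread, each on its own
# firewall port. The /24 masks are an assumption; the thread gives none.
ZONES = {
    "users":   ipaddress.ip_network("192.168.0.0/24"),
    "web_dmz": ipaddress.ip_network("192.168.220.0/24"),
    "app":     ipaddress.ip_network("192.168.240.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # allowed sources (a /32 pins one host)
    dst_zone: str                # destination segment
    ports: frozenset             # allowed TCP destination ports

# Constructed allow-list: one admin host to the app servers, all users to the
# web tier on 443, web tier to app tier on 8080. Anything not listed is dropped.
POLICY = (
    Rule(ipaddress.ip_network("192.168.0.10/32"), "app", frozenset({22, 443})),
    Rule(ZONES["users"], "web_dmz", frozenset({443})),
    Rule(ZONES["web_dmz"], "app", frozenset({8080})),
)

def zone_of(ip):
    """Return the segment an address belongs to, or None if it is unknown."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, dport):
    """Decide one inter-segment flow the way a default-deny firewall would."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False                  # unknown segment: never trusted
    if src_zone == dst_zone:
        return True                   # same subnet never crosses the firewall
    # Rules are one-directional: web_dmz -> app does not imply app -> web_dmz.
    return any(src in r.src and r.dst_zone == dst_zone and dport in r.ports
               for r in POLICY)       # no match: default deny

if __name__ == "__main__":
    for flow in (("192.168.0.10", "192.168.240.5", 22),
                 ("192.168.0.11", "192.168.240.5", 22),
                 ("192.168.240.5", "192.168.220.8", 8080)):
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
```

Running the script prints one ALLOW/DENY line per sample flow, which is a quick way to sanity-check a planned rule set before typing it into the appliance.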
