Network design question and router recommendations

I've been assigned a project where I need to use our current LAN and create 2 additional subnets - see diagram. I have all the hardware except the 'firewalls'. I was assuming I was going to use a router, but am open to suggestions.
(The router/firewalls would simply allow access from Network 1 into networks 2 & 3 from specific IPs (ACLs, I guess), i.e. - can route to &, etc.. but that's it.)

I am looking for 2 things....
1. Suggestions/recommendations on network design.

2. Devices to use as router or firewalls - assuming I don't need to spend $1500+ per router.

Any advice would be appreciated!

E.D. Network design

Garry Glendown (Consulting and Network/Security Specialist) commented:
Yes, e.g. taking a Fortinet FortiGate 110C as a basis, you could hook up the local users to one of the GigE ports, either the Web servers or App servers (depending on which one has to supply more bandwidth) to the other GigE port, then the other LAN port and Internet uplink to two of the remaining 8 100M Ethernet ports. All segments can then be nicely policed against each other, thereby blocking all unnecessary or unwanted data communication. In order to prevent a SPOF, you could also add a second FW as an active/passive or active/active solution, either at initial deployment or at a later time.

If necessary, segmentation could also be taken even further by setting up VLANs for each type of server or physical machine, but in most cases this would take the whole thing a bit far (at least for almost any customer I've come across ...)
edalzell (Author) commented:
FYI... local vendor just recommended HP A-MSR20 Series to use as the 'firewall'.... about $800 CND each. :-)
Garry Glendown (Consulting and Network/Security Specialist) commented:
What amount of bandwidth do you expect to transport over the links? What features do you require the firewalls to have? Simple packet-level ACL, stateful, content scanning, IDS/IDP?


You can use your router or layer 3 switch to control ACLs. However, it is a daunting task to do, especially when you have a lot of policies.

You might want to plan for the feature too; the traffic control will be on both sides, external to internal and vice versa. It is better for you to have dedicated router and firewall devices separately for easy maintenance and management.

The price of a firewall depends on what features you would like to have and the capacity of the device in terms of throughput and bandwidth. Here are some vendors of devices that you can choose from: HP TippingPoint (, Palo Alto (, Fortinet (, Netscreen (

They are expensive devices, but they do have ones for small business at a cheaper price; a few of them even offer home usage. The not-so-good side is that you have to maintain it every year at some percent of the sales value.

The other way to go is having a Linux box as firewall and IPS/IDS. There are a lot of Linux distros being delivered as IPS/IDS, like Devil Linux ( But based on our experience, you will have a hard time tuning, managing, patching and compiling it... fuuhhh.
edalzell (Author) commented:

What amount of bandwidth do you expect to transport over the links? Hard to say... maybe 200-300 concurrent connections. 10-20Mb at the most? (just guessing)

What features do you require the firewalls to have? just simple packet-level ACL.

Thanks! :-)
edalzell (Author) commented:

What's better to use, a 'firewall' or a router? Any thoughts on the HP A-MSR20?
I assume if it'll do layer 3, it'll work.....

I'd like something simple to manage, reliable, fit nicely into my rack.... and of course... not $2000 a piece. I must say, I do like HP products....

Garry Glendown (Consulting and Network/Security Specialist) commented:
For packet-level filtering, you don't really require much performance, especially with 20Mbit of bandwidth required ... e.g., Cisco's current ISR routers 880 would be able to handle that with a moderate ACL list. 890 series to be on the safe side as far as performance reserves go (880 series does 50kpps, 890 series 100kpps - maximum value with CEF; ACL filtering will cost you some of the performance of course).
As for the suggestion concerning a Linux box, that's another alternative, which you can also use to do additional tasks, like proxy, email forwarder/server, etc ... when you get into deeper stuff like Content scanning or IDS, I could recommend a Fortinet FortiGate unit ... they're rather inexpensive compared to the features they include. 10-20Mbit of firewall throughput is handled by the smallest unit already (30), though some features are not available with it due to CPU performance. I'd go with a 60C, which has something like 30Mbit/s Antivirus throughput, and up to 500Mbit (IIRC) of firewall throughput/250Mbit IDS.

A firewall has a different purpose than a router.

I have experience with Fortigate (FG - 7 units) and Palo Alto as UTM (Firewall + multi-function security device) and TippingPoint (5 units) as IPS/IDS.

FG and Palo do have policy-based routing and static routes, with support for BGP, RIP and OSPF for dynamic routing - but that is not the main job of a firewall, even if all the features are convenient. Most of the time the feature set is enough for you, and you can do most of it on the web GUI instead of the command line (CLI).

Routers, on the other hand, are excellent at managing network routes and have limited capabilities as a firewall. Most router commands are done through the CLI, which means you have to face some challenges when you have a lot of policies. ACLs also have limitations in terms of security compared to a firewall: an ACL only controls IP addresses, while a firewall goes into more detail at the packet level. That is why firewalls have definition updates like anti-virus.

The downside of a firewall is yearly maintenance, as you need to pay for updates every year; it may take around 30-70% of your initial purchase. You can ask the vendor about this. I did get some list prices a year back; for a SOHO office it will cost you around MYR 2,500 for the initial purchase, which is about CND 820. But you have to remember it has a renewal price each year at a fraction of the initial cost (which I do not have).

Having a Linux box is an alternative for a cheap firewall. I don't really suggest it to you based on our last experience - however, it is not so bad if you have a dry pocket.

Personally I have no experience with the MSR20, but it does have PBR; the product page does not spell out much to comment on routing. The page also does not say much on security features. You can compare each of FG, Palo or MSR20 - try to get the best of it.
edalzell (Author) commented:
khairil / Garry-G,

Thanks for the comments... I think I am leaning towards using firewalls now.
I quickly sketched up a possible diagram, placing the 'firewalls' where our vendor has suggested.

Do you see any issues with the mock-up?
I just want to get my diagram down before purchasing firewalls.... :-)

Thanks again!
khairil commented:
The diagram is usually unique to the organization, depending on what they are doing and how they want it to be.

Other things you need to consider:
1. Having an active or passive unit for HA/backup in case your firewall goes down, to avoid a single point of failure.
2. You do not need to purchase 3 firewalls even though the diagram shows 3. Use any available port and configure the policy to route traffic through that port for the different segments.
3. Do not be over-protective; you might downgrade your application performance.
4. Open only the needed ports in the policies to the server.
5. You also might want to consider external access for your users and applications; I am not seeing any external access (the Internet) besides what I assume is your remote site.
6. Make a budget for annual renewal.
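As an added illustration (not code from the thread or from any of the vendors named in it), here is a small Python model of the policy discussed above: one firewall with a port per segment, a few permits for specific hosts from the user segment into the server segments, an explicit deny-all at the end, plus a check for shadowed rules, the kind of mistake that creeps in once a policy list gets long. The subnet addresses, the admin host and the ports are constructed placeholders, since the thread elides the real ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network    # source prefix (a /32 host or a whole segment)
    dst: ipaddress.IPv4Network    # destination prefix
    dport: Optional[int]          # TCP/UDP destination port, None = any port
    action: str                   # "permit" or "deny"


# Constructed placeholder addressing; the thread does not give the real segments.
ANY = ipaddress.ip_network("0.0.0.0/0")
USERS = ipaddress.ip_network("10.1.0.0/24")   # Network 1: local users
WEB = ipaddress.ip_network("10.2.0.0/24")     # Network 2: web servers (DMZ port)
APP = ipaddress.ip_network("10.3.0.0/24")     # Network 3: app servers (DMZ port)
ADMIN = ipaddress.ip_network("10.1.0.10/32")  # the one user host allowed through

# First match wins, as on a router ACL. The explicit deny-all at the end
# documents the default instead of relying on an implicit one.
POLICY: List[Rule] = [
    Rule(ADMIN, WEB, 443, "permit"),   # admin host -> web tier, HTTPS only
    Rule(ADMIN, APP, 22, "permit"),    # admin host -> app tier, SSH only
    Rule(WEB, APP, 8080, "permit"),    # web tier -> app tier API port
    Rule(ANY, ANY, None, "deny"),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first rule matching this packet, or deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if src in rule.src and dst in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"   # implicit deny when nothing matches


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already match `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.dport in (None, inner.dport))


def shadowed(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(policy)
            if any(covers(policy[i], r) for i in range(j))]
```

Run `shadowed()` over a policy before pushing it: a rule it reports as shadowed is either dead weight or, worse, a deny that a broader earlier permit silently disables.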
Garry Glendown (Consulting and Network/Security Specialist) commented:
Nowadays, firewall performance doesn't warrant fragmenting the network that far ... most current firewalls support more than just two interfaces, allowing for additional network branches, like one or more DMZ areas.

I'd just go ahead and move the web loadbalancer and web servers to either one or two DMZ ports of the firewall, same for the internal app servers (I assume the cloud on the left is also the internet uplink?)
For internet access for your users, activate content scanners to protect against virus/malware, for the servers run some IDS/IPS features (though, be prepared to invest time frequently to keep stuff up to date and check logs - an IDS is no silver bullet)
Not quite sure why you have your local users in between the internet and the "DMZ" like area ...
edalzell (Author) commented:

Ok, just to confirm... Connect both the and the network to the same firewall, just different (DMZ?) ports.

All users are sitting on the network - the other networks don't need to get to the internet.
(not sure if this is what you are getting at...)
The local users sit behind a firewall (, WAN users connect via Internet to same appliance.

Let me know if I'm being clear.... :-)

Thanks, your feedback and suggestions are helping!
