Solved

Network design question and router recommendations

Posted on 2011-09-22
Last Modified: 2012-08-13
I've been assigned a project where I need to use our current LAN and create 2 additional subnets - see diagram. I have all the hardware except the 'firewalls'. I was assuming I was going to use a router, but am open to suggestions.
(The router/firewalls would simply allow access from Network 1 into networks 2 & 3 from specific IPs (ACLs, I guess), i.e. 192.168.0.10 can route to 192.168.250.0 & 192.168.0.240, etc.. but that's it.)

I am looking for 2 things....
1. Suggestions/recommendations on network design.

2. Devices to use as router or firewalls - assuming I don't need to spend $1500+ per router.

Any advice would be appreciated!

E.D. Network design
0
Comment
Question by:edalzell
12 Comments
 

Author Comment

by:edalzell
Comment Utility
FYI... local vendor just recommended HP A-MSR20 Series to use as the 'firewall'.... about $800 CND each. :-)
0
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
What amount of bandwidth do you expect to transport over the links? What features do you require the firewalls to have? Simple packet-level ACL, stateful, content scanning, IDS/IDP?
0
 
LVL 13

Expert Comment

by:khairil
Comment Utility
Hi,

You can use your router or a layer 3 switch to control ACLs. However, it is a daunting task to do, especially when you have a lot of policies.

You might want to plan for the feature too; the traffic control will be on both sides, external to internal and vice versa. It is better for you to have a dedicated router and a firewall device separately for easy maintenance and management.

The price of a firewall depends on what features you would like to have and the capacity of the device in terms of throughput and bandwidth. Here are some vendors of devices that you can choose from: HP TippingPoint (http://tippingpoint.com), Palo Alto (http://www.paloaltonetworks.com), Fortinet (http://www.fortinet.com), Netscreen (http://www.juniper.net).

They are expensive devices, but they do have ones for small business at a cheaper price; a few of them even offer one for home usage. The not so good side is, you have to maintain it every year with some percent of the sales value.

The other way to go is having a Linux box as firewall and IPS/IDS. There are a lot of Linux distros being delivered as IPS/IDS, like Devil Linux (http://www.devil-linux.org). But based on our experience, you will have a hard time tuning it, managing it, patching it and compiling it.. fuuhhh.
0
 

Author Comment

by:edalzell
Comment Utility
Garry-G,

What amount of bandwidth do you expect to transport over the links? Hard to say... maybe 200-300 concurrent connections. 10-20Mb at the most? (just guessing)

What features do you require the firewalls to have? just simple packet-level ACL.

Thanks! :-)
0
 

Author Comment

by:edalzell
Comment Utility
Khairil,

 What's better to use 'firewall' or a router? Any thoughts on the HP A-MSR20?
I assume if it'll do layer 3, it'll work.....

I'd like something simple to manage, reliable, fit nicely into my rack.... and of course... not $2000 a piece. I must say, I do like HP products....

0
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
For packet-level filtering, you don't really require much performance, especially with 20Mbit of bandwidth required ... e.g., Cisco's current ISR routers 880 would be able to handle that with a moderate ACL list. 890 series to be on the safe side as far as performance reserves go (880 series does 50kpps, 890 series 100kpps - maximum value with CEF; ACL filtering will cost you some of the performance of course).
As for the suggestion concerning a Linux box, that's another alternative, which you can also use to do additional tasks, like proxy, email forwarder/server, etc ... when you get into deeper stuff like Content scanning or IDS, I could recommend a Fortinet FortiGate unit ... they're rather inexpensive compared to the features they include. 10-20Mbit of firewall throughput is handled by the smallest unit already (30), though some features are not available with it due to CPU performance. I'd go with a 60C, which has something like 30Mbit/s Antivirus throughput, and up to 500Mbit (IIRC) of firewall throughput/250Mbit IDS.
0

 
LVL 13

Expert Comment

by:khairil
Comment Utility
Hi,

Firewalls have a different purpose than routers.

I have experienced Fortigate (FG - 7 units) and Palo Alto as UTM (Firewall + multi function security device) and TippingPoint (5 units) as IPS/IDS.

FG and Palo do have policy based routing, static routes with support for BGP, RIP and OSPF for dynamic routing - but it is not the main job of a firewall, even if all the features are convenient. Most of the time the features are enough for you and you can do most of it on the web GUI instead of the command line (CLI).

Routers on the other hand are excellent in managing network routes and have limited capabilities as a firewall. Most router commands are done thru the CLI, which means you have to face some challenges when you have a lot of policies. ACLs also have limitations in terms of security compared to a firewall: ACLs only control IP addresses, while a firewall goes into more detail at the packet level. That's why firewalls have definition updates like anti virus.

The downside of a firewall is yearly maintenance, as you need to pay for updates every year; it may take around 30-70% of your initial purchase. You can ask the vendor on this. I did get some list prices a year back; for a SOHO office it will cost you around MYR 2,500 for the initial purchase, which is about CND 820. But you have to remember it has a renewal price for each year at a fraction of the initial cost (which I do not have).

Having a Linux box is an alternative for a cheap firewall. I don't really suggest it to you based on our last experience - however, it is not so bad if you have dry pockets.

Personally I have not experienced the MSR20, but it does have PBR; the product page does not spell out much to comment on routing. The page also does not say much on security features. You can compare each of FG, Palo or MSR20 - try to get the best of it.
0
 

Author Comment

by:edalzell
Comment Utility
khairil / Garry-G,

Thanks for the comments... I think I am leaning towards using firewalls now.
I quickly sketched up a possible diagram, placing the 'firewalls' where our vendor has suggested.

Do you see any issues with mock up?
I just want to get my diagram down before purchasing firewalls.... :-)

Thanks again!
Network-Diagram.jpg
0
 
LVL 13

Assisted Solution

by:khairil
khairil earned 200 total points
Comment Utility
The diagram is usually unique to the organization, depending on what they are doing and how they want it to be.

Other things you need to consider:
1. Having an Active or Passive unit for HA/backup in case your firewall goes down, to avoid a single point of failure.
2. You do not need to purchase 3 firewalls even if the diagram shows 3. Use any available port and configure the policy to route traffic thru a port for different segments.
3. Do not be over protective, you might downgrade your application performance.
4. Open only needed ports on the policies to the server.
5. You also might want to consider external access to your users and applications; I am not seeing any external access (the Internet) besides what I assume is your remote site.
6. Make budget for annual renewal.
0
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
Nowadays, Firewall performance doesn't warrant fragmenting the network that far ... most current firewalls support more than just two interfaces, allowing for additional network branches, like one or more DMZ areas.

I'd just go ahead and move the web load balancer and web servers to either one or two DMZ ports of the firewall, same for the internal app servers (I assume the cloud on the left is also the internet uplink?)
For internet access for your users, activate content scanners to protect against virus/malware, for the servers run some IDS/IPS features (though, be prepared to invest time frequently to keep stuff up to date and check logs - an IDS is no silver bullet)
Not quite sure why you have your local users in between the internet and the "DMZ" like area ...
0
 

Author Comment

by:edalzell
Comment Utility
Garry-G,

Ok, just to confirm... Connect both the 192.168.220.0 and the 192.168.240.0 network to the same firewall, just different (DMZ?) ports.

All users are sitting on the 192.168.0.0 network - the other networks don't need to get to the internet.
(not sure if this is what your are getting at...)
The local users sit behind a firewall (192.168.0.2), WAN users connect via Internet to same appliance.

Let me know if I'm being clear.... :-)

Thanks, your feedback and suggestions are helping!

E.D.
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 300 total points
Comment Utility
Yes, e.g. taking a Fortinet FortiGate 110C as a basis, you could hook up the local users to one of the GigE ports, either Web servers or App servers (depending on which one has to supply more bandwidth) to the other GigE port, then the other lan port and Internet uplink to two of the remaining 8 100M ethernet ports. All segments can then be nicely policed against each other, thereby blocking all unnecessary or unwanted data communication. In order to prevent SPOF, you could also add a second FW as a active/passive or active/active solution either at initial deployment, or also at a later time.

If necessary, segmentation could also be taken even further by setting up VLANs for each type of server or physical machine, but in most cases this would take the whole thing a bit far (at least for almost any customer I've come across ...)
0
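As an added illustration of the accepted design (every segment on its own firewall port, segments policed against each other, only needed ports opened per khairil's point 4), here is a small Python model of such a zone policy; it is not code from the thread or from any vendor. The subnets are the ones named above; the rules, the port numbers and the role of 192.168.0.10 as an admin host are assumptions.

```python
from ipaddress import ip_address, ip_network

# Zones: one per firewall interface, using the subnets named in the thread.
ZONES = {
    "users":   ip_network("192.168.0.0/24"),
    "web_dmz": ip_network("192.168.220.0/24"),
    "app_dmz": ip_network("192.168.240.0/24"),
}

# Rules: (src_zone, allowed source hosts, dst_zone, allowed TCP ports).
# Everything not matched by a rule is denied (default deny between zones).
# The host roles and ports below are assumed for the example.
RULES = [
    # hypothetical admin workstation may manage app servers over SSH
    ("users",   ip_network("192.168.0.10/32"),   "app_dmz", {22}),
    # all users reach the web tier on HTTP/HTTPS only
    ("users",   ip_network("192.168.0.0/24"),    "web_dmz", {80, 443}),
    # web tier talks to app tier on one assumed application port
    ("web_dmz", ip_network("192.168.220.0/24"),  "app_dmz", {8080}),
]


def zone_of(addr):
    """Map an address to the zone (interface) it sits behind, or None."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src, dst, port):
    """True if a new TCP connection src -> dst:port passes the policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False  # unknown segment: never forwarded
    if src_zone == dst_zone:
        return True   # same segment: traffic never crosses the firewall
    for s_zone, s_hosts, d_zone, ports in RULES:
        if (s_zone == src_zone and d_zone == dst_zone
                and ip_address(src) in s_hosts and port in ports):
            return True
    return False      # default deny; reverse direction is not implied


def audit(flows):
    """Return the (src, dst, port) flows that the policy would block."""
    return [f for f in flows if not is_allowed(*f)]
```

Note that the rule set is directional: the app tier cannot open connections back to the users segment unless a rule says so, which is the point of policing the segments against each other.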