
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1301
  • Last Modified:

Advice on how to properly redesign our company network... (DMZs & VLANs)

Hello Experts!

I'm a bit of a novice, so bear with me. I am looking for some advice and recommendations on how to restructure my company's network. We have 4 web servers, 4 SQL servers, one domain controller, two mail servers, 15 local machines and a VoIP PBX.

Our Exchange server (used by internal employees) is running Server 2003, and that makes me concerned about our network security. We also have an IMail server, and manage about 20 domains and 100 mailboxes. Right now we do not have any VLANs or a DMZ configured.

All of our machines are on one subnet behind a Cisco ASA (and two 24-port Linksys switches). All of our workstations are on another subnet behind the ASA (on the same switches).

How would you suggest we restructure the network to increase security? There is a budget for new hardware, so you can consider that also.

Thank you for your time and thoughtful replies!
1 Solution
Split departments into VLANs, so you have control over each port and user. A malicious user can no longer just plug their workstation into any switch port and sniff the network traffic using a packet sniffer.

VLANs also help to restrict sensitive traffic originating from a department within itself by using ACLs (access control lists).

Place web servers in the DMZ.

This is a starting point.
coldfirenj (Author) commented:
Hey Mo, can you provide any more rationale or info for your suggestions?
First, look at buying a core switch; a Cisco one would be good. I suggest contacting an IT reseller and asking them: get them to do the work and suggest some switches that meet your needs.

Then split the network into VLANs on the DC.

On the core switch, create the VLANs:

vlan1 - servers, i.e. file servers, Exchange
vlan2 - specific servers, i.e. SQL server
vlan3 - finance servers ......
vlan10 - finance dept
vlan11 - customer services dept .....

Assign ports to VLANs on the switch, and keep the rest of the ports disabled.

If all is OK, then slowly, and documenting as you go, start closing off connections using ACLs in the core switch so that only, say for example, the finance dept can access the finance server, and so on.

Also look at maybe purchasing a SIEM tool so you can log and correlate all important events.

There are lots and lots more things you can do, but this is a decent starting point.

coldfirenj (Author) commented:
Would you suggest putting web servers and their corresponding SQL servers in the same VLAN or on separate VLANs?
coldfirenj (Author) commented:
Also, for the DMZ: we should place our two mail servers (IMail and Exchange) and the web servers in there? Would the CF and SQL databases be inside or outside of the DMZ?
No, always put web servers in the DMZ.

Leave the SQL server on the LAN.

Not sure what IMail is; if it's some sort of spam/virus checker, then I suggest placing that in the DMZ and leaving Exchange on the LAN.
coldfirenj (Author) commented:
IMail is a mail server, like Exchange. We use both: Exchange for internal employees, and IMail for the external domains and the users that we manage. So, both mail servers should be on the inside (not the DMZ)? Should we separate them with VLANs? My gut tells me to put both outside in the DMZ, since port 25 is getting slammed all the time with spammers and the like.

You are saying that only web servers should go on the outside? What about our VoIP PBX?
How many interfaces do you have on your ASA?

You mention a DMZ on the "outside"; I hope you don't mean in front of the ASA.

What I would suggest is that you set up what is called a 3-legged dog DMZ. The ASA will use at least 3 interfaces:

1) Front: the Internet (a.k.a. outside).
2) Side: the DMZ.
3) Back (a.k.a. inside): your internal protected network.

Doing this allows you to filter traffic to the "DMZ" hosts and give them some layer of protection.

Get a decent L3 switch. An L3 switch can act as a router. Then divide your inside network into multiple VLANs/IP subnets. That way your ASA is not routing traffic between hosts that are on the "inside".

How you VLAN it off is up to you. I would suggest at a minimum:

VLAN100 - Domain Controllers and Exchange Servers
VLAN101 - SQL Servers
VLAN200 - Users

The VLAN number really means nothing; you can use whatever numbering system you want. But you could make all 1xx servers and all 2xx users. That way, if you need to isolate one group of users from another, or grow large enough to justify another IP subnet, you just create VLAN201.

You can decide if you need to put certain users or servers into a unique VLAN/IP subnet to isolate their traffic more than what I have described.
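As an added example (my own code, not from the thread or from either answerer), here is a small Python model of the segmented design the two answers describe: the ASA's three legs (outside / DMZ / inside), the inside split into Giltjr's VLAN100 (DCs and Exchange), VLAN101 (SQL) and VLAN200 (users), plus Mo's finance rule as a VLAN102 server segment and a VLAN201 finance-users segment. Every subnet, port and ACL name is an assumption chosen for illustration. The policy is an allow-list in the initiating direction; `is_allowed` checks a candidate flow against it, and `render_acl` prints the per-segment rules in ASA extended access-list syntax with a logged deny at the end.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing (assumption, not from the thread): Giltjr's
# three ASA legs and VLAN100/101/200 split, plus Mo's finance dept example as
# VLAN102 (finance servers) and VLAN201 (finance users).
SEGMENTS = {
    "outside": ip_network("0.0.0.0/0"),      # Internet, ASA front leg
    "dmz":     ip_network("192.0.2.0/28"),   # web servers, ASA side leg
    "vlan100": ip_network("10.0.100.0/24"),  # domain controllers, Exchange
    "vlan101": ip_network("10.0.101.0/24"),  # SQL servers
    "vlan102": ip_network("10.0.102.0/24"),  # finance servers
    "vlan200": ip_network("10.0.200.0/24"),  # general users
    "vlan201": ip_network("10.0.201.0/24"),  # finance dept
}


@dataclass(frozen=True)
class Rule:
    src: str      # segment that opens the connection
    dst: str      # destination segment
    proto: str    # "tcp" or "udp"
    ports: tuple  # permitted destination ports
    note: str


# Allow-list in the initiating direction. The ASA and L3 switch ACLs are
# stateful, so replies need no rule; anything not listed hits the trailing deny.
# Ports are illustrative assumptions.
POLICY = (
    Rule("outside", "dmz",     "tcp", (80, 443),           "public web"),
    Rule("dmz",     "vlan101", "tcp", (1433,),             "web tier to SQL only"),
    Rule("vlan200", "vlan100", "tcp", (88, 389, 445, 443), "users to DC / Exchange"),
    Rule("vlan201", "vlan100", "tcp", (88, 389, 445, 443), "finance users to DC / Exchange"),
    Rule("vlan201", "vlan102", "tcp", (443,),              "only finance dept reaches finance servers"),
)


def segment_of(ip: str) -> str:
    """Longest-prefix match, so 10.0.101.5 is 'vlan101' rather than the 0.0.0.0/0 catch-all."""
    addr = ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    if not hits:
        raise ValueError(f"{ip} is not in any known segment")
    return max(hits)[1]


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return the Rule that permits this new flow, or None (implicit deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in POLICY:
        if (rule.src, rule.dst, rule.proto) == (src, dst, proto) and dport in rule.ports:
            return rule
    return None


def _asa_addr(name: str) -> str:
    """ASA wants 'any' for 0.0.0.0/0 and 'network netmask' otherwise."""
    net = SEGMENTS[name]
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"


def render_acl(segment: str) -> list:
    """Inbound ACL for one segment in ASA 'access-list NAME extended' syntax.
    (The L3 switch's inter-VLAN ACLs would use IOS wildcard masks instead.)
    One line per port keeps each permit auditable; the explicit deny at the end
    logs everything the design did not anticipate."""
    acl = f"{segment.upper()}_IN"
    lines = []
    for rule in POLICY:
        if rule.src != segment:
            continue
        for port in rule.ports:
            lines.append(
                f"access-list {acl} extended permit {rule.proto} "
                f"{_asa_addr(rule.src)} {_asa_addr(rule.dst)} eq {port}"
            )
    lines.append(f"access-list {acl} extended deny ip any any log")
    return lines


if __name__ == "__main__":
    # A compromised web server in the DMZ must not be able to reach the DCs.
    print(is_allowed("192.0.2.10", "10.0.100.5", "tcp", 445))   # None
    print(is_allowed("192.0.2.10", "10.0.101.5", "tcp", 1433).note)
    print("\n".join(render_acl("dmz")))
```

The point of keeping the model this explicit is the question raised earlier in the thread about web servers and their SQL servers: they sit in different segments (DMZ versus VLAN101), and the only thing the DMZ may open towards the inside is TCP/1433 to the SQL subnet, so a web server compromise does not hand an attacker the domain controllers or the user VLAN. Check every proposed change with `is_allowed` before touching the switch or ASA, and keep the generated ACL text under version control alongside the policy table.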
coldfirenj (Author) commented:
Hi Giltjr, and thank you for your insights. We have 8 interfaces on our ASA, so we do have some flexibility. No L3 switch yet; I've been asking for years... Thank you for your advice!
