Advice on how to properly redesign our company network... (DMZ's & Vlans)

Posted on 2012-08-17
Last Modified: 2012-08-23
Hello Experts!

I'm a bit of a novice so bear with me. I am looking for some advice and recommendations on how to restructure my company's network. We have 4 webservers, 4 SQL servers, one domain controller, two mail servers, 15 local machines, and a VOIP PBX.

Our exchange server (used by internal employees) is running server 2003 and that makes me concerned about our network security. We also have an Imail server, and manage about 20 domains and 100 mailboxes. Right now we do not have any VLANS or a DMZ configured.

All of our machines are on one subnet behind a Cisco ASA (and two 24 port Linksys switches). All of our workstations are on another subnet behind the ASA (on the same switches).

How would you suggest we restructure the network to increase security? There is a budget for new hardware so you can consider that also.

Thank you for your time and thoughtful replies!
Question by:coldfirenj
    LVL 6

    Expert Comment

    Split depts into VLANs, so you have control over each port and user. A malicious user can no longer just plug their workstation into any switch port and sniff the network traffic using a packet sniffer.

    Also, VLANs help to restrict sensitive traffic originating from a department within itself by using ACLs (access control lists).

    Place webservers in a DMZ.

    This is a starting point.

    Author Comment

    Hey Mo, can you provide any more rationale or info for your suggestions?
    LVL 6

    Expert Comment

    First look at buying a core switch; a Cisco one would be good. I suggest contacting an IT reseller and asking them, get them to do the work and suggest some switches that meet your needs.

    Then split the network into VLANs on dC.

    On the core switch create the VLANs.

    vlan1 - Servers i.e. file servers, exchange,
    vlan2 - specific server i.e. sql server
    vlan3 - finance servers ......
    vlan10 - finance dept
    vlan11 - customer services dept .....

    Assign ports to VLANs on the switch, and keep the rest of the ports disabled.


    If all ok then slowly and by documenting start closing off connections using the ACL in the core switch so only say for example the finance dept can access finance server and so on.

    Also look at maybe purchasing some SIEM tool so you can log and correlate all important events.

    There are lots and lots more things you can do, but this is a decent starting point.
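    As an added illustration of the VLAN-plus-ACL design described in this comment (not the commenter's own configuration), here is a Catalyst IOS fragment for the core L3 switch. VLAN numbers follow the comment's scheme; the 10.0.x.0/24 addresses, interface names and the "finance dept only" rule are constructed assumptions.

```cisco
! Constructed example: core L3 switch routing between VLANs and enforcing
! "only the finance dept can access the finance servers" with an ACL.
ip routing
!
vlan 3
 name Finance-Servers
vlan 10
 name Finance-Dept
vlan 11
 name Customer-Services
!
! One SVI (routed interface) per VLAN; the switch, not the ASA, routes inside traffic
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
 ip access-group TO_FINANCE_SRV out
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan11
 ip address 10.0.11.1 255.255.255.0
!
! Applied outbound on the finance-server SVI, so it sees every packet headed
! for 10.0.3.0/24 regardless of source VLAN. Anything not from the finance
! dept subnet is dropped and logged, which also gives the SIEM something to correlate.
ip access-list extended TO_FINANCE_SRV
 permit ip 10.0.10.0 0.0.0.255 10.0.3.0 0.0.0.255
 deny   ip any 10.0.3.0 0.0.0.255 log
!
! Access port for a finance workstation; ports not yet assigned stay shut down
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface range GigabitEthernet1/0/20 - 24
 shutdown
```

    Start with the ACL in place but containing only the `permit` and a logging `deny`, review the log hits for a few days, and only then tighten further, which is the "slowly and by documenting" approach the comment recommends.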

    Author Comment

    Would you suggest putting web servers and their corresponding SQL servers in the same VLAN or on separate VLANs?

    Author Comment

    Also for the DMZ. We should place our two mail servers (Imail and exchange) & the webservers in there? Would the CF and SQL databases be inside or outside of the DMZ?
    LVL 6

    Expert Comment

    No, always put webservers in the DMZ.

    Leave SQL server on the LAN.

    Not sure what Imail is; if it's some sort of spam/virus checker, then I suggest placing that on the DMZ and leaving the Exchange on the LAN.

    Author Comment

    Imail is a mail server, like Exchange. We use both... Exchange for internal employees & Imail for the external domains & the users that we manage. So, both mail servers should be on the inside (not DMZ)? Should we separate them with VLANs? My gut tells me to put both outside on the DMZ since port 25 is getting slammed all the time with spammers and the like?

    You are saying that only webservers should go on the outside? What about our VOIP PBX?
    LVL 57

    Accepted Solution

    How many interfaces do you have on your ASA?

    You mention DMZ on the "outside", I hope you don't mean in front of the ASA.

    What I would suggest is you setup what is called a 3 legged dog DMZ.  The ASA will use at least 3 interfaces;

    1) Front: The Internet. (a.k.a outside)
    2) Side: The DMZ.
    3) Back: (a.k.a Inside) Your internal protected network.

    Doing this allows you to filter traffic to the "DMZ" hosts and give them some layer of protection.

    Get a decent L3 switch.  A L3 switch can support being a router.  Then divide your inside network into multiple VLAN/IP Subnets.  That way your ASA is not routing traffic to hosts that are on the "inside".

    How you VLAN it off is up to you. I would suggest at a minimum.

    VLAN100 - Domain Controllers and Exchange Servers
    VLAN101 - SQL Servers
    VLAN200 - Users

    The VLAN number really means nothing, you can use whatever number system you want.  But you could make all 1xx servers, and all 2xx users.  That way if you need to isolate one group of users from another, or grow large enough to justify another IP subnet, you just create VLAN201.

    You can decide if you need to put certain users or servers into a unique VLAN/IP subnet to isolate their traffic more than what I have described.
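    An added example of the three-legged ASA layout this answer describes, combined with the earlier advice to keep the webservers in the DMZ and the SQL servers on the LAN (this is illustrative configuration, not the answerer's). Interface names, the 203.0.113.0/29, 172.16.50.0/24 and 10.0.0.0/8 addresses, and the host addresses are constructed assumptions; NAT for the published web server is omitted.

```cisco
! Constructed example: ASA with outside / dmz / inside legs
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.50.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Internet may reach the DMZ web server (172.16.50.10, constructed) on 80/443 only;
! everything else from outside is dropped and logged.
access-list OUTSIDE_IN extended permit tcp any host 172.16.50.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 172.16.50.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The DMZ web server may open exactly one kind of connection inward: SQL (1433)
! to its database in the SQL VLAN (10.0.101.20, constructed). Any other DMZ-to-inside
! traffic is dropped and logged, so a compromised web server cannot roam the LAN.
! Replies to inside-initiated connections are already permitted by stateful inspection.
access-list DMZ_IN extended permit tcp host 172.16.50.10 host 10.0.101.20 eq 1433
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Inside VLAN subnets live behind the L3 switch (10.0.0.2, constructed), so the
! ASA only needs one route to them and never routes inside-to-inside traffic.
route inside 10.0.0.0 255.0.0.0 10.0.0.2 1
```

    Without the `deny ip any 10.0.0.0 255.0.0.0` line the ASA's default security-level behaviour (50 to 100 is blocked, but any explicit DMZ ACL replaces that default) would let the web server reach every inside host once an ACL is applied to the dmz interface, so the deny is what actually enforces the DMZ boundary.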

    Author Comment

    Hi Giltjr and thank you for your insights. We have 8 interfaces on our ASA so we do have some flexibility. No L3 switch yet, I've been asking for years... Thank you for your advice!
