Dan asked:

2 or 1 networks?

We are moving into 2 new buildings.  One is a church and the other is an admin building, corporate.  There will be fiber connecting both buildings.

Option 1
I'm debating whether it's better for the church to have its own separate ISP connection, firewall, its own switches and not be tied to the admin building in any way, or option 2.

Option 2
Or should I just have one ISP connection for both the admin and church buildings, and have switches that I manage on their own vlans for the church, but have one big network for both buildings?

Any ideas for best practice?  For management purposes, it's easier to just have one large network instead of creating two separate ones, with each having their own ISP connections.

Any recommendations, and why for each case.
Dan (ASKER)

We can't go with 2 different ISPs, but only one, as we're still in contract with our current provider.  We were just thinking if we should have a 50mb/s pipe for the church and the 200mb/s pipe for the admin building.  The ISP said if we just have 1 pipe, we can go to a full Gig pipe for the same price of the two different pipes.   The company is not going to pay for two different ISPs, one for redundancy, as the funds are not available.

The church is owned by the same company that is building the admin building.  I was just thinking to reduce any risk if someone plugs a laptop on the LAN, to not cross over to the admin building, but I guess if my vlans are configured correctly, I don't need to worry about that.

I was also just thinking if we rent the church every weekend to another church, I wanted to have something in place that as mentioned above, some security so our LAN is not accessible from the church.

I would be the one managing both if we do have separate circuits.   I plan to use all my old switches for the church, mostly 3750G switches, all gig and POE.
 
I came up with a design, so I have to draw it up, so I'll attach that as soon as I have a soft copy.
I currently am using a Sophos firewall, which we like and have already paid for the subscriptions, so I'm sure management will not want to upgrade at this point.

The firewall will be the critical component to your design.  You can also take advantage of technologies like port security to further bolt down the network in the church building.

I would go with the 1 internet connection.  Adding the second is just going to ramp your risk.  It's just a benefit that you'll be able to crank the bandwidth.

I know you are noting that you already have the Sophos firewall but I would bet that one of two things is on your horizon -

1.  A different firewall solution
2.  An additional firewall in the network

Again, it's kind of tough to get too deep into details on the limited information in the requests, especially when the data is being segmented over multiple questions.

We can't go with 2 different ISPs, but only one, as we're still in contract with our current provider.

Your ISP should be able to give you a block of 6 external IP addresses and these are separate and different. Similar to what Fred posted above.
Maybe worth considering applying sticky ports to the switches to reduce concerns of unauthorised users plugging into your LAN if this is your main concern?
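
The port-security and sticky-port suggestions above can be verified against a switch configuration. The following is an added example, not part of the original thread: it audits a constructed Cisco IOS config for access ports in an assumed church VLAN (20) that are missing forced access mode, port security or sticky MAC learning. The interface names and VLAN number are assumptions.

```python
# Constructed sample IOS access-switch config (not from the thread);
# VLAN 20 stands in for the church VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport port-security
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

# Sub-commands every church access port should carry, and the finding if absent.
REQUIRED = {
    "switchport mode access": "not forced to access mode",
    "switchport port-security": "port-security not enabled",
    "switchport port-security mac-address sticky": "no sticky MAC learning",
}

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_access_ports(config, vlan):
    """Return {interface: [findings]} for access ports assigned to `vlan`."""
    ports = parse_interfaces(config)
    report = {n: [msg for cmd, msg in REQUIRED.items() if cmd not in c]
              for n, c in ports.items() if f"switchport access vlan {vlan}" in c}
    return {n: findings for n, findings in report.items() if findings}
```

Run against the sample, only GigabitEthernet1/0/1 passes; the trunk uplink is ignored because it is not an access port in the audited VLAN.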
Firewall...firewall....firewall
Switches and routers are not real security devices and never will be

They can segregate networks
But it’s not a firewall provides true security in this scenario
And they can also switch and route

There is no better solution.....
I suppose that I should clarify.  My intent wasn't to indicate that you should go with two separate ISPs.  What I was trying to get at was the idea of dual Internet pipes.  The principles still remain the same.
Dan (ASKER)

Update: management said that they want two different internet connections for each building, to make it more secure, so I guess that answers my question.  It's not official, as it was only one VP that made that decision, but I'm hoping that next week, the leadership team officially makes the decision, so I have a path forward of which way to start designing the network or networks.

I'll provide an update as soon as I have one.
Please keep us posted
You did tell said VP that as long as the two facilities are linked with a data path between them, that the install of a second inet connection, especially if not independently firewalled, is by definition, less secure?
Dan (ASKER)

Thanks, guys, for the input.
You are very welcome and I was happy to help