bertel
12-18-2004, 12:06 PM
Hi all, my first post here...
I'll be moving into a new office soon, and am planning my new network.
I know how to build a small network and set up routing etc., but am a bit of a newbie when it comes to security. I have the following requirements:
- A public web- and ftp server. The server is only for testing and demo purposes for client projects (no critical data, only a couple of connections a day, dynamic DNS)
- Wired network containing fileserver and two workstations.
- Wireless network for Notebook(s)
I have various parts lying around I could use for this. The DSL Router is a Draytek model capable of port forwarding and DMZ. The firewall is a simple box with 3 NICs where I plan to install the ClarkConnect Firewall/VPN. Wireless access to the wired part of the network should only be allowed through a VPN tunnel.
Here are the two configurations I have in mind:
http://img142.exs.cx/img142/8652/netzwerk1a1dv.jpg
- DSL router forwards ports 80 and 21 to Webserver, everything else to second router/firewall
http://img142.exs.cx/img142/7198/netzwerk1b2ek.jpg
- Everything goes to firewall with intrusion detection/prevention, then forwards ports 80 and 21 to Webserver
(The first router is still required as it has the DSL modem built-in)
As I understand it, the first case has less protection for the webserver, but if someone makes it into it, the main network is still secure. The second way would have more security for the webserver because of the firewall's packet filtering and intrusion detection. But if it is compromised, so is the entire LAN because the intruder has control over a machine "inside".
I realize this might be a bit overkill for the task, but I see it as an exercise in networking as well. So any comments on this will be greatly appreciated.
Thanks,
bertel
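As an added example (not from the original post or from ClarkConnect), here is how the 3-NIC firewall in the second layout can give the web/ftp server its own DMZ segment, so that a compromised server is contained rather than sitting "inside" the LAN. Interface names, addresses and the use of plain iptables are assumptions; show_rules prints the ruleset instead of applying it.

```shell
#!/bin/sh
# Assumed layout: eth0 = WAN (from the DSL router), eth1 = DMZ, eth2 = LAN.
# Addresses are constructed examples, not the poster's real ones.
IPT="${IPT:-iptables}"
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.2.0/24
LAN_NET=192.168.1.0/24
WEB=192.168.2.10          # web/ftp server, on the DMZ interface only

build_rules() {
    # Deny all forwarding by default; only explicitly allowed flows pass.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING

    # Replies to already-accepted connections may return on any path.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The DSL router hands 80 and 21 to this box; DNAT them to the DMZ host only.
    # (FTP data connections additionally need the kernel ftp conntrack helper.)
    for p in 80 21; do
        $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $p \
            -j DNAT --to-destination $WEB
        $IPT -A FORWARD -i $WAN -o $DMZ -p tcp -d $WEB --dport $p \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # LAN may reach the DMZ (to update demo sites) and the Internet.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT

    # The key rule: no new connection may originate in the DMZ toward the LAN.
    # Log attempts first, since they are a strong sign the webserver is compromised.
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
}

# Print the rules instead of applying them (for review before loading).
show_rules() { IPT="echo iptables" build_rules; }
```

Run show_rules first and review the output; apply with build_rules only on the firewall box itself.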