  • #2280108

    Network design


    by qmd61 ·

    My network has 2 routers with 2 separate subnets; both routers connect to a T1 modem to provide the Internet connection. The first router's subnet contains a Web server and an FTP server; the second router is the private network. Users on my private network would like to process data on the FTP server and Web server. What could I do to enable this secure connection between the different subnets and still protect my private network?


    • #3378052

      Reply To: Network design

      by mshavrov ·


      The easiest and most correct way: install a firewall to interconnect the LAN and DMZ. It depends on your budget. Theoretically you should not use routers as your only security solution. The general idea is to use a firewall since it provides stateful security (it tracks your incoming and outgoing TCP sessions and UDP flows).

      What can you do in this situation:

      1. Buy a 3-4 interface firewall. I prefer Cisco PIX or Checkpoint, but it can be anything.

      2. Connect your 2 Internet routers together through a small hub or switch. Or connect both T1 cards to one router and configure “policy routing”, where you send one type of traffic through one link and the rest of the traffic through another.

      3. Connect all your “public” servers to the DMZ interface and configure appropriate rules and address translations.

      4. Connect your LAN to the “inside” interface.

      It’s a very general view of “best security practices”. Sure, you may just install a router between your “servers LAN” and “users LAN” and configure NAT and routing, but again, it’s not a recommended solution.

      If you have more questions on network and security design, send me e-mail.

      Good luck,

      Michael Shavrov
      CCSP, CCNP, CCDP, CSS1, Security+, MCSE W2K, Checkpoint CCSA.
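
      As an added example (not part of the thread or of Michael's post), here is what steps 3 and 4 above look like as an actual policy, written for a Linux box acting as the three-interface firewall and using nftables rather than PIX or Checkpoint syntax. Everything concrete in it is an assumption made for the example: eth0 is the outside interface toward the T1 router (public address 203.0.113.10 from the documentation range), eth1 is the DMZ (172.16.1.0/24, with the Web server at 172.16.1.10 and the FTP server at 172.16.1.20), and eth2 is the inside user LAN (10.0.0.0/24). The function only prints the ruleset; feed it to nft to apply it.

```shell
#!/bin/sh
# Added example, not from the original thread. All interface names, subnets and
# server addresses below are assumptions chosen for illustration:
#   eth0 = outside (toward the T1 router), public 203.0.113.10
#   eth1 = DMZ,     172.16.1.0/24  (web 172.16.1.10, ftp 172.16.1.20)
#   eth2 = inside,  10.0.0.0/24    (the private user LAN)
# Apply with:   ruleset | sudo nft -f -

ruleset() {
cat <<'EOF'
flush ruleset

table inet fw {
    # Conntrack helper so FTP data channels (active or passive) are marked
    # "related" and pass without opening a whole port range between zones.
    ct helper ftp-std {
        type "ftp" protocol tcp;
    }

    chain pre {
        type filter hook prerouting priority -10; policy accept;
        tcp dport 21 ct helper set "ftp-std"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Manage the firewall itself only from the inside LAN.
        iif "eth2" ip saddr 10.0.0.0/24 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Stateful core: replies ride on an existing session; any new flow must
        # match an explicit permit below. There is deliberately no permit for
        # eth1 -> eth2, so a compromised DMZ host cannot initiate into the LAN.
        ct state established,related accept
        ct state invalid drop

        # inside -> DMZ: only the two services the users need
        iif "eth2" oif "eth1" ip saddr 10.0.0.0/24 ip daddr 172.16.1.10 tcp dport 80 accept
        iif "eth2" oif "eth1" ip saddr 10.0.0.0/24 ip daddr 172.16.1.20 tcp dport 21 accept

        # inside -> Internet
        iif "eth2" oif "eth0" ip saddr 10.0.0.0/24 accept

        # Internet -> DMZ: only the published services (addresses as seen after DNAT)
        iif "eth0" oif "eth1" ip daddr 172.16.1.10 tcp dport 80 accept
        iif "eth0" oif "eth1" ip daddr 172.16.1.20 tcp dport 21 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Publish the DMZ servers on the firewall's outside address.
        iif "eth0" ip daddr 203.0.113.10 tcp dport 80 dnat to 172.16.1.10
        iif "eth0" ip daddr 203.0.113.10 tcp dport 21 dnat to 172.16.1.20
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide inside and DMZ behind the public address on the way out.
        oif "eth0" masquerade
    }
}
EOF
}

# Sanity check on the generated policy: number of rules that would let the
# DMZ open connections toward the inside LAN. Must be 0.
dmz_to_inside_permits() {
    ruleset | grep -c 'iif "eth1" oif "eth2"' || true
}

# Number of explicit inside -> DMZ permits (expect exactly the two services).
inside_to_dmz_permits() {
    ruleset | grep -c 'iif "eth2" oif "eth1"' || true
}
```

      The two things that make this safer than plain routing between the "servers LAN" and "users LAN" are the `policy drop` on the forward chain and the `ct state established,related accept` line before the permits: DMZ hosts get their replies back to the inside only for sessions the inside opened, and a new connection from eth1 toward eth2 matches nothing and is dropped. Without the FTP conntrack helper, passive FTP from the LAN would fail, because the data connection lands on an arbitrary high port on the server that no rule allows.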

    • #3365346

      Reply To: Network design

      by Anonymous ·


      Either add static routes on your “T1 modem router” to each network, or connect the two internal routers together via an Ethernet connection and add the routes for each LAN on each router.

    • #3375418

      Reply To: Network design

      by deadly ernest ·


      If you have a free port on each router, the easiest and safest way would be to run a link between the routers and then place an entry in each table to allow the private network router to send to the other router but not allow the reverse, i.e. one-way traffic is established. This will restrict connection establishment to those in the restricted network.
