Network design

By qmd61
My network has 2 routers with 2 separate subnets; both routers connect to a T1 modem to provide an Internet connection. The first router's network consists of a Web server and an FTP server; the second router's network is the private network. Users on my private network would like to process data on the FTP server and Web server. How could I enable this secure connection across different subnets and still protect my private network?

by mshavrov In reply to Network design

The easiest and most correct way is to install a firewall to interconnect the LAN and DMZ. It depends on your budget. Theoretically you should not use routers as your only solution for security. The general idea is to use a firewall, since it provides stateful security (it tracks your incoming and outgoing TCP sessions and UDP flows).

What can you do in this situation:

1. Buy a 3-4 interface firewall. I prefer Cisco PIX or Checkpoint, but it can be anything.

2. Connect your 2 Internet routers together through a small hub or switch. Or connect both T1 cards to one router and configure "policy routing", where you send one type of traffic through one link and the rest of the traffic through another.

3. Connect all your "public" servers to DMZ interface and configure appropriate rules and address translations.

4. Connect your LAN to "inside" interface.

It's a very general view of "best security practices". Sure, you may just install a router between your "servers LAN" and "users LAN" and configure NAT and routing, but again, it's not a recommended solution.

If you have more questions on network and security design, send me e-mail.

Good luck,

Michael Shavrov
CCSP, CCNP, CCDP, CSS1, Security+, MCSE W2K, Checkpoint CCSA.

by -Q-240248 In reply to Network design

Either add routes on your "T1 Modem router" to each network, statically, or connect the two internal routers together via an Ethernet connection and add those LAN routes to each LAN on each router.

by Deadly Ernest In reply to Network design

If you have a free port on each router, the easiest and safest way would be to run a link between the routers and then place an entry in each table to allow the private network router to send to the other router but not allow the reverse, i.e. one-way traffic is established. This will restrict connection establishment to those in the restricted network.
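The two approaches above differ in whether return traffic is matched against remembered sessions (mshavrov's stateful firewall) or only against a one-way rule on the router (Deadly Ernest's router-table entry). The following added example, written for this thread and not taken from any poster, models both with constructed 192.168.1.0/24 (inside) and 192.168.2.0/24 (DMZ) addresses: the stateful version admits a DMZ-to-LAN packet only if it belongs to a session the LAN opened, while the stateless one-way rule must admit any non-SYN packet to let replies through.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's zones (assumed, not from any post).
ZONES = {
    "inside": ip_network("192.168.1.0/24"),  # private users LAN
    "dmz": ip_network("192.168.2.0/24"),     # web and FTP servers
}

def zone_of(ip):
    """Map an address to inside, dmz, or outside (anything else)."""
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return "outside"

# Which zone may initiate TCP sessions to which zone, and on which ports.
# None means any port; absent pairs (e.g. dmz -> inside) may not initiate.
ALLOW_NEW = {
    ("inside", "dmz"): {21, 80},
    ("outside", "dmz"): {21, 80},
    ("inside", "outside"): None,
}

def policy_permits(src, dst, dport):
    ports = ALLOW_NEW.get((zone_of(src), zone_of(dst)), set())
    return ports is None or dport in ports

class StatefulFirewall:
    """Tracks sessions; return traffic is allowed only for tracked flows."""
    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of allowed flows

    def check(self, src, sport, dst, dport, syn=False):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"                 # belongs to a tracked session
        if syn and policy_permits(src, dst, dport):
            self.sessions.add(fwd)         # new session from an allowed zone
            return "allow"
        return "deny"                      # stray or unsolicited packet

def stateless_check(src, sport, dst, dport, syn=False):
    """Router ACL with no session memory: DMZ-to-LAN replies can only be
    admitted by a blanket 'established'-style rule that looks at TCP flags."""
    if zone_of(src) == "dmz" and zone_of(dst) == "inside":
        return "deny" if syn else "allow"
    return "allow" if policy_permits(src, dst, dport) else "deny"
```

The stateless router rule lets a DMZ host's non-SYN packet reach the LAN even when no LAN host opened a session, which is the gap a stateful firewall between the two subnets closes.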
