This is the first network design of my life. Please help by pointing out the weaknesses of my design!

This is the first network design of my life.
I am a beginner at network engineering.
I think there will be many mistakes and weaknesses in my design.
Please help me by pointing out the weaknesses of my design.
Thank you so much!

Tags: Design, Network

Replies to This Discussion

Just some comments.

1) Is there any business reason for segregating divisions/departments into separate networks with their own firewalls/proxies? In my opinion, it would be easier to manage the network by using a single firewall/router (maybe a Cisco 2800 series or 3800 series with multiple Ethernet ports) for the internal networks. If the divisions/departments need to be segregated, maybe you can set them up in different VLANs.

2) Generally, web or mail servers are placed in a DMZ rather than in the internal LAN.

3) The customer Internet-access wireless network can be implemented as a separate network (maybe a separate physical interface rather than a VLAN) on the same router/firewall.

4) It is possible to combine all the proxy servers into one. It is possible to set up different access rules for different networks. It will be easier to manage one server than several.

1. Your DNS server is overly protected, making name lookups inefficient, and you will end up with complicated firewall rules.
a. The DNS server has to go through 4 firewalls to do external lookups.
b. Hosts in other divisions have to go through 2 firewalls to do DNS lookups.
(In general, there should be internal and external DNS servers. External DNS servers should be in the DMZ along with the mail and web servers, as Ko Kyi Thar pointed out in bullet #2.)

2. There is a firewall at every entry/exit point of each division. How will you achieve inter-division routing with firewalls in the middle? Either you have to run dynamic routing on the firewalls (which probably is not a good idea) or you have to add static routes (which could be even worse).
Think of a solution to enable inter-division dynamic routing.

3. Wireless and wired clients should not be on the same LAN. It is good practice to add a firewall or a packet-filtering device between the wired and wireless networks.
Just my two cents.
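As an added illustration, not part of any reply in this thread: a small Python model of the design the first two replies converge on, with a single firewall/L3 core, divisions on VLANs, the public web/mail/external-DNS hosts in a DMZ, an internal resolver that alone forwards queries out, one proxy serving every division, and the customer wireless network limited to the Internet. Zone names, VLAN numbers, interface names, addresses (RFC 5737 test ranges stand in for public space) and ports are all assumptions chosen for the example. `evaluate()` answers whether a given flow crosses the firewall and what happens to it, and `render_nftables()` emits the same table as an nftables forward chain, so the per-network access rules mentioned in the replies live in one place instead of in a firewall per division.

```python
"""Zone-based firewall policy model for a single-firewall, VLAN-segmented
design.  Added example; not from the original thread.  All zones, VLAN ids,
interface names, addresses and ports below are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Assumed zones: (firewall interface, subnet).  "internet" is the catch-all
# and is matched last because its prefix is the shortest.
ZONES = {
    "internet":   ("wan",    ip_network("0.0.0.0/0")),
    "dmz":        ("dmz",    ip_network("192.0.2.0/24")),   # web, mail, external DNS
    "servers":    ("vlan10", ip_network("10.0.1.0/24")),    # internal DNS, proxy, file
    "sales":      ("vlan20", ip_network("10.0.20.0/24")),
    "finance":    ("vlan30", ip_network("10.0.30.0/24")),
    "guest_wifi": ("vlan99", ip_network("10.0.99.0/24")),   # customer wireless
}
INTERNAL_DNS = ip_address("10.0.1.53")   # assumed internal resolver
PROXY = ip_address("10.0.1.8")           # assumed single proxy for all divisions
DIVISIONS = ("sales", "finance")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str = "any"                   # "tcp", "udp" or "any"
    dport: Optional[int] = None
    src_host: Optional[IPv4Address] = None
    dst_host: Optional[IPv4Address] = None
    action: str = "accept"


# First match wins; anything not matched is dropped (default deny).
POLICY = [
    # Internet reaches only the published DMZ services.
    Rule("internet", "dmz", "tcp", 25),
    Rule("internet", "dmz", "tcp", 80),
    Rule("internet", "dmz", "tcp", 443),
    Rule("internet", "dmz", "udp", 53),
    # DMZ hosts may go out (mail relay, updates) but never initiate inward.
    Rule("dmz", "internet", "tcp", 25),
    Rule("dmz", "internet", "tcp", 443),
    # Split DNS: divisions ask the internal resolver; only it forwards out.
    *[Rule(d, "servers", "udp", 53, dst_host=INTERNAL_DNS) for d in DIVISIONS],
    *[Rule(d, "servers", "tcp", 53, dst_host=INTERNAL_DNS) for d in DIVISIONS],
    Rule("servers", "internet", "udp", 53, src_host=INTERNAL_DNS),
    Rule("servers", "internet", "tcp", 53, src_host=INTERNAL_DNS),
    # One proxy: divisions reach it, and it alone reaches the web.
    *[Rule(d, "servers", "tcp", 3128, dst_host=PROXY) for d in DIVISIONS],
    Rule("servers", "internet", "tcp", 80, src_host=PROXY),
    Rule("servers", "internet", "tcp", 443, src_host=PROXY),
    # Guest wireless: Internet only, nothing internal.
    Rule("guest_wifi", "internet"),
]


def zone_of(addr: str) -> str:
    """Most-specific zone containing addr; 'internet' (/0) is the fallback."""
    a = ip_address(addr)
    for name, (_, net) in sorted(ZONES.items(),
                                 key=lambda kv: kv[1][1].prefixlen, reverse=True):
        if a in net:
            return name
    raise ValueError(addr)   # unreachable: 0.0.0.0/0 matches everything


def evaluate(src: str, dst: str, proto: str = "any", dport: Optional[int] = None) -> str:
    """'local' if both ends sit in the same zone (switched, never seen by the
    firewall); otherwise the action of the first matching rule, else 'drop'."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "local"
    s, d = ip_address(src), ip_address(dst)
    for r in POLICY:
        if (r.src, r.dst) != (sz, dz):
            continue
        if r.src_host is not None and s != r.src_host:
            continue
        if r.dst_host is not None and d != r.dst_host:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "drop"


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain on the one firewall."""
    out = ["table inet fw {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept",
           "    ct state invalid drop"]
    for r in POLICY:
        parts = [f'iifname "{ZONES[r.src][0]}"', f'oifname "{ZONES[r.dst][0]}"']
        if r.src_host is not None:
            parts.append(f"ip saddr {r.src_host}")
        if r.dst_host is not None:
            parts.append(f"ip daddr {r.dst_host}")
        if r.proto != "any":
            parts.append(f"{r.proto} dport {r.dport}" if r.dport is not None
                         else f"meta l4proto {r.proto}")
        parts.append(r.action)
        out.append("    " + " ".join(parts))
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nftables())
    for flow in [("203.0.113.5", "192.0.2.80", "tcp", 443),   # Internet -> DMZ web
                 ("192.0.2.80", "10.0.1.53", "udp", 53),      # DMZ -> internal DNS
                 ("10.0.20.15", "198.51.100.1", "tcp", 443),  # sales -> web, no proxy
                 ("10.0.99.7", "10.0.1.8", "tcp", 3128)]:     # guest -> internal proxy
        print(flow, "->", evaluate(*flow))
```

Running it prints the generated ruleset and a few sample flows: the DMZ web server trying to reach the internal resolver is dropped, a sales workstation reaches the resolver and the proxy but not the Internet directly, and the guest VLAN gets out through the WAN interface and nowhere else. Hosts in the same VLAN return `local` because that traffic is switched and never touches the firewall, which is also why the inter-division routing question matters: with one L3 core the firewall only has to hold zone-to-zone rules, not routes between divisions.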

I would rather use an L3 switch instead of a 4-port router-firewall in the core.
I would not place a wireless AP in-line between the edge router and the core router because it is another point of failure and does nothing but add latency.
I would remove all the internal firewalls and connect the core switch and the distribution/access switches directly.

Additionally, if you want more security, as I see from your diagram with a lot of internal firewalls, I would suggest using an IDS/IPS in-line between the edge router (Internet connection) and the core router/switch, and then a Network Access Control device connected to the core switch for controlling internal access to network resources. The wireless network should also be separated and terminated at the core switch. For example, use a Cisco WLC connected to the core switch and then connect the APs to the WLC rather than to the local switches.

This might not be the perfect suggestion, depending on the requirements.

I have nothing to add apart from suggesting trial and error. That's the best way you will learn. Set up a small test network with whatever equipment is available to you. If you make a mistake, you will always remember it because you made that mistake yourself, and you won't be doing it again.

Everyone designs networks differently depending upon the needs and requirements of their business or their project. If you ask them just by showing a network diagram without explaining what your requirements are and what you are trying to achieve, they will end up giving you advice based upon your diagram rather than your requirements.

The best way to design a network is by first establishing what your requirements are and what your budget for the project is, then designing the network to achieve these requirements within the budget you have, with scalability for future upgrades in mind. Sometimes you will have to make difficult choices between what your business requires and what your budget permits you to have, and therefore you would have to sacrifice functionality for affordability. For example, perhaps you were using a firewall in each department to segregate and contain the traffic locally; that's all good if you have the budget for it. However, if you have a limited budget then you may want to look at implementing VLANs and then firewalling each VLAN to segregate the traffic, thus saving the cost of buying a dedicated firewall for each department LAN.

Why did you suddenly pop up? Where have you been?


I've been busy taking up a new hobby :-) because I'm bored with computers and IT in general :-)) Don't worry, I'm not here to rain on your parade :-))

Pout Si Photographer :D


© 2012   Created by Ko Chit.