  • Network Design Question for Home Office

    Hello everyone,

    I need a little help with network design. I have my home office which services only myself, no other employees. I have a server that acts as my DC and DHCP server along with all my work computers that are on my home domain.

    In the next few days I will be setting up a webserver to run from my home office. I know that best security practice would be to set up a separate dedicated broadband account and a separate dedicated network for the webserver. However, this is not possible for a few reasons.

    My question is this: what would be the best network design to keep my future webserver as distant from the inside server as possible? Would the design below work best?

    Modem >> Router >> Webserver >> Firewall >> Local Server and workstations

    If the webserver plugs into the router with the firewall also plugged into the router, would all computers behind the firewall be safe? Or if I set up a DMZ correctly, could everything plug directly into the router?

    I have never had any formal training on network design so if someone could point me in the correct direction I would appreciate it. I am generally a pretty quick learner so if there are some books or websites I could look at too that would be very helpful.

    Thanks everyone,

  • #2
    Re: Network Design Question for Home Office

    Your firewall should be a PC with 2 NICs running a suitable firewall app such as Zone Alarm Pro or whatever. The network should look like this:

    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Network Design Question for Home Office

      Your web server should have a firewall installed too but obviously this should leave open only those ports necessary for external people to read the web pages, and should allow your internal network access to do whatever it likes. Any rudimentary firewall functions on the router should be looked at and enabled if appropriate.


      Tom



      • #4
        Re: Network Design Question for Home Office

        Originally posted by Stonelaughter:
        Your firewall should be a PC with 2 NICs running a suitable firewall app such as Zone Alarm Pro or whatever. The network should look like this:
        I was actually going to use a Firebox as my firewall, unless you guys would recommend using a PC instead.



        • #5
          Re: Network Design Question for Home Office

          Originally posted by Stonelaughter:
          Your web server should have a firewall installed too but obviously this should leave open only those ports necessary for external people to read the web pages, and should allow your internal network access to do whatever it likes. Any rudimentary firewall functions on the router should be looked at and enabled if appropriate.
          Obviously the webserver will have a static IP but should it be a part of the domain? Or should I just let it stand alone?



          • #6
            Re: Network Design Question for Home Office

            I'd be very hesitant to put any domain members outside of the firewall.
            VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
            boche.net - VMware Virtualization Evangelist
            My advice has no warranties. Follow at your own risk.



            • #7
              Re: Network Design Question for Home Office

              Ok, so the webserver is outside the firewall as a standalone computer, not a part of the local network.

              Thanks for all your help folks!!!



              • #8
                Re: Network Design Question for Home Office

                Originally posted by kxcntry99:
                I was actually going to use a Firebox as my firewall, unless you guys would recommend using a PC instead.
                I don't know what a Firebox is, but I'm sure that if you've specced it and it meets your needs it will be fine. Check the relative price over functionality compared to a (Linux based) PC solution though; I say Linux because a MUCH cheaper PC than the supportable Wintel equivalent will support a firewall under Linux and perform well.


                Tom



                • #9
                  Re: Network Design Question for Home Office

                  Ehhh, webserver outside the firewall?????
                  Why not place the webserver into a DMZ??
                  I don't know if the router supports any firewall options, because otherwise he's hacked soon...

                  For a cheap firewall solution I would recommend Smoothwall.
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"



                  • #10
                    Re: Network Design Question for Home Office

                    If you're using a FireBox, you can get instructions from the Watchguard website (www.watchguard.com) on how to configure a DMZ for your webserver, so it's still sitting behind the firewall, but allowed proxied contact with the outside world. This gives you the best of both worlds, an accessible webserver, which is protected by a firewall. You'll have to play with the configuration to get the best performance with the least exposure, but if you're buying a brand new FireBox, you'll get some free support in setting it up. I highly recommend that you take advantage of it.

                    Scott



                    • #11
                      Re: Network Design Question for Home Office

                      Originally posted by Dumber:
                      Ehhh, webserver outside the firewall?????
                      Why not place the webserver into a DMZ??
                      I don't know if the router supports any firewall options, because otherwise he's hacked soon...

                      For a cheap firewall solution I would recommend Smoothwall.
                      I second Marcel's comments. Some other open source firewall/router solutions that support a DMZ with firewalling on the DMZ would be m0n0wall or pfSense (both of which have a lot of functionality and require very little on the resource end).

                      Nate
                      My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.



                      • #12
                        Re: Network Design Question for Home Office

                        Thanks for all the help everyone. I think I am going to go the route of the DMZ. I thought that would be the best practice but I wasn't sure about having everything behind the same firewall.

                        The only hangup with the DMZ that I had from the start was this:

                        If someone hacks the webserver, and it's behind the firewall, what would stop the hacker from gaining access to the local intranet? If all computers are on the same switch/router behind the firewall, even if they are not all on the same domain, can't someone gain access?



                        • #13
                          Re: Network Design Question for Home Office

                          Originally posted by kxcntry99:
                          The only hangup with the DMZ that I had from the start was this:

                          If someone hacks the webserver, and it's behind the firewall, what would stop the hacker from gaining access to the local intranet? If all computers are on the same switch/router behind the firewall, even if they are not all on the same domain, can't someone gain access?
                          As long as the 2 subnets are different (e.g. intranet is 192.0.0.1/24 and web subnet is 192.1.1.1/24), I believe (please correct me if I'm wrong) the ISO/OSI network model standards would not allow it without some form of routing. But by running both subnets over the same switch, an attacker could gain access to the web server, figure out the other subnet, and then assign a second IP to the web server NIC and have access to the other subnet, because the switch has become a shared medium for the two subnets.

                          In my opinion, I would have to say the best bet is to run a LAN and a DMZ subnet, but segment them by having 2 switches or 2 VLANs (1 for LAN and 1 for DMZ). I would then use the firewall to set traffic rules controlling what traffic will be allowed between the 2 subnets and, of course, what traffic would be allowed into the DMZ from the WAN and allowed out to the WAN from the 2 subnets.

                          Hope this helps in the design decision process.

                          Nate
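To make the LAN/DMZ rule set described in the post above concrete, here is an added example (not code from the thread or from any of the posters) that models the firewall's zone policy in Python. The subnets, rules and sample flows are constructed for illustration, and the model only holds under the post's own condition: LAN and DMZ sit on separate switches or VLANs, so every cross-zone packet actually passes through the firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnets for this example; the thread does not give real ones.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),  # DC and workstations
    "DMZ": ipaddress.ip_network("192.168.20.0/24"),  # web server only
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone: WAN, DMZ or LAN
    dst: str              # destination zone
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

# First match wins; a connection matching no rule is dropped (default deny).
POLICY = [
    Rule("WAN", "DMZ", "tcp", 80, "allow"),    # public web traffic only
    Rule("LAN", "DMZ", "any", None, "allow"),  # inside may manage the web box
    Rule("LAN", "WAN", "any", None, "allow"),  # inside may browse out
    Rule("DMZ", "LAN", "any", None, "deny"),   # hacked web box cannot reach the DC
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside LAN/DMZ is the WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Firewall verdict for one new connection. Assumes LAN and DMZ are on
    separate switches/VLANs; on a shared switch the firewall never sees it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same zone: the switch forwards it, not the firewall
    for rule in POLICY:
        if ((rule.src, rule.dst) == (src, dst)
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"
```

With this policy a compromised web server can still answer port 80 from the internet but gets no path to the DC's SMB or LDAP ports, which is the property the question above is asking for.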



                          • #14
                            Re: Network Design Question for Home Office

                            Come on gang, this is a simple SOHO network where the OP wants to expose port 80 to a web server.

                            Now all the proposed solutions are marvelous but, IMHO, complete overkill for this poor soul. If the OP wants to make a Fortune 500 class setup, great. But if all that is required is sufficient security to prevent a likely hack, then putting the web server in the DMZ, etc, etc. is overkill.

                            This situation can easily be handled by any major brand home router (w/ whatever limited FW features it offers). Stick all machines behind the router; map port 80 to the web server; add that Firebox FW as desired; run some kind of firewall SW (the MS Firewall is good enough) on all the machines, and be done with it. Of course, all machines will be patched to current levels regularly and AV / Adware / Malware will be running throughout.

                            Not saying you can't hack this scenario (esp. w/ IIS as the web server), but we're at a point of diminishing returns on this one.

                            Now if the OP wants to be a network security guru, then go for it.

                            I'd provide y'all w/ my IP to try to hack my setup (as I've described) but I'm behind a Metro-Area-Network here as I'm fiber connected and the ISP doesn't [know how to] throttle outbound speed. I'm charged 2 euros a day to expose my lower ports to the world thus I do it sparingly. But, I've run this same config for years in both the USA and the Middle East and, although I could see attempts in my router / FW / IIS log, my network has never (touch wood) been compromised.

                            It is my position that the number one way a "reasonably secure" setup is compromised is through opening a bad attachment in an email or running active content in a bad web link (often from an email). That's why we spend so much energy scrubbing emails before they get to the user as users are often less than computer savvy.

                            Looking forward to an energetic response.
                            Cheers,

                            Rick

                            ** Remember to give credit where credit is due and leave reputation points where appropriate **

                            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                            • #15
                              Re: Network Design Question for Home Office

                              RvalStar --

                              Thanks for the input. Yes, indeed it is simply a SOHO network setup with a webserver. To that end setting up port forwarding of port 80 to the server and firewalls (SW and HW) should be enough.

                              However, since I have already invested in the Firebox and since my router is capable of a DMZ, I think I will go with some of what was previously posted, even if it's overkill. I'd rather be safe than sorry, and I am already 3/4 of the way there.

                              Thanks for all your help everyone, as always the information posted was invaluable.
