
Please Help me to plan a physical Network Design




    Please have a look at this setup. This is my current setup.

    Now I want to make some changes to the current network setup because of some security issues. I want to do something like this...

    1. I will be using the same CISCO DSL Router for connecting to the outside world.
    2. Put in two firewalls.
    3. The first firewall will be a Netgear firewall.
    4. The second firewall will be a CISCO ASA 5505.
    5. Create a DMZ network.

    I am planning to put the following servers in the DMZ network:
    1. Wingate Proxy Server
    2. Web Service Server

    Do I have to take the DMZ servers out of my domain?

    1. Web Service Server
    This server talks to a web site which is hosted with an ISP, and this server needs to talk to the Database Server in my internal network.

    2. Mail Server
    Currently the E-Mail Server is receiving and sending mail through the Wingate proxy server, and none of the users access their email from the outside world, so I think there is no need to put this server in the DMZ.

    3. DNS Server

    Requirement: the Wingate Proxy Server can also act as the external DNS server. The AD server will be the internal DNS server.

    Currently I have Active Directory configured in my internal network. On the client side I want to configure the Active Directory server as the DNS server; the internal Active Directory can serve all internal requests, but all other queries it should forward to the Wingate Proxy server, which can handle all DNS queries. The Active Directory server should not contact outside DNS servers directly. How can I do that???

    Please suggest where I can put my proxy server. Should it be part of the DMZ network or of my internal network?

    Manoj Kumar

  • #2
    Re: Please Help me to plan a physical Network Design

    First of all - a few questions to ask before suggestions:
    1. Why do you want to use 2 firewalls one after another?
    2. The email server is used by internal users only, but is it also an MX-record SMTP server open to the world, or does it receive email messages from the ISP's MX-published mail server?
    3. What do you mean by "External DNS server"? Should you host some domain worldwide on your servers? Or from this server do you plan to send DNS queries from inside to outside networks?

    Now regarding the future plan.
    I prefer the following config:
    ===Cisco DSL router===
    ===Cisco Firewall=== <- LAN should only allow in the ports that are needed by the WinGate server, and the DMZ is only the WEB server
    ===WinGate server=== <- as I see it, it currently has 2 NICs - outside connected to the Cisco, inside to the Netgear firewall
    ===Netgear Firewall===
    ===Cisco Switch===
    ===LAN+MAIL+AD+Internal DNS with forwarders to the WinGate server===

    This way will help you, with minimal reconfiguring of the current services, to have a more secure environment.
    So - inside mail works from the LAN through the WinGate server. I think it is better to remove the WinGate server from AD and configure it stand-alone. Also, WinGate should be configured to proxy all internal-external traffic and the SQL queries from the WEB server. In case you want to prevent the AD server from running DNS queries - then configure a DNS server on the WinGate server.
    DMZ - the Web server should be allowed access from the Internet to the needed ports, and also removed from AD. SQL queries are allowed to enter the WinGate server and then are filtered (IDS, maybe) and enter the SQL server.
    WinGate should also proxy incoming traffic (WEB SQL queries & incoming mail messages), outgoing messages and Web traffic, so you can monitor all incoming\outgoing traffic.
    Denis Laskov
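The "internal DNS with forwarders to the WinGate server" piece of the answer above, as an added example that is not from either poster: on the AD DNS server, make WinGate the only forwarder and switch off the root-hint fallback, so the AD server never resolves Internet names on its own. It assumes a Windows Server DNS role with the DnsServer PowerShell module (2012 or later) and uses 192.0.2.10 as a placeholder for WinGate's inside NIC.

```powershell
# Added example (not from the thread). Assumes the DnsServer module on the
# AD/DNS server. 192.0.2.10 is a placeholder for WinGate's internal address.
$WinGateDns = '192.0.2.10'

# Set-DnsServerForwarder REPLACES the forwarder list (Add-DnsServerForwarder
# would append). UseRootHint $false means: if WinGate does not answer, fail
# the query instead of walking the Internet roots directly.
Set-DnsServerForwarder -IPAddress $WinGateDns -UseRootHint $false -Timeout 3

# Defence in depth: also delete the cached root hints, so a later
# "re-enable root hints" click has nothing to fall back to.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# Check the result: exactly one forwarder, UseRootHint False.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# Functional check from the AD server itself. The internal zone must still be
# answered locally; the external name must come back via WinGate. Both names
# are constructed placeholders; use your own domain and a known public name.
Resolve-DnsName -Name 'dc1.corp.example' -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -Type A
```

To prove the "never contacts outside DNS directly" requirement rather than assume it, add a rule on the Netgear/ASA that only permits UDP/TCP 53 outbound from WinGate, and confirm the AD server's lookups still succeed afterwards.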