bruinator
08-25-06, 06:20 PM
Hi, I am new to this forum and wanted to say hi and hopefully get some help. I am trying to set up my environment for internetworking and am hoping someone could look at the topology I am thinking of using below and tell me whether it is the way to go. Would this be the best way to solve any connectivity, reliability, network management, and flexibility issues that may come up?
Are there certain services and software packages needed? I am not really familiar yet with OSI, so if someone can help out with that, that would be great.
I would be extremely grateful for any help given. Thanks a lot.
http://i105.photobucket.com/albums/m207/law2k7/Drawing5.jpg
Bouncer
08-25-06, 09:41 PM
That looks like a fairly standard basic setup. I notice that you have a DMZ, but I do not see a firewall. I am also curious why you have web, FTP and email servers sitting in the DMZ. That's a fairly standard deployment for the mid-90s. Nowadays, if not specifically needed, it would be smarter to move these behind the router/firewall.
I would also use VLAN-capable switches and separate your users and servers logically rather than physically. That way it doesn't matter which switch they plug into, and you can control access to the servers. Finally, I'd cross-connect the switches so that you have a physically redundant path to the internal servers.
Regards,
-Bouncer-
bruinator
08-26-06, 03:26 PM
Bouncer,
I have updated my topology to what you suggested, but I am not sure if I have it correct. Can you please let me know if it is what you were talking about? I am sort of new to networking and am trying to learn it as best as I can. I appreciate your time and your help.
http://www.sharebigfile.com/file/2081/internetworkingscan.zip.html
Bouncer
08-26-06, 04:21 PM
That looks fine. You may want to try to connect the various servers to both VLAN switches for load balancing and path redundancy (provided the servers have more than one NIC card).
Other than that, it looks fairly straightforward to me.
Regards,
-Bouncer-
YeOldeStonecat
08-26-06, 06:15 PM
Is this one location? Or multiple locations?
How large is the LAN?
I agree... I prefer my servers behind NAT... I don't DMZ anything.
bruinator
08-26-06, 06:41 PM
Oh, I am not familiar with OSI, but by setting it up this way and adding another NIC card for load balancing and path redundancy, does that set up the OSI layering correctly? If someone could let me know I would greatly appreciate it. Also, are there some other things like services or software packages needed? Please feel free to let me know.
NAT: sorry, I am unfamiliar with this term. Please feel free to explain.
TIA
YeOldeStonecat
08-26-06, 07:05 PM
NAT = Network Address Translation... it's what most routers do if running in gateway mode.
Open/forward only the minimum ports necessary to run the service you wish to expose publicly. I.e., port 25 to your mail server, port 80 to your web server, 3389 to your TS box, etc.
bruinator
08-26-06, 07:37 PM
So I should set servers in gateway mode and run NAT on each? Like I said, I am just learning networking, and I want to learn as much as possible and appreciate any helpful hints and suggestions. The topology I used in the previous post: is there any difference in a gateway topology? I will post another setup given by Bouncer in a bit; if you guys could take a look I would be most thankful.
TS box??? Please explain if you don't mind.
bruinator
08-26-06, 07:40 PM
Here it is, please look when given the chance.
http://www.sharebigfile.com/file/2135/internetworking2.zip.html
tia
Bouncer
08-27-06, 03:16 AM
Okay.. let's take a moment and back up.
OSI stands for Open Systems Interconnect. It is a LOGICAL model that breaks down networking into functional groups. As in, physical (wire, electrical) stuff is at layer 1, versus software applications (Word, Excel, IE or Firefox) at layer 7.
The reason for the OSI model is so that vendors of whatever do not have to worry about layers far away from their own. For instance, the NIC vendor uses a set of industry-standard electrical protocols to move data onto the wire and retrieve it from the wire. It does not care at all what that data is. It only concerns itself with what is happening at its OSI layer.
Just so, all the other layers act in a similar manner (more or less), allowing software application vendors to use standard code to get or send data to another system, and they do not care how it actually happens down at the physical layer (or any other layer).
I explained that because it sounds like you're a bit confused about what the OSI layer is and what it does.
NAT, or Network Address Translation, is a tool used to put many private LAN PCs behind one public address. The reason for NAT is to conserve public addresses, which can be difficult to get. One of the byproducts of NAT is an added layer of security. NAT acts sort of like a switchboard with extensions. Everyone calls the same number to reach the office, but individual people have specific extensions off of the main number. Just so, NAT assigns a port ID to every request outbound to the world from an inside PC. Any return traffic has that port address attached, and NAT then routes it back to the correct inside PC. These ports are opened and closed as needed on a more or less random basis, which means that an attacker would have a more difficult time trying to get through if you hadn't opened a direct connection to him first.
The point is, you run NAT on the router connected to the world, and you run private inside addressing which is not routable. The reason for this is twofold. One, it protects you. If your PC somehow gets connected to the outside world directly, no OTHER router will route your traffic, because they know the inside routing numbers are forbidden to be routed. Two, it also allows you to set up your networks and subnetworks as you see fit, and you don't have to be as conservative about addressing space. There are three groups of numbers which are not routable and reserved for internal network use only. For your purposes you'll want to use either the 10.0.0.0 networks or the 192.168.0.0 networks.
As to the pic itself, it's now closer to what you want. I'd clean it up a bit, but functionally, it's basically correct. You have a redundant path for all of your primary internal servers, and you've moved servers which don't need to be in the DMZ out of it and behind the firewall router, which gives you greater control and more security. Note, you may still end up moving the web server back into the DMZ, but that's a 50/50 decision based upon how much traffic from the outside world it actually sees. There are pluses and minuses to every deployment scenario. From a design standpoint, you really need to decide how the servers are being used, as that determines their security posture and whether they can remain tucked away behind a firewall or need to have some public exposure. Make a list of questions and hand them out to the office to get answers.
Questions like:
What do you want out of the network?
What is the most critical part of the network to you? (web access? Email? Database access? etc.)
Do you do a lot of work from home or on the road?
How do you secure your system?
How do you log into network resources?
What Anti-Virus do you run?
What Anti-Spyware do you run?
What IM programs do you run?
Do you do a lot of collaboration and shared whiteboard or text/voice chat?
These are starter questions designed to help you figure out what the users are actually doing. You might find out surprising things which may affect the design.
Regards,
-Bouncer-
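The "switchboard with extensions" model of NAT from Bouncer's post, together with the "forward only the minimum ports" advice from YeOldeStonecat, as an added toy simulation (not code from the thread): an outbound request from a private-range PC gets a random public port, a reply on that port from the same outside host is routed back, anything unsolicited is dropped, and a static forward exposes exactly one service. The public and outside addresses below are constructed documentation values, and the random port choice is seeded so the demo is repeatable.

```python
import ipaddress
import random

# RFC 1918 ranges: the "not routable" inside addresses the post describes.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr is in a private range that public routers will not forward."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


class Nat:
    """Toy NAT: many inside hosts share one public IP (the 'switchboard')."""

    def __init__(self, public_ip, seed=0):
        self.public_ip = public_ip
        self.rng = random.Random(seed)   # seeded so the demo is repeatable
        self.dynamic = {}  # public_port -> (inside_ip, inside_port, dst_ip, dst_port)
        self.static = {}   # public_port -> (inside_ip, inside_port): explicit forwards

    def forward(self, public_port, inside_ip, inside_port):
        """Deliberately expose one service (e.g. public 25 -> mail server)."""
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->world packet; returns the rewritten source."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an inside address")
        while True:  # pick a free 'extension' for this conversation
            public_port = self.rng.randint(1024, 65535)
            if public_port not in self.dynamic and public_port not in self.static:
                break
        self.dynamic[public_port] = (src_ip, src_port, dst_ip, dst_port)
        return self.public_ip, public_port

    def inbound(self, src_ip, src_port, dst_port):
        """Route a world->public_ip packet; None means dropped (unsolicited)."""
        if dst_port in self.static:  # explicitly forwarded service
            return self.static[dst_port]
        entry = self.dynamic.get(dst_port)
        if entry is None:
            return None  # nobody inside opened this extension
        inside_ip, inside_port, dst_ip, expect_port = entry
        if (src_ip, src_port) != (dst_ip, expect_port):
            return None  # reply from a host we never contacted: drop it
        return inside_ip, inside_port
```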