# Firewall and Network topology help



## alupis (Jun 19, 2006)

Hello, 

we have the need to re-segment our network to impose better security and control over traffic, etc. Currently we are using a "Screened Subnet" firewall topology with a single firewall and multiple interfaces. Currently we have our public services servers out in front of the firewall completely, so they are totally exposed to the public internet with absolutely no control. Everything else is running inside the firewall on the same subnet, including all servers, workstations etc. This is obviously not the ideal setup, but this is how it was engineered back when the company was much smaller, and it hasn't really adapted well to the company's growth over the years. 

We now have the need to better secure a group of workstations since they deal with our customers' sensitive information. We want to design the network in such a way that that group is locked down as tightly as possible, yet still maintain connectivity with our Active Directory setup for user authentication/permissions as well as keep access to several of the servers running on our intranet. This group of workstations needs access to the internet.

Basically we are thinking of using 4 networks: 1 for the server network, a regular workstation network, a secure workstation network, and a DMZ for public servers. 

Internet -- 
--Firewall 1 --DMZ with Public Servers -- 
--Firewall 2 -- Server Network, Workstations Network -- 
--Firewall 3 -- Secure Workstation Network

Our firewall has extra available interfaces so we could use it to run all the networks at once... but I'm not sure if this is ideal.

Internet--
--Firewall --DMZ, Servers, Workstations, Secure Workstations (different Vlan and different subnet)

Would it be best to use VLANs and different subnets on all networks to separate broadcast domains as well?

How best should we set up/place this network? We have the ability to use multiple firewall solutions (using something like pfSense or Smoothwall, etc.). 

Also, where would be the best locations to place IDPS/sniffers to monitor our traffic... obviously sniff the traffic coming into the firewall from the internet, but should we also sniff each of the networks internally?

So basically we need to maintain AD services, intranet services, internet services, and all at the same time limit the vulnerability of the secure workstations in the event someone broke into the network. And we need to resegment the rest of our network to keep someone who breaks in from having a field day all over everything, but instead be stuck in whatever subnetted network they got into...


----------
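The single-firewall, multiple-interface variant of the layout sketched above (DMZ, servers, workstations and secure workstations each on their own interface and subnet) can be expressed as one zone-based ruleset. The following nftables ruleset is an added example, not configuration from the original poster or from pfSense/Smoothwall; interface names, subnets and server addresses are constructed placeholders, and the AD port list (Kerberos, LDAP, SMB, RPC endpoint mapper, DNS, NTP; the dynamic RPC range is assumed to be the Windows default 49152-65535) is the set a domain member needs to reach a domain controller:

```nftables
#!/usr/sbin/nft -f
# Added example: one firewall, five interfaces, four internal zones.
# All interface names, addresses and hosts below are constructed placeholders.
flush ruleset

define wan    = "eth0"
define dmz_if = "eth1"
define srv_if = "eth2"
define wks_if = "eth3"
define sec_if = "eth4"

define dmz_net = 10.10.1.0/24
define srv_net = 10.10.2.0/24
define wks_net = 10.10.3.0/24
define sec_net = 10.10.4.0/24

define public_web = 10.10.1.10                 # the one publicly reachable server
define dc         = 10.10.2.10                 # Active Directory domain controller
define intranet   = { 10.10.2.20, 10.10.2.21 } # intranet servers the secure zone needs

# Ports a domain member needs on a DC (DNS, Kerberos, RPC mapper, NetBIOS,
# LDAP, SMB, kpasswd, LDAPS, global catalog, dynamic RPC range).
define ad_tcp = { 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 49152-65535 }
define ad_udp = { 53, 88, 123, 137, 138, 389, 464 }

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed outbound come back on state.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published service on the public server.
        iifname $wan oifname $dmz_if ip daddr $public_web tcp dport { 80, 443 } accept

        # DMZ -> internet: outbound web for updates. DMZ -> any internal zone: never.
        iifname $dmz_if oifname $wan tcp dport { 80, 443 } accept
        iifname $dmz_if oifname { $srv_if, $wks_if, $sec_if } log prefix "dmz-to-internal " drop

        # Regular workstations: the server network and the internet.
        iifname $wks_if oifname $srv_if accept
        iifname $wks_if oifname $wan accept

        # Secure workstations: AD on the DC, the named intranet servers, web out. Nothing else.
        iifname $sec_if oifname $srv_if ip daddr $dc tcp dport $ad_tcp accept
        iifname $sec_if oifname $srv_if ip daddr $dc udp dport $ad_udp accept
        iifname $sec_if oifname $srv_if ip daddr $intranet tcp dport { 80, 443 } accept
        iifname $sec_if oifname $wan tcp dport { 80, 443 } accept

        # Servers may reach the internet for updates; they never initiate into the secure zone.
        iifname $srv_if oifname $wan accept

        # No zone initiates connections into the secure zone; log whatever tries.
        oifname $sec_if log prefix "to-secure-denied " drop

        # Every other zone crossing is denied and logged.
        log prefix "fwd-denied " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the one public server on the WAN address.
        iifname $wan tcp dport { 80, 443 } dnat to $public_web
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and confirm the policy with `nft list ruleset`. The important property is that the secure zone only ever initiates; nothing, including a compromised DMZ host or a regular workstation, can open a connection to it. The `log` rules mark exactly the zone crossings a sniffer or IDS should watch, which answers the "sniff internally too?" question: a span port on the DMZ and secure interfaces, or the firewall's own denied-forward log, shows lateral movement attempts that a sensor on the internet link alone never sees.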



## Wand3r3r (Sep 17, 2010)

how many users/devices [servers/pcs]?


----------



## alupis (Jun 19, 2006)

roughly about 25-30 workstations of which 3 are currently in the zone that needs to be secured (however we may have up to 10 in this secure zone during busy season). About 12 Servers of which only one needs to be completely publicly accessible (in a DMZ).


----------



## Wand3r3r (Sep 17, 2010)

I would rearrange as follows:

firewall1
**** web servers behind firewall with port forwarding not in a dmz
firewall2
**** unsecured lan
firewall3
**** secured lan


this is assuming a single wan link. 

Some will bring in a second wan link for just the web servers. Web servers have two nics with one going to the web and the other going to the corp network via a firewall for administration purposes.

You have no need for VLANs or subnets beyond the three behind each firewall. Internal servers should be in the secured LAN.

If you want to monitor getting hacked, consider setting up a honeypot:

firewall1
**** DMZ Honeypot
**** web servers behind firewall with port forwarding not in a dmz
firewall2
**** unsecured lan
firewall3
**** secured lan


----------

