
Advice on Novice Net Map

Status
Not open for further replies.

Akusei

Programmer
Jul 15, 2003
90
US
Hello everyone. I am a novice at network administration (at least I consider myself a novice), and I would like everyone to take a look at this network diagram I put together. Please let me know what you think and please be brutally honest. Let me know if it looks like a well thought out and planned network design or if it's crap and what I should do to make it better. Also, is my Perimeter (DMZ) network too large? Thank you everyone for your input.

link to image:
Best Regards,
Nathan Martini
 
Well, I'm not sure if this is a diagram of an existing network or one in the making. In viewing the diagram, which you should never put in an unsecured area.

Why have 2 router/FWs that handle the VPNs? Why not have the VPNs point to the main FW? Also your diagram shows 2 FWs, 1 between the internet and DMZ, the other between internal and DMZ; I hope that these 2 FWs in the diagram are a single FW cluster. The one router/FW has an ISDN device; if you're going to keep it in the diagram, have the connector go from the VPN T to the ISDN box. Do you have 2 router/FWs for the VPNs or are they just a single device with 2 types of connection (i.e. ISDN, Frame)? If this is the case I would diagram it as a single device with multiple connections and label the connections.

You will probably want to have a few versions of each diagram, depending on who wants to view it. For example, we have 1 version that is for Net Services; it is a very precise document with everything labeled (IPs, DLCIs, circuit numbers etc.), then one tamed down for the Support Desk (device IPs) and one for general usage (mgmt, consultants, developers etc.).

Hope this helps. When designing, always make it as simple as possible. It means you'll have fewer devices to monitor and maintain.
[cheers]
 
Well, I appreciate your advice and hope to get more of it! The reason for 2 VPN routers is because 1 is mine and the other is a 3rd party company's; being that it is their router, they want to use it and they won't let me modify it, so VPN T stays the way it is. There's no way around that.

The firewall between the internet and dmz is actually a router with a firewall on it. The main reason I don't want to put VPN O and VPN A on this router is for traffic reasons, I will have a ton of traffic running through the internet/dmz firewall as well as the VPN O and A router.

Do you think it would be better to make all VPN connections plug into the internet/DMZ router? Do you mean for me to keep all 3 routers and plug the 2 VPN routers into the internet/DMZ router, or get rid of the 2 VPN routers and add WAN ports to the internet/DMZ router and have the VPNs branch from there? Would only having the 1 router cause a bottleneck?

I REALLY appreciate the reply, thanks.

Best Regards,
Nathan Martini
 
Hey Nathan,
NP. See, what I was thinking was, if it's possible, take the 2 Router/FWs and combine them by using (VRRP/HSRP). This way you'll have redundancy, and it will be easier to manage; maybe even drop one connection and increase the other, or keep it as a failover connection. Since I don't know what equipment you own or what you can/can't do, I have to guess.

I would take the VPN A O router and, if possible, set it up as a redundant FW router (either DMZ/int or DMZ ext), whichever is the most important. Get the VPNs pointing to the FW (Ext/DMZ), take the freed-up lines and put them as redundant lines on the Internet router.

By combining some of your services you can build up some redundancy for an inexpensive price.
[cheers]
 