
network plan advice (link to image provided)


gwu (MIS, US), Dec 18, 2002
I have a Class C address space 205.187.3.0/24 for hosting a bunch of web/email/db servers. For security reasons, I need to subnet it out into multiple networks. Here is a link to an image I have created: .
I estimate about 30 servers per subnet. Is this the most efficient setup? Is there a better way? Currently I have one big network and all the servers DNAT to private IPs behind one firewall. After a couple of years I find I would rather do away with DNAT mostly for DNS reasons.

Network A: 205.187.3.240/28
Network B: 205.187.3.128/27
Network C: 205.187.3.0/27

Network A will be used for the entrance to the rest of the network. B & C are the different hosting subnets. In theory this should leave me leftover addresses for additional /27 subnets such as:

Network D(Future): 205.187.3.32/27

This will also leave me enough addresses in Network A if I need to add more firewalls/subnets (such as Network D). Right now there is really only one router but I will implement BGP in the future.

Thanks
 
Depending on the level of isolation you're looking for, a Layer 3 switch with each subnet on a dedicated VLAN should do the trick...
 
This solution is better than separating by firewall? Can someone please explain/confirm?

One thing I need to do is completely separate the subnets from each other. If I f#*k up the firewall on one subnet it will not affect the other. The more separation the better for the clients we have. It seems VLAN might not be enough separation.

Thanks
 
sound like you're looking for firewall redundancy also...

I think running any HA on your firewalls AND a layer-3 switch connecting the inside interface of the pair of firewalls and other client subnets will work even better.
 
But is VLAN/layer-3 switching what I need? Isn't this question independent of firewall redundancy? What is the best way to separate the network... phannah said "VLAN should do the trick" but that is a little vague.

phannah also said: "Depending on the level of isolation you're looking for.." What does that mean? The more isolation I want, I should not use VLAN? With VLAN you share the same switch fabric, correct?

There is no contractual obligation for us to even separate the network. However, I feel it would be in our and our customers' best interest to do so. The security needs for some customers are much, much higher than for our other customers. Reliability is much more important as well.

thanks

 
With a /27 subnet mask, 30 hosts per network, you get 8 networks for addressing with your class C.

You implemented a /28 subnet mask to gain 14 host networks for your switch / router communications.

Therefore 7 networks of 30 hosts, and 2 networks of 14 hosts to fill the class C.

/27 Netmask
Network          First host       Last host        Broadcast
205.187.3.0      205.187.3.1      205.187.3.30     205.187.3.31
205.187.3.32     205.187.3.33     205.187.3.62     205.187.3.63
205.187.3.64     205.187.3.65     205.187.3.94     205.187.3.95
205.187.3.96     205.187.3.97     205.187.3.126    205.187.3.127
205.187.3.128    205.187.3.129    205.187.3.158    205.187.3.159
205.187.3.160    205.187.3.161    205.187.3.190    205.187.3.191
205.187.3.192    205.187.3.193    205.187.3.222    205.187.3.223

/28 Netmask
Network          First host       Last host        Broadcast
205.187.3.224    205.187.3.225    205.187.3.238    205.187.3.239
205.187.3.240    205.187.3.241    205.187.3.254    205.187.3.255

Logically I can see where you're going with the design, but what are you accomplishing that would heighten security? I believe you were doing private addressing with NAT, therefore by splitting the hosts into different networks you are gaining some level of security (8 networks versus 1). But nothing has really been done to prevent the 30 servers in one subnet from talking to each other. Sure you have a firewall between the subnets, but with 30 hosts / subnet, you need to do something to make sure those hosts cannot talk to each other within the subnet (I know as a client I would not like my webserver communicating with other webservers, for security).

I believe the previous poster was saying, why don't you put every 'server' on a VLAN with private addressing (/30 subnet mask, point-to-point, 128 'server' networks), and put ACLs on the router interfaces to only allow communication to necessary servers / gateways and not between VLANs. This would isolate the server from all communication between computers that may be on the same public subnet.
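As an added illustration (not code from the thread or from any poster), a short Python script that reproduces the /27 and /28 host-range table above, checks gwu's proposed blocks (A, B, C and the future D, taken from the original post) for overlap, lists what is left of the /24, and flags two hosts that share a subnet and so never pass through the inter-subnet firewall; the block names and the free-space arithmetic are the only assumptions.

```python
import ipaddress

CLASS_C = ipaddress.ip_network("205.187.3.0/24")  # the /24 from the thread
PLAN = {  # blocks proposed in the thread; D is the "future" block
    "A": ipaddress.ip_network("205.187.3.240/28"),  # entrance / transit block
    "B": ipaddress.ip_network("205.187.3.128/27"),  # hosting subnet
    "C": ipaddress.ip_network("205.187.3.0/27"),    # hosting subnet
    "D": ipaddress.ip_network("205.187.3.32/27"),   # future hosting subnet
}

def subnet_table(parent, new_prefix):
    """Rows of (network, first host, last host, broadcast) for each /new_prefix cut of parent."""
    rows = []
    for net in parent.subnets(new_prefix=new_prefix):
        hosts = list(net.hosts())  # excludes network and broadcast addresses
        rows.append((str(net.network_address), str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)))
    return rows

def usable_hosts(net):
    """Addresses a block can hand to servers (network and broadcast excluded)."""
    return net.num_addresses - 2

def check_plan(parent, plan):
    """Every block must sit inside the parent and no two blocks may overlap."""
    nets = list(plan.values())
    for i, a in enumerate(nets):
        if not a.subnet_of(parent):
            raise ValueError(f"{a} is outside {parent}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True

def free_blocks(parent, plan):
    """Unallocated CIDR blocks left in the parent, in address order."""
    free = [parent]
    for n in plan.values():
        remaining = []
        for f in free:
            if n.subnet_of(f):
                remaining.extend(f.address_exclude(n))  # carve n out of f
            elif not f.subnet_of(n):
                remaining.append(f)  # f is untouched by n
        free = remaining
    return [str(f) for f in sorted(free)]

def same_subnet(ip_a, ip_b, plan):
    """True when both hosts sit in one block: their traffic never crosses the inter-subnet firewall."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return any(a in n and b in n for n in plan.values())
```

With this plan the /24 still has 205.187.3.64/26, 160/27, 192/27 and 224/28 unassigned, and two servers in Network B (for example .130 and .140) reach each other without the firewall ever seeing the traffic, which is the point the post above makes.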
 
I will explain. One subnet would be for one customer. They will possibly have a large number of servers (web, data, dns, media, etc). Since they are all one customer, they will all go on the same subnet, unless someone explains otherwise. The other subnet would be dedicated to about 10 customers that are very small and we will probably get rid of within the year. One thing that will be shared would be the backup (Veritas). I am not set on this design, I am just trying to find the best solution.

In your suggestion, is this what it would look like? Can I stick with public addresses in your solution? I know some people think it is more secure with private, but over time I think I would prefer public (at least for publicly accessed servers such as mail and web; I can use private for the backend dbs).


router
|
|
firewall
|
|
router (on a stick)
|
|
VLAN SWITCH
|
|
servers

I am guessing this is what you call "router on a stick". The router is needed for inter-lan communication, correct?

Would the network stay at /24 then?

thanks
 
In this case, sticking with your own design will be good enough. I mean the original gif diagram.

This is quite a modular approach. Each customer "block" consists of a firewall, a switch and their own PCs/Servers. If the customer requests more VLANs for their own use then just replace the switch with a L3 switch or a router.

So whenever you have a new customer joining your network, they'll have their own separate firewall to protect from others. This should provide enough security between customers.
 