I have a project I am currently planning; it is for my business/home network. The project is pretty involved for a SOHO network. I'd like to get some input, advice, recommendations, etc.
Much of the project is in place and functional, but I am completely revising it to add Gigabit LAN and some legacy Cisco gear for L3 routing / L2 switching to the WAN and to isolate my business.
Most importantly of all, I am building my first NAT/Firewall (multi-homed PC), my first DMZ, my first Linux mail server, my first RRAS/VPN, my first authentication certificate server, my first privilege/authorization server, and my first NSM (all of which will run in the DMZ). I’ll be running DHCP services, so I’ll need relay agents configured appropriately, etc.; and, at some point, I'd like to begin hosting my own web site (though the trade-offs may not work for me... I am still not sure about this one).
This project will be mostly complete within the next 21 days, though certain components will develop over the next 12 months. Much of it is so I may serve my customers; much of it is for certifications; much of it is for personal home use.
I am doing this while serving my clients, studying, and trying to enjoy life a bit.
§ 1 Cisco 1700 Router
§ 1 Cisco 2600 Router
§ 1 Cisco 2900 XL Catalyst Switch
§ 1 Linksys SRW 2008 Gbit 8 port Switch w/ mini-gbic uplink
§ 3 Linksys EG005W Gbit 5 port switches
§ 1 SMC 2804WBRP-G Barricade F/W
§ 11 Servers (each with multi-disk, multi-OS configs; all x86; multiple versions of Svr2K8, Svr2K3, XP, Vista, Debian, Slackware, Fedora, Red Hat, CentOS, SuSE, Solaris, FreeBSD)
§ Four clients (home computers)
§ Two network printers (one photo; one tri-color laser)
§ A photo scanner
§ PDAs (wireless and direct)
Three French Hens
Two Turtle Doves and
A Partridge Family Greatest Hits Album
I want to achieve:
§ Full Gigabit backbone for the LANs; 802.11g for the wireless (WPA and MAC-filtered; large omni-directional antenna already in place and functioning well)
§ Fast Ethernet for routing beyond the LANs to the WAN interface (/30 subnets for all routers)
§ Entertainment: 2x homegrown multi-head DVR servers; Linux with MythTV; will back up to / retrieve from the SAN (only one disk inside for the OS)
§ SAN: 2x homegrown Linux towers; 11 disks each, 5.008 TB (10x 500 GB; 1x 80 GB), RAID 1+0
So, anyone up for helping me mix and match this menagerie of “GRRRR Animals?”
I have some direct questions I will ask right up front. My first one is this:
Question: If I multi-home a PC to make it my firewall, it must be absolutely secure. I know I can assign multiple IP addresses to a NIC; therefore, I would like to assign the WAN address to the WAN NIC, but I’d also like to assign a /30 IP address to that NIC as well, for routing to the LAN NIC, which will also have a /30 IP address and be the only other device on that same subnet.
1. Would doing this allow the box's routing function to operate properly?
2. Would doing this compromise the security of the firewall or the network, in any way?
Thank you in advance for all of your suggestions and recommendations.
The only thing I'd put in the DMZ would be the servers that people need to access from the Web. For a small office, everything else can reside on the same network.
Depending on your wireless security concerns, you may also want to put the wireless on a separate leg of your firewall, but if you are using WPA2 for wireless encryption, this may not be necessary as the standard is robust so far.
Keep the network as uncomplicated as possible at the beginning, with most servers and PCs on the same network (except for the DMZ). That way you have one less thing to troubleshoot.
As your confidence grows, consider network segmentation. You could make this part of your 12 month set of goals.
Keep the IP addressing simple for your firewall. Use the subnet provided by your ISP for the WAN NIC, and use /24 networks for your DMZ and SOHO networks. Routing from a /30 to a /30 isn't required. As long as you enable IP forwarding (routing) on your server, with NAT too, your access to the Web will be fine.
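To make the reply's layout concrete (ISP subnet on the WAN NIC, a /24 each for the SOHO LAN and the DMZ, IP forwarding plus NAT on the multi-homed box, and no /30 hop between the two NICs), here is an added example of a three-legged Linux NAT/firewall rule set. It is not code from either poster; the interface names (eth0/eth1/eth2), the RFC 1918 ranges, and the DMZ web server address are assumptions. It prints the commands by default (DRY_RUN=1) so you can review them, and applies them only when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: three-legged NAT/firewall for a multi-homed Linux box.
# Interface names, address ranges and the DMZ host below are assumed, not from the thread.
set -eu

WAN_IF="${WAN_IF:-eth0}"        # ISP-facing NIC; carries the address the ISP hands you
LAN_IF="${LAN_IF:-eth1}"        # SOHO LAN leg (assumed 192.168.10.0/24)
DMZ_IF="${DMZ_IF:-eth2}"        # DMZ leg (assumed 192.168.20.0/24)
LAN_NET="192.168.10.0/24"
DMZ_NET="192.168.20.0/24"
WEB_SERVER="192.168.20.10"      # assumed web server living in the DMZ
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands; 0 = execute them (requires root)

# Either print a command or run it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # The box routes between its NICs; nothing else is needed for the LAN NIC to
    # reach the WAN NIC, so no /30 "transit" subnet between them.
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F

    # Deny everything routed through the box unless a rule below allows it.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN clients may reach the Internet and the DMZ.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT

    # DMZ hosts may reach the Internet, but a compromised DMZ host must never
    # be able to open connections into the LAN.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Inbound HTTP from the WAN is forwarded to the DMZ web server only.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SERVER" \
        --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Source NAT for everything leaving the WAN NIC (MASQUERADE copes with a
    # dynamic ISP address; use SNAT --to-source if the address is static).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

firewall_rules
```

Review the printed rules first, then apply with `DRY_RUN=0 sh firewall.sh` as root. The rule set only governs traffic *through* the box (the FORWARD chain); lock down the box's own INPUT chain separately, since a firewall that also runs services on its WAN address is exactly the "compromise the firewall" case the question worries about.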