Re: Advice needed for network planning (Firewall, Proxy, DNS, DHCP, SMB, FTP, HTTP, SSH, VPN)
- From: David Brown <david.brown@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 23 Sep 2007 01:24:13 +0200
Tom wrote:
Hello folks!
I am administering a small network with some Linux boxes as servers and some Windows based clients.
Now I am thinking about expanding this network with some additional features.
The purpose of my thread is to get some advice from you guys on how you would set this whole thing up, concerning the architecture of the network.
************
For the moment the network looks like this:
1. Linux box with 2 NICs:
- Firewalling between NIC1 (Internet Modem) and NIC2 (LAN)
- DNS
- DHCP
2. Linux box:
- Samba, being the fileserver for the network as well as the PDC and WINS
3.-7.: Windows clients
************
Now my situation is the following:
- I want to add the following servers:
- FTP
- HTTP
- VPN having access to the windows domain of samba
- Proxy
- I have 2 further PCs at my disposal (ranging from 400MHz to 850MHz)
My question is, how I should design this network to make most sense in terms of security and network logic. For instance a question would be if I can set up the Proxy on the same box as the firewall with its two NICs, or if I should move it to a separate PC having also 2 NICs, and to connect its NIC1 to the firewall and its NIC2 to the LAN.
For instance: Does it make sense to do the following:
DSL----(NIC1)[Linux1 being Firewall](NIC2)----(Nic1)[Linux2 being Proxy](Nic2)----LAN
on the LAN-Switch connected:
- Linux3 being: HTTP, FTP, DNS, DHCP
- Linux4 being: SMB PDC
- 5 Win clients
or is that much too complicated and overkill?
How would you design the network with the given hardware?
Where would you place the VPN-server which should have access to the shares on the SMB-fileserver?
Could I still pass via SSH from internet to the Linux boxes everywhere?
Thanks for any idea
Tom
One thing to consider is to use virtual servers, especially a light-weight virtualisation solution like openvz or linux-vserver. I've got a machine at the office with openvz - using a simple script, I can set up a new machine with a minimal debian installation (32-bit or 64-bit - they can be mixed as long as the host is 64-bit) in a couple of minutes. If I decide I've made a mess of the setup of a particular service, it's only another couple of minutes to delete the virtual server and start again.
Keeping things in virtual servers has three big advantages that I see. One is security - you keep your services separate, and any break-in on your http server (for example) does not affect your other servers. Since the openvz guests don't have any valid login users (even root can be locked - you can enter the guest from the host), they are more difficult to exploit. Secondly, you have scalability advantages - you make good use of a modern server PC, and when it starts to get stretched, you can migrate some of the virtual servers onto a new machine. The third big advantage I see is that with services running on separate virtual machines, each virtual machine is kept much simpler and cleaner, and can be updated separately. If one service requires Python 2.4 or above, and another won't work with anything newer than Python 2.3, you've got no conflicts when they are on different virtual servers.
mvh.,
David
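The provisioning script David mentions, written out as an added example (not his own script): it creates one OpenVZ guest from a minimal Debian template, gives it an address, and locks the guest's root account so the only administrative way in is `vzctl enter` from the host. The template name, hostname, addresses and the `DRY_RUN` switch are assumptions for illustration; `vzctl` itself must be present on the host for a real run.

```shell
#!/bin/sh
# Added example, not from the original reply. Provisions an OpenVZ guest
# and locks root inside it, as the reply describes. Assumes vzctl on the
# host and an OS template under /var/lib/vz/template/cache (assumed name
# passed as the 4th argument). With DRY_RUN=1 commands are printed, not run.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_ct CTID HOSTNAME IP TEMPLATE
provision_ct() {
    ctid=$1; host=$2; ip=$3; tmpl=$4
    # A container id must be a plain number; refuse anything else.
    case $ctid in ''|*[!0-9]*) echo "bad CTID: $ctid" >&2; return 1;; esac
    run vzctl create "$ctid" --ostemplate "$tmpl" --config basic || return 1
    # Assumed LAN layout: the firewall box at 192.168.1.1 serves DNS.
    run vzctl set "$ctid" --hostname "$host" --ipadd "$ip" \
        --nameserver 192.168.1.1 --onboot yes --save || return 1
    run vzctl start "$ctid" || return 1
    # Lock root inside the guest; admins use `vzctl enter CTID` on the host.
    run vzctl exec "$ctid" passwd -l root || return 1
}

# destroy_ct CTID: the "made a mess, start again" path from the reply.
destroy_ct() {
    ctid=$1
    run vzctl stop "$ctid" || return 1
    run vzctl destroy "$ctid"
}
```

Each service (http, ftp, proxy) gets its own CTID and IP, so a compromise of one guest leaves the others untouched.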