How to set up these servers?

March 5, 2009 at 01:02:33
Specs: Microsoft Windows Vista Ultimate, 2.267 GHz / 3068 MB
Hi!
I have a bunch of computer stuff left-overs from harvesting over time. I've been thinking about learning more about networking, so I'm trying to set up a "secure network", in terms of what has access to what, thus the many servers. I know it's unnecessary and it's too big, I'm just curious to see how it all would work together. Never mind the hardware specifications, firewalls, routers etc.

My question is this: Does it work to set up the network like this? If not, please explain so I may learn and please tell me your thoughts.

Link to image


Explanation:
- The web server, its FTP and the Exchange mail server will be behind a home made proxy server.

- The terminal server will only have access to the file server for storing data from external sources.

- The mail server will be very light in HDD space and archive mail on the file server after a while.

- The users will be connected to Windows server 2008 where they'll get policies from AD, be their DNS and DHCP server. They'll also have their own folders there. The Windows 2008 Server will backup and archive data on the file server.

- All the servers and users will have internet access except for the file server.


Thank you :)




#1
March 5, 2009 at 07:56:19
That's a pretty good drawing.

You have a nice division of services across available servers. It's always a good idea, whenever feasible, to run different services in different servers so as to reduce load on any one particular server.

This is especially true for a DC. Since you're talking about a Windows based, Active Directory integrated domain, here's what I would recommend: two DC's, with the second one configured to provide redundancy. That way should either one fail, the other one can take over without downing your entire domain.

I think you've overcomplicated your network design though. It should go from external into a firewall.

Internet >> Firewall

Behind the firewall would be your DMZ which would contain all your outward facing servers (http/ftp etc) and also your internal network.

so it would look something like:

Firewall >> DMZ
         >> LAN

(the LAN connects directly to the Firewall)

Your LAN of course would contain your DC's, internal servers, clients and whatever else you would have in your network that you wouldn't want exposed to the outside world.

LAN >> switch(es) >> servers/clients/network printers etc

If you know your way around UNIX, you could build a firewall using OpenBSD and that could also be your ssh/sftp (I prefer sftp over plain old vanilla ftp any day, it's more secure). The same box could also handle routing.

With regard to what is allowed to connect to what (ie: The terminal server will only have access to the file server for storing data from external sources.) This is not controlled by physical connections, it's controlled by your use of groups, users and the ACL's on shares. This is true for both internal and external access.

The mail server will be very light in HDD space and archive mail on the file server after a while.

You might want to look at a SAN/NAS for this instead of just a server. Whatever you do use is going to need to be on a RAID with a lot of available space.

All the servers and users will have internet access except for the file server.

Since nobody is going to be logging onto the file server locally and using it as a workstation, this is a moot point, right? You can avoid allowing it to have internet access by not configuring a gateway address when you do the static assignment of TCP/IP info, but you will want to update the operating system from time to time, so it will be likely that you will want it to have access to the internet. Just control who has physical access to the box and who's allowed to logon locally.


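A default-deny, first-match rule set for the Internet >> Firewall >> DMZ/LAN layout described in the answer above, with an audit of what ends up reachable from outside. This is an added example, not part of any post in the thread; every address, port and name in it is a constructed assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption; the thread gives no addresses).
DMZ, LAN = "192.0.2.0/28", "10.0.10.0/24"
WEB, MAIL, FILESERVER = "192.0.2.2", "192.0.2.3", "10.0.10.10"
HOSTS = {"web": WEB, "mail": MAIL, "dc": "10.0.10.5",
         "fileserver": FILESERVER, "client": "10.0.10.101"}
PORTS = (21, 22, 25, 80, 443, 445, 3389)  # ports probed by the audit

# First matching rule wins; anything unmatched is blocked.
# (action, source, destination, ports) with ports=None meaning any port.
RULES = [
    ("block", FILESERVER, "internet", None),   # file server: no internet
    ("pass",  "internet", WEB,  {80, 443}),    # published web server
    ("pass",  "internet", MAIL, {25}),         # inbound mail
    ("pass",  MAIL, FILESERVER, {445}),        # mail archiving to file server
    ("block", DMZ, LAN, None),                 # nothing else from DMZ to LAN
    ("pass",  LAN, "internet", None),          # users and servers browse out
    ("pass",  LAN, DMZ, None),                 # LAN may reach DMZ services
]

def matches(selector, addr):
    """True if addr falls under a selector: 'internet', a host or a subnet."""
    addr = ip_address(addr)
    if selector == "internet":  # anything outside both internal subnets
        return not any(addr in ip_network(n) for n in (DMZ, LAN))
    return addr in ip_network(selector)

def decide(src, dst, port):
    """Return 'pass' or 'block' for one flow crossing the firewall."""
    for action, s, d, ports in RULES:
        if matches(s, src) and matches(d, dst) and (ports is None or port in ports):
            return action
    return "block"  # default deny

def exposed(outside="198.51.100.7"):
    """List (host, port) pairs an outside address can reach."""
    return sorted((name, p) for name, ip in HOSTS.items()
                  for p in PORTS if decide(outside, ip, p) == "pass")

if __name__ == "__main__":
    print(exposed())
    # LAN-to-LAN traffic (terminal server to file server) never crosses the
    # firewall, so it is governed by groups and share ACLs as the answer says.
```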

#2
March 5, 2009 at 12:13:18
Thank you for answering.

... here's what I would recommend two DC's ...
I agree, that would be a good idea.

I think you've overcomplicated your network design though. It should go from external into a firewall ...
I thought about doing that, but that seems so, well, normal :)
I wanted to see if I could set up a proxy that would pretty much shield everything inside, IP-wise. I want to minimize the risk of anyone finding out about the IP-addresses and more. I thought a good, unorthodox and unsuspected move would be to set up a proxy (combined with a firewall). But that is probably unnecessary. Like I said at first, I haven't drawn any firewalls, switches, routers or anything other than the servers and clients into this drawing, but I can see the point you're making. Perhaps it would be best to "keep it simple".

You might want to look at a SAN/NAS ...
The reason I want to have some kind of access point before entering the file server is to provide a sense of extra security. I want that connection to be made/handled in a secure external environment and that anything uploaded/downloaded will go through this "choke point". Will that be possible or even practical? Perhaps it's too much.

You can avoid allowing it to have internet access by not ...
I was thinking about downloading the necessary updates externally and then applying them manually in the secure environment.


Thanks for your thoughts on this, anything else you or anyone else can give me would be of great help! :)


Thank you very much!



#3
March 5, 2009 at 13:57:48
I thought about doing that, but that seems so, well, normal :)

LOL

There's a good reason this is a 'standard' design. Security!

What you'd like to do is not what a proxy server was designed to do. Check this definition of a 'Proxy Server' on webopedia for a decent definition of what a proxy server is/does. Using a proxy server only would likely make your network less secure rather than more so.

Like I said at first, I haven't drawn any firewalls, switches, routers or anything other than the servers and clients into this drawing, but I can see the point you're making. Perhaps it would be best to "keep it simple".

KISS - this is one to live by when it comes to anything in computing and most especially when it comes to networking. While it may not be as fun or as interesting as making things complex the biggest reason for following the KISS principle is that it makes troubleshooting problems a whole lot easier. The more complex the network, the harder it is to troubleshoot. Since you know you WILL have problems, it only makes sense to make it as easy on yourself as possible to find and fix them when (not "if") they arise.

Also, KISS means less time spent managing and figuring out how to add on to your network.

I was thinking about downloading the necessary updates externally and then applying them manually in the secure environment.

This is definitely an option. In fact, if I'm not mistaken........and I may be on this one, as I've been away from domain admin for a few years now that I'm specializing in enterprise networking.......you could setup another Windows based server in your environment to be your "update server" so that it could serve up updates to every other windows based unit in your environment. At the very least, you could download the "network install" version of each service pack as it's released. Of course that means you miss updates and patches in between SP releases. In all honesty, it's always a "best practice" to physically secure any/all servers in your environment to prevent access. It's also a standard practice to never allow anyone who's not a server admin to be able to logon to them locally, or do things like update.


Thanks for your thoughts on this, anything else you or anyone else can give me would be of great help! :)

Always a pleasure to help. I can't think of anything else offhand though. My two basic principles of computing/networking are:

1) KISS
and
2) If it ain't broke, don't fix it!

I live by those and they've served me well. Good luck and happy computing! :)




#4
March 6, 2009 at 07:54:51
What you'd like to do is not what a proxy server was designed to do ...
I know what a proxy does (not on a technical level though), I wanted for all those servers/users IP to be indistinguishable from one another, like when a bunch of users connect through a proxy the server does the connections outside and not the actual user. But maybe what I wanted to do, that level, was too unreasonable for a proxy :)

KISS - this is one to live by when it comes to anything ...
I agree completely... normally. The thing is I want to go beyond what's "normal" and really challenge myself with a high-end solution (well, high-end for someone like me :P) thus the overcomplicated network.

you could setup another Windows based server in your environment to be your "update server" ...
That sounds like a good idea, that way I wouldn't have to manually take care of it myself. I could set up a kind of download/update automation schedule for both OS-based updates and maybe even software updates (provided the software developers have such a thing).

My two basic principles of computing/networking are: ...
Wisdom to live and die by in networking, from what I can understand :)


Again, thank you very much for your help! I feel I've learned much more and can improve my network a great deal! :D



#5
March 6, 2009 at 08:46:33
I agree completely... normally. The thing is I want to go beyond what's "normal" and really challenge myself with a high-end solution (well, high-end for someone like me :P) thus the overcomplicated network.

Where I work we have a very large and complex network. Needless to say it's very "high-end". We don't use anything like what you're talking about.

What we do use is VLAN tagging to separate subnets. So for example our finance department is on its own subnet separate from all other subnets. If you're not a member of the finance department (be it billing, collections, payroll etc etc) you aren't on that subnet and have no access to it. This means they're separate from the rest of the users in a very real sense as far as access to sensitive data goes.

We also have multiple routers/firewalls which also help us to handle security and separation of subnets/VLAN's.

I'm not sure you can ever achieve the one thing you're trying to do:
"I wanted for all those servers/users IP to be indistinguishable from one another, like when a bunch of users connect through a proxy the server does the connections outside and not the actual user. "
and to be honest, I'm not at all sure of any real "good" reason to do that. For the most part, the average user (at least all the 'average' users I've run into over the years) wouldn't know how to find out what their own IP address is, much less somebody else's. So to me this seems like a whole lot of work for almost no reason.

Again, thank you very much for your help! I feel I've learned much more and can improve my network a great deal! :D

My pleasure. I hope you get things figured out and working the way you'd like.

