Network Design for a Small Business
by Mike on June 3, 2010 · 6 comments
in Server Management
This image represents a basic network plan for a small company. The goal of this article is to use the image to describe the basic building blocks of a network, how they are typically put together, and why they are designed the way they are. There are of course many variations on this basic design; often the variation depends upon the needs of the company and on the skills of the people who work for it.
The Gateway connects two dissimilar networks. In this example the Gateway connects the Internet to the LAN and to the DMZ, which are themselves on different networks. As is often the case, the Gateway also performs a second function: it acts as the firewall. The firewall does NAT (Network Address Translation) for the LAN and port forwarding to the DMZ. Note that the DMZ is on a different network from the LAN, so every packet passing between the two goes through the Gateway, where it can be filtered.
LAN
The Local Area Network (LAN) is typically where you will place your workstations. This should be the most secure area of your network, as this is where the company's data and the workstations that hold it need to be protected. Typically the LAN uses private address space (RFC 1918), which is not routed on the Internet: the LAN's IP addresses are reachable only on the local network, and the Gateway must translate them (NAT) before any traffic leaves.
Caching DNS Server
The LAN has a Caching DNS Server that the workstations point to for DNS resolution. The caching gives the LAN faster access to commonly used sites, since the server keeps answers it has already looked up and reuses them for later queries. The Caching DNS Server should be reachable only from the local network and should answer queries only for the local workstations.
DHCP Server
The DHCP Server hands out IP addresses automatically to the workstations, the network printers and the wireless network as people connect laptops to it. Workstations and printers can be given fixed addresses (reservations tied to the device's hardware address) so that it is easier to map which address belongs to which device and location.
DMZ
The Demilitarized Zone, or DMZ, is a separate network where the company keeps its publicly accessible servers, such as the web server, DNS server and mail server. The DMZ separates the public servers from the LAN because intrusion attempts are much more likely against servers that offer services to the public, since every open port is a point of attack. The Gateway should be used to minimize those attacks by directing public access only to the specific services required. For example, the Web Server should receive traffic only on port 80, and the Gateway should not allow any other traffic through to it. This protects the Web Server, to a degree, and cuts down on network traffic.
Web Server
This is where the company web site is located. The Web Server is open on port 80 only, to minimize attacks. In today's environment, however, there should also be an application firewall on the Web Server, such as ModSecurity: port filtering does nothing against attacks carried inside otherwise legitimate HTTP requests. Most web servers run PHP and MySQL to make sites more interactive, and that dynamic code is exactly what the application firewall needs to protect.
DNS Server
Typically a small company will have two DNS Servers located on different subnets, so that their mail and web services still resolve if one DNS Server is unavailable. The DNS Server should allow only port 53, TCP and UDP. It should also be configured so that the general public cannot do recursive lookups, that is, lookups for names the server is not authoritative for, which the server would otherwise have to chase through other servers until it finds an answer. A public DNS Server should answer only for the company's own zones; an open recursive resolver can be abused by outsiders.
Mail Server
Which ports are open on the Mail Server depends upon how the company has its mail set up. The MTA (Mail Transfer Agent) must of course have port 25 open so that mail can be exchanged with other mail servers. Whether the company offers web-based email or POP3 determines which other ports are open and whether they are encrypted.
Bridge
The Bridge is different than the Gateway in that the Gateway typically uses NAT, Network...
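As an added example, not from the original article, here is a Gateway ruleset in iptables-restore format that implements what the Gateway, DMZ, Web Server, DNS Server and Mail Server sections above describe: NAT for the private networks, port forwarding of only the published ports (80 to the web server, 53 TCP and UDP to the DNS server, 25 to the mail server), and a FORWARD policy that drops everything else, including any traffic from the DMZ into the LAN. The interface names, the 192.168.1.0/24 and 192.168.2.0/24 address ranges and the three server addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: an iptables-restore ruleset for the Gateway described above.
# All interface names and addresses below are assumptions for the example,
# not values from the original article.

WAN_IF=${WAN_IF:-eth0}        # Internet side of the Gateway
LAN_IF=${LAN_IF:-eth1}        # workstations, caching DNS, DHCP
DMZ_IF=${DMZ_IF:-eth2}        # public web, DNS and mail servers
LAN_NET=${LAN_NET:-192.168.1.0/24}   # private, NATed, never routed on the Internet
DMZ_NET=${DMZ_NET:-192.168.2.0/24}   # also private; reached only through port forwards
WEB_IP=${WEB_IP:-192.168.2.10}
DNS_IP=${DNS_IP:-192.168.2.11}
MAIL_IP=${MAIL_IP:-192.168.2.12}

# The only services the Internet may reach, one per line: proto port dmz-host.
# Both the DNAT and the matching FORWARD rule are generated from this list,
# so a port is either published in both tables or in neither.
published_services() {
    cat <<EOF
tcp 80 $WEB_IP
tcp 53 $DNS_IP
udp 53 $DNS_IP
tcp 25 $MAIL_IP
EOF
}

# Print the complete ruleset in iptables-restore format.
gateway_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # NAT: LAN and DMZ hosts leave through the Gateway's public address
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "-A POSTROUTING -s $DMZ_NET -o $WAN_IF -j MASQUERADE"
    # Port forwarding: only the published ports are redirected into the DMZ
    published_services | while read -r proto port host; do
        echo "-A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $host:$port"
    done
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'      # default deny: anything not listed below is dropped
    echo ':OUTPUT ACCEPT [0:0]'
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Management of the Gateway itself is possible from the LAN only
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # LAN may reach the Internet and the DMZ servers
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT"
    # DMZ may reach the Internet (outbound mail, DNS lookups), but there is
    # deliberately no DMZ -> LAN rule: a compromised public server must not
    # get a path to the workstations and the company's data
    echo "-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT"
    # Internet -> DMZ: exactly the published ports, matching the DNAT above
    published_services | while read -r proto port host; do
        echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $host -p $proto --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Running the script prints the ruleset; apply it on the Gateway with:
#   sysctl -w net.ipv4.ip_forward=1 && sh gateway.sh | iptables-restore
gateway_ruleset
```

Because both the nat and the filter rules are generated from the same list, the DNAT in one table and the ACCEPT in the other cannot drift apart, which is the usual cause of a forward that is configured but does not work, or of a port left reachable beyond what was intended. The filter table also makes the DMZ design explicit: a server in the DMZ can answer the Internet and the LAN, but can never open a connection into the LAN.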