Networking Question

Scootin159

Diamond Member
Apr 17, 2001
3,650
0
76
I'm no networking expert, but am trying to maintain a quickly growing network at our small office. We believe we have a rather simple 'flaw' in our network, but are unsure what the 'fix' is. We're willing to buy whatever hardware we need, but don't know what that is.

We have a T1 line, which allows us the public static IP range: 216.#.#.144/29. We then have this tied into a simple "residential-grade" switch ("the switch").

One port of "the switch" goes into a Linksys WRT54G router ("LAN" side - 192.168.30.1), which then has one of its "LAN" ports connected via a crossover cable to the "WAN" port (216.#.#.146). We are using the WRT54G as a local router, managing all WAN traffic, which is sent through the router (192.168.30.1) to our WAN gateway (216.#.#.145).

"the switch" then has two ports going to two other switches in different parts of the building, each hosting public IPs (216.#.#.#) and private IPs (192.168.30.#). It also has a few (3) local devices tied into it (192.168.30.#).

-----------------------------------------------------------------

What we are wondering is:

1) Is there a security concern with having our private IP traffic and public IP traffic essentially all tied into the same switches?

2) What equipment do we need to replace "the switch", which will allow us all the routing we currently have, yet can be more secure?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Your problem is using consumer gear in a business setting. Get a real firewall that supports multiple WAN IPs and can do 1-1 NAT. You should have all public serving devices on a different network segment than your private computers, usually a DMZ zone with a firewall in between the DMZ and your private network. With a proper firewall, this can all be configured fairly easily. I won't recommend any products simply because I've only had experience with Watchguard firewalls so I can't compare them to others, but I'm sure one of many devices from Cisco, Watchguard, or Sonicwall will do the job.
 

Slowlearner

Senior member
Mar 20, 2000
873
0
0
Some more info on your network would be useful like:

1. Server/client set up - total number of users
2. Are you hosting a web site/email/ftp site
3. OSs used
4. What do you mean by other switches hosting public IPs?
5. Are you using static IPs?

Normally the T1 box would connect to a central switch, that could be a simple unmanaged switch, that provides network connectivity to all PCs connected to it. What function is the router providing? Why is it even needed?

This looks like an ad hoc network that has been expanded as needed, but may now require to be re-worked.
 

Scootin159

Diamond Member
Apr 17, 2001
3,650
0
76
We used to have something similar to that:

T1 -> <DMZ switch> -> WRT54G -> <private network>

We then had all our "public" devices plugged into the "DMZ switch", and all our "private" devices plugged into the "private switch".

The problem we ran into was that we had equipment that needed to be physically located on "private network", but logically needed to be on the DMZ. We wanted to avoid having to double all our network infrastructure (running a 2nd set of cables to all physical locations, with a second DMZ switch at each), so the simple solution was to essentially put a jumper cable between the "DMZ" and the "private" network.

We're not using the residential hardware because it's what we feel is the best solution, it's just because it's what we had lying around. We are interested in getting "business class" equipment, but aren't sure what equipment we need.

Ideally we would have (bold is items we're looking to replace)

T1 -> <DMZ switch> -> **DEVICE** -> (all below)
-> <private switch> -> a few private devices
-> WRT54G (for 4 or 5 WiFi clients)
-> <long cable run> -> <unmanaged switch> -> public & private devices
-> <long cable run> -> <managed switch> -> public & private devices

What I'm wondering is what type of "device" am I looking for to fill in the "**DEVICE**" location and "unmanaged switch", that would allow me to have separate private & public networks - yet have devices from each plugged into the remote switches, but not have to duplicate the "long cable runs".

Would replacing the unmanaged switch with a managed switch allow the two "separate but joined" networks? What's the "feature" I'm looking for here?
Is it inevitable that we'll need to duplicate the cable runs?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
One port of "the switch" goes into a Linksys WRT54G router ("LAN" side - 192.168.30.1), which then has one of its "LAN" ports connected via a crossover cable to the "WAN" port (216.#.#.146).

Your main problem seems to be this right here. The way you tell it, it sounds like you've got your LAN network segment working in two subnets (both the public 216. and your private 192.168.30.0/24). That's bad.

Your best bet would be to hire someone who specializes in network design to come and implement this for you and bring all of the appropriate hardware.

What I would recommend, however, is to do this:

1) Buy a Cisco ASA5505.
2) Connect it like this: ISP's T1 Router should connect directly into "outside" interface of ASA5505, "inside" interface of ASA5505 can be connected into your network of switches.
3) Configure overloaded dynamic NAT for all of your inside clients.
4) Configure static NATs for any devices/servers that need them (you can do this in a DMZ if you want, but you probably don't need to).

Again, I recommend you hire someone to do this for you.

Your main problem is that your network diagram has your public network on the same physical segment as your private network. That's not good. For your purposes, you would be best served using static NATs to allow public access to those servers and devices that need it.
 

Scootin159

Diamond Member
Apr 17, 2001
3,650
0
76
Originally posted by: Slowlearner
Some more info on your network would be useful like:

1. Server/client set up - total number of users
2. Are you hosting a web site/email/ftp site
3. OSs used
4. What do you mean by other switches hosting public IPs?
5. Are you using static IPs?

Normally the T1 box would connect to a central switch, that could be a simple unmanaged switch, that provides network connectivity to all PCs connected to it. What function is the router providing? Why is it even needed?

This looks like an ad hoc network that has been expanded as needed, but may now require to be re-worked.

Using this diagram (and the reference points in it):

T1 -> <DMZ switch> (A) -> **DEVICE** -> (all below)
-> <private switch> -> a few private devices (B)
-> WRT54G (for 4 or 5 WiFi clients) (C)
-> <long cable run> -> <unmanaged switch> -> public & private devices (D)
-> <long cable run> -> <managed switch> -> public & private devices (E)

1) we would have:
point A: nothing really, yet
point B: just a few private devices (phone system, etc.)
point C: just a few wifi clients
point D: 20-25 workstations with private IP#'s, 2 of which ALSO have public static IP#'s, a few other devices w/ private IP #'s (printers, etc.)
point E: 5-6 servers, some with private IP#'s, some with public IP#'s, some with both

2) Yes, point E has numerous public services on it (HTTP, FTP, VPN, etc.)

3) Servers are about 50/50 Windows & Linux, workstations about 90% Windows

4) We have machines on points D & E which need public IP#'s

5) Yes - all public IP#'s are static, some local IP#'s are static, some are dynamic. We are running our own DHCP and DNS servers (Linux servers).

You're right in that it's pretty ad hoc, and has been pieced together over time. At one point it was just a few PCs using Windows Internet Connection Sharing to share a 56k modem. It's grown a bit since then.
 

Scootin159

Diamond Member
Apr 17, 2001
3,650
0
76
Originally posted by: drebo
One port of "the switch" goes into a Linksys WRT54G router ("LAN" side - 192.168.30.1), which then has one of its "LAN" ports connected via a crossover cable to the "WAN" port (216.#.#.146).

Your main problem seems to be this right here. The way you tell it, it sounds like you've got your LAN network segment working in two subnets (both the public 216. and your private 192.168.30.0/24). That's bad.

Your best bet would be to hire someone who specializes in network design to come and implement this for you and bring all of the appropriate hardware.

What I would recommend, however, is to do this:

1) Buy a Cisco ASA5505.
2) Connect it like this: ISP's T1 Router should connect directly into "outside" interface of ASA5505, "inside" interface of ASA5505 can be connected into your network of switches.
3) Configure overloaded dynamic NAT for all of your inside clients.
4) Configure static NATs for any devices/servers that need them (you can do this in a DMZ if you want, but you probably don't need to).

Again, I recommend you hire someone to do this for you.

Your main problem is that your network diagram has your public network on the same physical segment as your private network. That's not good. For your purposes, you would be best served using static NATs to allow public access to those servers and devices that need it.

We'd prefer not to hire anyone, if for nothing more than we want to understand its inner workings, so that we can "upgrade" or "modify" it however we want in the future, on our own.

What you're describing sounds like it will work, but is a new idea to me. Are "static NATs" basically a setup where all our servers (public or private) would have private IP#'s (192.168.30.0/24), but then the "NAT" would map "216.x.x.___" to "192.168.30.____", so that any outside traffic sent to the public IP # would magically be sent to the correct corresponding private IP#?

I'm plenty familiar with using the WRT54G's "port-based" NAT forwarding, this sounds like much the same thing, but is "IP-based", is this true?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Yes, a NAT is a network address translation. Basically, your router/firewall/whatever takes an incoming IP address and "remaps" it to another IP address. It's a bit more technical than that, but that's the gist of it.

On a Cisco ASA, you have quite a bit of flexibility as far as NAT goes. On the WRT54G, you can only have a single public IP address, and thus everything inbound to that WAN connection can only be redirected in one way...basically, you have one IP address and you can say "for this port, I want it to go to this computer". With a Cisco ASA, you can say "for this port on this IP address, I want it to go to this port on this computer, but only if it comes from this source network".

Now, obviously you probably don't need something that elaborate. The Cisco ASA will allow you to have multiple public IP addresses and NAT them in many different ways. So, you can say "I want all 192.168.30.0/24, regular traffic to go out 216.x.x.145" -- that's your dynamic NAT. Then you can specify "Internal IP 192.168.30.23 should be mapped to external IP 216.x.x.146", for instance. Internal computers will access that computer as 192.168.30.23, while external computers will get to it from the 216.x.x.146 IP address, never being the wiser.

On top of that, it's generally considered bad practice to put a server directly on a public network. Using NAT, I can mask it and only provide access to those ports and services which I deem necessary for the public to access (you can do this without NAT, too, but that's a topic for another story).

So, my recommendation stands as it was in my last post. Get a Cisco ASA and configure your NATs. That'll consolidate everything, so you're not routing the public internet all over your private network, and will give you one centralized point of access to all of your resources.

Edit: Also, about not hiring someone because you want to be "in the know" about all of it...any self-respecting network tech would give you a detailed report of exactly what he's doing, as well as the access passwords for any equipment he installed. Just saying
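A small stateful model of the two translation types described in this post: overloaded dynamic NAT sending 192.168.30.0/24 out through the .145 address, and a static 1:1 map of the .146 address to 192.168.30.23 that only exposes chosen ports to chosen source networks. This is an added example, not code from the thread or from any Cisco product; the public addresses use constructed placeholder octets for the ones the thread masks (216.#.#.x), and the per-port inbound allow list is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Address plan from the thread. The middle octets of the public /29 are masked
# in the thread; the "0.0" here is a constructed placeholder, not a real block.
INSIDE_NET = ip_network("192.168.30.0/24")
PAT_OUTSIDE = "216.0.0.145"                    # dynamic (overloaded) NAT address
STATIC_MAP = {"216.0.0.146": "192.168.30.23"}  # static 1:1 NAT: public -> private
# Assumed inbound policy for the statically mapped server: destination port ->
# source network allowed to reach it. Anything else addressed to it is dropped.
ALLOWED_INBOUND = {80: ip_network("0.0.0.0/0"), 22: ip_network("203.0.113.0/24")}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Stateful NAT: outbound flows create PAT entries, inbound must match one."""

    def __init__(self) -> None:
        # (inside ip, inside port, remote ip, remote port) -> translated source port
        self._pat: Dict[Tuple[str, int, str, int], int] = {}
        self._pat_rev: Dict[int, Tuple[str, int, str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if ip_address(pkt.src) not in INSIDE_NET:
            return None  # drop: spoofed or misrouted source on the inside interface
        for public, private in STATIC_MAP.items():
            if pkt.src == private:  # statically mapped hosts keep their fixed public IP
                return Packet(public, pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._pat:  # new flow: allocate a translated source port
            self._pat[key] = self._next_port
            self._pat_rev[self._next_port] = key
            self._next_port += 1
        return Packet(PAT_OUTSIDE, self._pat[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst in STATIC_MAP:
            allowed = ALLOWED_INBOUND.get(pkt.dport)
            if allowed is None or ip_address(pkt.src) not in allowed:
                return None  # port not exposed, or source network not permitted
            return Packet(pkt.src, pkt.sport, STATIC_MAP[pkt.dst], pkt.dport)
        if pkt.dst == PAT_OUTSIDE:
            flow = self._pat_rev.get(pkt.dport)
            if flow and flow[2] == pkt.src and flow[3] == pkt.sport:
                return Packet(pkt.src, pkt.sport, flow[0], flow[1])  # reply to known flow
        return None  # unsolicited traffic to the shared address is dropped
```

Internal hosts still reach the server as 192.168.30.23, while outside hosts only ever see 216.0.0.146 on the ports the policy opens.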
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
I second this vote, you need a business firewall. Look into a Sonicwall TZ170 (I believe), you hook your T1 into the WAN of the firewall and then hook a larger switch into the LAN of the firewall. You then configure the 1 to 1 NAT going from whatever public IP you want to whatever the private IP is so that ALL machines are still going through the firewall. If you have a connector between the private network and the public, that does you no good whatsoever??? The private network is to keep unwanted traffic (viruses, network scans, hackers, etc) out of your network. You really need to just hire a small business consultant to come in and redo this stuff for you and get it set up the correct way. The topology you want is this: Telco Dmarc > T1 CSU/DSU > T1 router > Sonicwall TZ170 firewall (or whatever business firewall you want) > Large Switch > ALL network computers.
 

Scootin159

Diamond Member
Apr 17, 2001
3,650
0
76
That sounds like a great solution. Now to throw a monkey wrench in there... do you know what equipment besides the Cisco ASA has similar functionality? What has good reliability, easy configuration, etc?

Most of the equipment I've seen is flaunting features like VPNs, mail filters, web filters, etc, none of which we're interested in (we already have all of those that we need set up in other equipment). Really all we need is the advanced NAT functionality you mention, the rest is just a waste of $$$ and extra complexity. We also only need T1-spec throughput (1.5Mbps), 4 static NAT users, and probably 100 dynamic NAT users.

Also, something with an internal 8-port gigabit switch would be great - we're trying to upgrade our network to gigabit levels while we're at it, and if we had an 8-port hub at that connection point, we could save having to buy an additional piece of hardware.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Sonicwall, Draytek, a Cisco 800-series router, Watchguard...Tons of people make them.

I recommend the Cisco ASA for two reasons...#1, I'm a Cisco guy, it's what I'm certified in, it's what we use, and it's what I'll always recommend...and #2, it's readily available and has all of the features you need without having to pay for support. Sonicwall will pretend you don't exist if you don't have a support contract.

Also, I've always found Cisco equipment to just plain work better than the competition. We've got a router here going on 3 years of uptime. Besides, they're not really THAT expensive: http://www.newegg.com/Product/...x?Item=N82E16833120076 . For the lack of headache you'll have after you get this up and running, it's definitely worth the extra $100 over the Sonicwall. And Cisco's ASDM is a very nice interface.

This device does have an 8-port managed switch on it, though I wouldn't recommend using it. You'll want to get a separate gigabit switch. You won't find any business-grade equipment that has an integrated gigabit switch anyway.
 

Slowlearner

Senior member
Mar 20, 2000
873
0
0
Ok I see what the WRT54G is for.

While I tend to agree with you about understanding what does what - because I have been fed mis-information too many times - in your case a VAR might be able to help you select the hardware combination that suits your needs. I think a business class router and a managed switch combination could perhaps help you set up a more robust and secure network. But there are too many unknowns for us to suggest the best option.

So pick a vendor - say Linksys - and find a local VAR to take a look at your setup and suggest what hardware you need.
 

Scootin159

Diamond Member
Apr 17, 2001
3,650
0
76
When they say "10 user" or "25 user", what are they calling a "user"? Is that "machines", as in private IP addresses, or is that solely for the built-in VPN software? If we have no intentions of using the VPN or "deep-packet" filtering software, only the NAT stuff mentioned above, is there any reason for us not to just get a "cheap" model like the Sonicwall TZ150?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
My personal experience with Sonicwall equipment is that it's terrible. Half the time it just plain doesn't work. And forget about trying to use SIP through it.

When something says "10 users" or "25 users", they're generally referring to the number of simultaneous static and dynamic NAT translations. So, a 10 user license means that you can have 10 simultaneous NAT translations at a time...so, you can technically have as many PCs behind it as you want, only 10 at a time will get internet access.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
If your company insists on having somebody inside with competency in this area, then how about the following plan:

Bring somebody competent in to design and securely implement an "industry standard" solution. Have her/him document what is done. This will give you an efficient and safe network that will keep your business from being "owned".

Then, have somebody (presumably, you) begin a formal training plan to acquire competency in network and server configuration. This isn't something that can be acquired by asking a list of questions on a networking forum.

The "problem" with this plan is the cost (in time and money) of acquiring these skills. Unless they are going to be used all the time, you may find it much cheaper to just bring in an outsider as needed. You don't have to pay for his/her training, benefits, vacations, and retirement.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
You REALLY need to hire a networking technician to come in and take care of this. Your comment about wanting to know the inner workings, he can guide you through what he's doing, give you recommendations, and when he's done, give you all the paperwork, everything for it. If you have questions later, he's basically your point man. Unless you yourself are certified and have done networking for many many years, get someone who knows what they're doing. That's what they're there for. Once your network is up and running the way it should be, unless a problem happens, you shouldn't have to worry about it much after that. But you not knowing the very basics of a lot of this technology, this isn't something you can just pick up a book and learn in a week. Small business network consultants do this very thing every day, that's why companies pay them. Listen to everybody on this, we're all saying the same thing, there's a reason for it. As rebatemonger pointed out, what's the point in having someone in the company learn these skills if they're not going to be used everyday. Hire someone to come in and do this, please.

Also, as others have pointed out, you're basically trying to take home based network equipment (and knowledge) and apply it to a business. This is why you're having problems, a business requires more stable hardware, that's why it's much more expensive. Home based networking knowledge is also very different. This is also why there are small business consultants, they're trained and certified to handle the needs of small businesses that need business equipment but can't afford the equipment that fortune 500 companies can and don't have the internal IT staff to manage it.
 