Dual WAN + Dual LAN Network Design suggestions

  • We're setting up the infrastructure at a new building at work.

    This post is, in a manner, double-checking that I'm doing this right, so to speak. If you feel that things could be done in a better way, then please speak up, as I'd love to hear about it.

    I've attached the topology diagram. The diagram uses the Red, Orange, Blue and Green networks to describe WAN, DMZ, LAN and Wireless Access respectively.

    Quick description of the network:

    We have 2 WANs: one is 4Mb + static IP and another is 2Mb. Work is also divided into 3 subnets, one grouping the "employees", the second for the "managers" and the third grouping the local green network resources. The managers network (Subnet 1) is small, comprising about 5 PCs of light internet users, but due to historic issues they need a reasonable speed (in the part of the world where I work, 2 Mb is pretty good) and they are the only ones that will connect on this WAN.

    The second subnet comprises about 20 PCs.

    The third subnet on the green side comprises servers that have little to no interaction with the world outside: the Bacula backup server and a FreeNAS. In the future, we might implement a remote dump of the differential backups made on a nightly basis. There are also 2 network printers, not on the diagram, included in this subnet.

    The DMZ contains the following servers:
    1. The Web server hosts the websites and portals; access is from both sides of the firewall.
    2. The CCTV DVR, which records the surveillance cameras' output and needs to be accessible by specific members of the domain from both sides of the firewall.
    3. The Exchange email server which is doubled up with the W2K8 local DNS + AD PDC (I don't like exposing this in this way). Exchange email needs to be accessed from the red side of the firewall via OWA.

    I do have some questions:

    1. If we harden the W2K8 server and only open up the ports needed by OWA, could I consider the PDC secure?
    2. How would PPTP VPN work in this case? (Only some managers and System Administrators (on subnet 2) can VPN)
    3. If the remote dump is implemented, there would be no need to alter the rules save to allow the computer performing the remote dump access to the internet (but of course not to be accessed), right?

    Blue side computers have no access to the local resources but can only access the internet via Wan1.

    Thanks in advance!

