Hello,

    I have designed four different network layouts.  The network shows a colocation and my office connected both to the Internet.  The systems at the colocation facility serve as web servers with some ftp and scp access.  There is a need for at least one other service system to do things such as dns, email relaying, etc.  I expect no incoming internet access to this system.

    The dmz lan is an rfc1918 lan and firewall A uses VIP addresses with a 1:1 nat into the systems in the dmz.

    I also need there to be a vpn between my office and the colocation network.  This vpn would allow me complete access to the systems on the network.  I just wonder which network design is better, and/or if there is some sort of best practice I could use.

    Drawing number one is the current network: in theory, the firewall rules allow only web traffic and the ipsec vpn to terminate.  However, I need some sort of Core lan, that would allow things such as backups, nfs mounts etc.  I hesitate to use the dmz lan for this, even though it's "firewalled", thus drawing two:

    Drawing two is another idea of mine: the vpn terminates on firewall b and the core lan is only accessible via the ipsec vpn to my office.  My perceptions are:

    • if fwA or the LAMP server is hacked, access is only granted to the dmz

    • however, since fwA forwards ipsec to fwB, fwB is directly exposed to the internet via the ipsec ports. So is my previous perception false?

    Drawing three probably defeats the purpose of having a second firewall: if the LAMP server is compromised, then the Core lan is accessible.

    Drawing four adds an additional layer: a second ipsec tunnel encapsulated within the first ipsec tunnel. The first tunnel is between the exterior firewalls of both my office and colo. The second tunnel connects between the second layer firewalls and traverses through the first vpn tunnel.

    Is it possible to have an ipsec tunnel within a second one, and is drawing four too complicated?

    I welcome any of your suggestions.
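One way to reason about the two perceptions above (what a compromised LAMP server can reach, and what fwB exposes to the internet) is to write the zone-to-zone policy down and compute reachability from a chosen foothold. The script below is an added example and not the poster's own configuration; the zone names follow the post, but the rule sets for "drawing two" and "drawing three", the service names, and the assumption that backups are initiated from the core side are all constructed for illustration.

```python
"""Zone-reachability model for the DMZ / core LAN designs discussed in the post.

This is an added example, not the poster's firewall configuration. Zones follow
the post (internet, office, dmz, core, fwA, fwB); the rule tables, service names
and backup direction are constructed assumptions.
"""
from collections import deque

# Each rule is (source zone, destination zone, service) and means "the policy
# allows this service from source to destination".
POLICIES = {
    # Drawing two: VPN terminates on fwB, core LAN reachable only through the tunnel.
    "drawing_two": [
        ("internet", "dmz",  "http"),
        ("internet", "dmz",  "https"),
        ("internet", "fwB",  "ipsec"),   # fwA forwards IKE/ESP straight to fwB
        ("office",   "fwB",  "ipsec"),
        ("fwB",      "core", "any"),     # decrypted tunnel traffic enters the core LAN
        ("core",     "dmz",  "ssh"),     # backups pulled from the core side (assumed)
    ],
    # Drawing three: LAMP server in the DMZ is allowed to mount from the core LAN.
    "drawing_three": [
        ("internet", "dmz",  "http"),
        ("internet", "dmz",  "https"),
        ("internet", "fwA",  "ipsec"),
        ("office",   "fwA",  "ipsec"),
        ("fwA",      "core", "any"),
        ("dmz",      "core", "nfs"),     # the rule that lets a DMZ compromise spread
        ("core",     "dmz",  "ssh"),
    ],
}

# Services that let an attacker who controls the source zone operate in the
# destination zone once the service or host is abused. IPsec is deliberately
# not in this set: reaching IKE/ESP on a firewall is attack surface on that
# firewall, not a path into the tunnel, so it is reported separately.
PIVOT_SERVICES = {"http", "https", "ssh", "nfs", "any"}


def analyse(rules, foothold):
    """Return (zones reachable from the foothold, (zone, service) pairs merely exposed)."""
    reached = {foothold}
    exposed = set()
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for s, d, svc in rules:
            if s != src:
                continue
            if svc in PIVOT_SERVICES:
                if d not in reached:
                    reached.add(d)
                    queue.append(d)
            else:
                exposed.add((d, svc))
    return reached, exposed


def report(name, foothold):
    """Human-readable summary for one drawing and one starting foothold."""
    reached, exposed = analyse(POLICIES[name], foothold)
    lines = [f"{name}, attacker starting in '{foothold}':",
             f"  zones reachable : {sorted(reached)}",
             f"  services exposed: {sorted(exposed)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name in POLICIES:
        print(report(name, "dmz"))       # compromised LAMP server
        print(report(name, "internet"))  # unauthenticated internet attacker
        print()
```

Running it shows the two effects the post is worried about: in drawing three a foothold in the dmz reaches the core LAN through the nfs rule, while in drawing two it stays in the dmz; and in drawing two the internet reaches fwB's ipsec service, which is exactly the exposure the second bullet describes. Adding a rule to a table and re-running is a quick way to check whether a proposed backup or nfs path reopens the dmz-to-core pivot.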