Best Practice Network Design

This is a template for a best practice network design. It is a deviation from the traditional dual skin firewall plus DMZ design. My opinion is that this one is more practical and secure (I never understood or saw the benefit of dual skin). This is my first doodle of it in PowerPoint; the initial one was a drawing on a napkin.
  • All unused ports must be disabled!!!
  • Routers should be used to bin (drop) generic classes of undesired traffic before it reaches any firewall. Routers should be intelligently and securely configured; they are another security skin and should be leveraged!
  • The company uses private (RFC 1918) IP addresses on the internal and DMZ networks. The external router drops any inbound packet with a private source address, while the internal core drops any connection whose originating address is an Internet (public) IP. The external router also drops any protocol that is not provisioned in the DMZs.
  • All third parties are connected with IPsec tunnels to their remote location, terminated in a DMZ.
  • A choke VLAN exists that enforces a single inspection point for IDS and IPS systems.
  • The servers in the data center are protected by a separate firewall. Each business unit's servers are in their own VLAN, i.e. HR servers cannot connect to Finance servers without an explicit rule in the data center firewall. This firewall has no NAT, only a rule base (default deny).
  • External connections are facilitated via reverse proxies hosted in a DMZ.
  • Email is relayed via a bridgehead in a DMZ. Mail scrubbing services such as Mimecast or MessageLabs are used in front of it.
  • DNS is forwarded to OpenDNS.
  • Workstations are separated into VLANs based on business unit. The core drops any inbound SMB/CIFS traffic to the workstation VLANs. This stops worms and Trojans that spread via file shares in their tracks and prevents information leakage. (Note that traffic between two hosts in the same VLAN never crosses the core, so this does not stop spread within a single workstation VLAN.)
  • On the inside networks all routing protocol exchanges are authenticated, especially routes between the firewalls and the core.
  • A separate network management VLAN should exist, accessed off the core and protected by ACLs. This VLAN should not sit behind a firewall, so that a firewall failure or misconfiguration cannot lock administrators out of the network devices.
  • The management VLAN should contain jump servers, which are the designated point from which to access all network device and firewall consoles.
  • Don't publish the intranet on port 80; use ports 8080 to 8090 instead. This makes intranet traffic distinguishable from general web traffic in firewall rules and filtering.
  • Use the URL filtering capabilities of the firewall, backed up by OpenDNS categories. Don't use proxies.
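The drop rules above (private source addresses at the external router, Internet sources and SMB/CIFS into workstation VLANs at the core, default deny with explicit permits at the data center firewall) interact, and the order in which a packet meets them matters. The following is an added example, not code from the original post: a small Python model of those three filtering layers that can be run offline to check what a given packet would do. The addressing plan, the list of services provisioned in the DMZs, and the data center rule base are all assumptions made up for this example; the post does not specify them.

```python
"""Model of the "bin" (drop) rules in the design above.

Added example, not from the original post. The VLAN addressing, the DMZ
provisioned services and the data center rule base are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addressing plan (assumption; the post gives no addresses).
VLANS = {
    "hr-ws": ipaddress.ip_network("10.10.0.0/16"),    # HR workstations
    "fin-ws": ipaddress.ip_network("10.11.0.0/16"),   # Finance workstations
    "hr-srv": ipaddress.ip_network("10.20.1.0/24"),   # HR servers (data center)
    "fin-srv": ipaddress.ip_network("10.20.2.0/24"),  # Finance servers (data center)
}
WORKSTATION_VLANS = {"hr-ws", "fin-ws"}
SERVER_VLANS = {"hr-srv", "fin-srv"}

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services the DMZs are provisioned for, as seen at the external router
# (assumption): reverse proxy, mail bridgehead, IPsec IKE/NAT-T and ESP.
DMZ_PROVISIONED = {("tcp", 443), ("tcp", 25), ("udp", 500), ("udp", 4500), ("esp", 0)}

SMB_CIFS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Data center firewall rule base (assumption): (src_vlan, dst_vlan, proto, dport).
# No NAT, and anything not listed here is denied.
DC_RULES = {
    ("hr-ws", "hr-srv", "tcp", 445),    # HR staff reach HR file servers
    ("fin-ws", "fin-srv", "tcp", 443),  # Finance staff reach the Finance web app
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "esp"
    dport: int   # 0 for protocols without ports


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def vlan_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def external_router(pkt: Packet) -> Optional[str]:
    """Internet-facing router ACL. Returns a drop reason, or None to pass."""
    if is_private(pkt.src):
        return "external router: private source address on Internet interface"
    if (pkt.proto, pkt.dport) not in DMZ_PROVISIONED:
        return f"external router: {pkt.proto}/{pkt.dport} not provisioned in any DMZ"
    return None


def internal_core(pkt: Packet) -> Optional[str]:
    """Core ACLs on inter-VLAN traffic. Traffic between two hosts in the same
    VLAN never crosses the core, so these rules do not see it."""
    if not is_private(pkt.src):
        return "core: Internet address as originating source on inside network"
    if vlan_of(pkt.dst) in WORKSTATION_VLANS and (pkt.proto, pkt.dport) in SMB_CIFS:
        return "core: SMB/CIFS into a workstation VLAN"
    return None


def datacenter_firewall(pkt: Packet) -> Optional[str]:
    """Data center firewall: default deny, explicit permits only."""
    rule = (vlan_of(pkt.src), vlan_of(pkt.dst), pkt.proto, pkt.dport)
    if rule in DC_RULES:
        return None
    return f"data center firewall: no rule permits {rule}"


def evaluate(pkt: Packet, from_internet: bool) -> str:
    """Walk the packet through the layers it would traverse, in order."""
    if from_internet:
        stages = [external_router]
    else:
        stages = [internal_core]
        if vlan_of(pkt.dst) in SERVER_VLANS:
            stages.append(datacenter_firewall)
    for stage in stages:
        reason = stage(pkt)
        if reason:
            return "DROP (" + reason + ")"
    return "PERMIT"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        (Packet("10.1.2.3", "203.0.113.10", "tcp", 443), True),     # spoofed private src
        (Packet("198.51.100.7", "203.0.113.10", "tcp", 3389), True),  # RDP not provisioned
        (Packet("10.10.5.5", "10.11.0.9", "tcp", 445), False),       # SMB HR ws -> Finance ws
        (Packet("10.10.5.5", "10.20.1.10", "tcp", 445), False),      # SMB HR ws -> HR server
        (Packet("10.20.1.10", "10.20.2.10", "tcp", 1433), False),    # HR srv -> Finance srv
    ]
    for pkt, ext in samples:
        print(pkt, "->", evaluate(pkt, ext))
```

The point of running a packet through the stages in order is that a rule base audit should check the whole path: the HR server to Finance server attempt above is permitted by the core and only dies at the data center firewall, exactly as the design intends, while SMB into a workstation VLAN never gets that far.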

    Here is a more complex systems design with multiple firewalls:


  1. I'm intrigued but not sure what you mean by "binning" things. It's not a term I'm understanding. Explain that? Fascinating idea.

  2. Binning = Dropping the traffic

  3. Everything seems perfect, but why not use a proxy for web content filtering?

  4. I agree; don't use a proxy because it requires unnecessary maintenance and cost. Outsource to OpenDNS or another cloud provider.
