
I have the following proposed network design that I will be implementing.

  1. All connections for the server and the PCs go through an All-in-One Cisco firewall.
  2. Only one high-end server will be used. The server has two NICs.
    Virtualization will be used.
  3. The firewall's DMZ0 network port is connected to the server.
    (The virtualized HTTP server will use this port.)
  4. The PCs are connected to a switch that hangs off the firewall; this network is private.
  5. The server's other NIC port is connected to that switch; the servers that are not exposed to the DMZ network will use it.

Questions:

  1. I've been playing with virtualisation software for this setup; will Xen Cloud Platform work for this diagram?
  2. Will this physical separation of the network using two NICs work for the server?
    Will it work with Xen Cloud Platform?
  3. Are there other problems that I may face with this setup?

Network Diagram

voretaq7
ericlee

1 Answer


Thoughts:

  1. You should be using the two NIC ports for link aggregation (aka teaming).
  2. Use vLANs if you think you need traffic segregation; I don't think you do at this size/complexity.
  3. Xen is great and all, but half of installations are VMware's ESXi, and most of the rest are Hyper-V. Linux's KVM is a red-headed step child, and Xen is lucky to be mentioned on most industry reports.
  4. I'm not sure what the limitations of that router are, but it's meant for SOHO. Connection limits are the first problem people run into (that and not working the way it's supposed to, but that model isn't infamous or anything to my knowledge).
Chris S
  • Is VLAN the best way for segregation, instead of physical separation with two NICs? I'm looking at exposing a certain portion of my server to the DMZ network. For example, in the diagram, the HTTP server will be exposed while the rest of them are not. – ericlee Aug 06 '13 at 13:56
  • There's really no such thing as "best" in the world of IT. vLANs provide a great deal of flexibility, but also require device support, and are generally more complicated than physical separation. Usually you don't expose a whole server (or VM), but rather use the router to forward certain ports. If it's a website, usually TCP Port 80 and 443 are all you really need/want. – Chris S Aug 06 '13 at 14:09
  • Great, dude, thanks for your help! The reason why I would like to place certain servers on the DMZ instead of the private network and port-forward is to do network separation. If the server ever gets compromised, it will not be able to attack my private network. – ericlee Aug 06 '13 at 14:22
  • I think you mean a "red-hatted step child..." – Michael Hampton Aug 06 '13 at 17:51
  • @ericlee I would definitely go the vLAN route - one day you might want to carve up your environment into more than two network zones, and vLANs would allow you to do that without needing to change your hardware configuration. If you've bought a decent managed switch it should have 802.1Q vLAN support. If it doesn't a suitable gigabit switch can be had for relatively low cost. – voretaq7 Aug 06 '13 at 17:54
  • Even if the switch doesn't support vLANs, it's not necessary in this setup (though preferable for security reasons, related to people already inside your network doing stupid things, not an external hacker getting in). – Chris S Aug 06 '13 at 18:05
  • Thanks, dude! I'll check whether the Cisco ISA500 series allows a VLAN DMZ instead of a physical port. Thx – ericlee Aug 06 '13 at 18:08
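The two points raised in the answer's comments (forward only TCP 80/443 from the outside to the web VM, and make sure a compromised DMZ host cannot reach the private LAN) can be checked against a zone policy before it is loaded onto the firewall. This is an added example, not code from the question or from any Cisco or Xen product; the zone names, the rule list and the first-match-wins semantics are constructed assumptions about the design in the diagram.

```python
"""Zone-policy check for the DMZ design above (constructed example, not firewall code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any TCP port
    action: str              # "allow" or "deny"


# Constructed policy for the three zones in the question: WAN (Internet),
# DMZ (the virtualised HTTP server) and LAN (the PCs behind the switch).
# First matching rule wins; anything unmatched is implicitly denied.
POLICY = [
    Rule("WAN", "DMZ", 80, "allow"),    # only the web ports are forwarded in
    Rule("WAN", "DMZ", 443, "allow"),
    Rule("LAN", "DMZ", None, "allow"),  # PCs may administer the web VM
    Rule("LAN", "WAN", None, "allow"),  # PCs browse the Internet
    Rule("DMZ", "LAN", None, "deny"),   # a compromised web VM must not reach the LAN
    Rule("DMZ", "WAN", 80, "allow"),    # web VM may fetch updates
    Rule("DMZ", "WAN", 443, "allow"),
]

# A misconfigured variant where someone "temporarily" opened DMZ -> LAN.
BAD_POLICY = [Rule("DMZ", "LAN", None, "allow")] + POLICY


def decide(policy, src, dst, port):
    """Return the action for a flow from zone src to zone dst on a TCP port."""
    for r in policy:
        if r.src_zone == src and r.dst_zone == dst and (r.dst_port is None or r.dst_port == port):
            return r.action
    return "deny"  # implicit final deny


def dmz_is_isolated(policy, probe_ports=(22, 80, 443, 445, 3389)):
    """True when no probed port is allowed from the DMZ into the private LAN."""
    return all(decide(policy, "DMZ", "LAN", p) == "deny" for p in probe_ports)


def exposed_ports(policy, probe_ports=range(1, 1025)):
    """Well-known ports reachable from the Internet on the DMZ web VM."""
    return sorted(p for p in probe_ports if decide(policy, "WAN", "DMZ", p) == "allow")


if __name__ == "__main__":
    print("exposed:", exposed_ports(POLICY), "isolated:", dmz_is_isolated(POLICY))
    print("bad policy isolated:", dmz_is_isolated(BAD_POLICY))
```

Run the same checks against the policy exported from the real firewall (or the vLAN ACLs if the DMZ is a tagged segment rather than a physical port) whenever a rule is added, so the isolation the question is counting on does not silently erode.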