I have a LAN that will host an EXTRANET site with 5 servers, and 2 Exchange edge servers. The LAN will service an office in a 5 story building with about 100-200 users on each floor. Each floor will have its own set of switches in supply closets.

After the initial deployment, we expect the number of servers to grow. While examining some DMZ network maps, I noticed some of the models had just two firewalls. Others had a 2-firewall solution including routers in both the private network and the perimeter network.

What reason would a network want a router in the private network and inside the DMZ for the public facing servers? Does it provide any security benefit? I assume it would be a management benefit of some kind on a larger LAN. Another assumption I had on why a router would be in the DMZ would be if the server only had a single NIC, or if you had many servers that provided very distinct services and you wanted to logically divide them for management purposes?

Local area network containing DMZ and routers

Network with outside and inside DMZ networks. How do the local clients get to the internet?

Kevin

2 Answers

This feels like a homework question, but I'll bite.

In summary:

LAN 5 story building with about 100-200 users on each floor. Each floor will have its own set of switches in supply closets. 5 servers.
DMZ 2 exchange edge servers

Q: What reason would a network want a router in the private network?
A: Break apart the network for logistical management, say to partition to one subnet per floor.

Q: What reason would a network want a router inside the DMZ for the public facing servers?
A: Again, it would theoretically be useful for logistical management, but with only two DMZ devices it wouldn't provide a benefit.

Q: Do routers provide any security benefit?
A: Generally speaking, no. Many routers can be configured with basic firewall rules, but this isn't available on all devices, or even a good idea for most use cases. Oftentimes, if this is needed, a dedicated firewall instead of a router is a better choice.

Tim Brigham
  • In response to your first answer.... I understand that in a general sense, but according to the network map, why would we need an additional layer 3 device between the LAN and the internal firewall. Wouldn't the firewall be able to do what the router can? – Kevin Oct 04 '18 at 21:04
  • For question #2. It will be a total of 6 servers. Two Exchange edge servers, then 4 web servers. However, we would expect the number of servers to eventually grow from 6 to maybe 20. – Kevin Oct 04 '18 at 21:06
  • @Kevin, yes, the firewall can handle what a router can. – Tim Brigham Oct 04 '18 at 21:07
  • For devices that want to get out to the internet (for general browsing, etc.), do they go through the DMZ? How do they physically get out to the internet at that point? – Kevin Oct 04 '18 at 21:44
A router is not necessary, per se. A single firewall can handle both DMZ and internal networks. And modern firewalls also provide routing and NAT functionality. Separate routers are only necessary if your routing needs exceed the capabilities of the firewall.

And even then, a dedicated router is not common. Instead a Layer 3 switch would probably be used.

longneck
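To illustrate both answers (a single firewall holding the inside, DMZ and outside zones and doing the NAT, while inter-floor traffic never touches it), here is a small Python model of that zone policy. It is an added example, not configuration from either answer; the address plan (one /24 per floor, a DMZ /24 for the Exchange edge and web servers) and the permitted ports are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): floors 1-5 get 10.1.<floor>.0/24,
# the DMZ is 192.0.2.0/24, and anything else is treated as the internet.
ZONES = {
    "inside": [ip_network(f"10.1.{floor}.0/24") for floor in range(1, 6)],
    "dmz": [ip_network("192.0.2.0/24")],
    "outside": [ip_network("0.0.0.0/0")],  # catch-all, checked last
}

# Zone-pair policy on the one firewall: (src_zone, dst_zone) -> allowed dst ports.
# "any" permits all ports. A zone pair with no entry is dropped, so the DMZ can
# never initiate connections inward even if an edge server is compromised.
POLICY = {
    ("inside", "outside"): "any",   # general browsing, source-NATed by the firewall
    ("inside", "dmz"): {25, 443},   # clients reach the edge servers and web servers
    ("outside", "dmz"): {25, 443},  # SMTP to the Exchange edge, HTTPS to web
    ("dmz", "outside"): {25, 53},   # edge relays outbound mail, DNS lookups
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; specific zones win over the outside catch-all."""
    addr = ip_address(ip)
    for zone in ("inside", "dmz", "outside"):
        if any(addr in net for net in ZONES[zone]):
            return zone
    raise ValueError(ip)  # unreachable because "outside" matches everything


def evaluate(src: str, dst: str, dport: int) -> str:
    """Verdict for a new flow: routed-internally, forward, snat-forward or drop."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        # Same zone, e.g. floor 3 to floor 5: this is plain L3 switching/routing
        # inside the private network (Tim's per-floor partition) and never
        # crosses the firewall at all.
        return "routed-internally"
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None or (allowed != "any" and dport not in allowed):
        return "drop"
    if src_zone == "inside" and dst_zone == "outside":
        # Clients leave directly through the firewall with source NAT; they do
        # not transit the DMZ on the way out.
        return "snat-forward"
    return "forward"
```

Calling `evaluate("10.1.3.20", "198.51.100.7", 443)` answers Kevin's last comment: the floor-3 client is NATed straight out by the firewall, and the same firewall drops any DMZ-to-inside attempt.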