Designing a Secure Internal Network
Please refer to Figure 1 as we walk through considerations for securing your network.
This is a good conceptual representation of the network needed by most SMBs. Since most small and medium businesses use the Internet as their connection to the rest of the world, including customers and business partners, I don’t discuss point-to-point circuits or complex router configurations.
Let’s start with the perimeter device: the router.
A router must sit between the cable modem (or other communication medium) connecting your business to the Internet and your internal network. In our example, the router both connects to the Internet and segments the company network. (For detailed explanations of routers and switches, see Introduction to Local and Wide-area Networks, Part 4 and Part 5.)
In our example, we have two virtual local area networks (VLANs). VLAN 100 is used to access a public Web server. No systems with sensitive information reside on it. All internal devices containing critical applications and sensitive information reside on VLAN 200. A security control known as an access control list (ACL) determines who and what can travel over each.
For example, an ACL would typically prohibit remote devices from accessing the internal devices on VLAN 200 while allowing access to the Web server. If the internal switch supports it, you could create additional VLANs to segregate the application, database, email, and file/print servers.
Wireless devices attach to wireless access points (WAPs). You should encrypt wireless access networks and consider establishing a separate VLAN for wireless devices. Information on encryption and other wireless security issues is available at Wireless Access Controls. For more information about wireless points and routers, see Wireless N Buyer's Guide to Choosing a Router.
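The ACL behaviour described above for VLAN 100, VLAN 200 and the optional wireless VLAN can be made concrete with a small first-match packet filter. The following is an added example written for this article, not code from the original or from any router vendor: the addresses, the wireless VLAN (VLAN 300) and the policy that wireless clients may reach the Internet but not internal systems are assumptions constructed for illustration. It goes slightly beyond the text by also blocking the Web server segment from initiating connections into VLAN 200, so that a compromised public server cannot be used as a stepping stone inward.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing, constructed for this example (RFC 5737 documentation ranges).
VLAN100 = ip_network("192.0.2.0/24")       # public Web server segment
VLAN200 = ip_network("198.51.100.0/24")    # internal servers and workstations
VLAN300 = ip_network("203.0.113.0/24")     # separate wireless VLAN (assumed)
WEB_SERVER = ip_network("192.0.2.10/32")   # the single public Web server
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches every destination port


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(acl, pkt: Packet) -> str:
    """Router ACL semantics: the first matching entry wins, and a packet
    that matches no entry is implicitly denied."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# ACL for traffic arriving from the Internet: only the Web server, and only
# HTTP/HTTPS, is reachable.  The explicit deny for VLAN 200 is redundant with
# the implicit deny but documents intent and lets a router log the hits.
FROM_INTERNET = [
    Rule("permit", ANY, WEB_SERVER, "tcp", 80),
    Rule("permit", ANY, WEB_SERVER, "tcp", 443),
    Rule("deny", ANY, VLAN200, "any"),
]

# ACL for traffic arriving from VLAN 100: the public segment may talk to
# the Internet but never initiate connections into the internal VLAN.
FROM_VLAN100 = [
    Rule("deny", VLAN100, VLAN200, "any"),
    Rule("permit", VLAN100, ANY, "any"),
]

# ACL for traffic arriving from the wireless VLAN (assumed policy: wireless
# clients reach the Internet but not internal systems).
FROM_VLAN300 = [
    Rule("deny", VLAN300, VLAN200, "any"),
    Rule("permit", VLAN300, ANY, "any"),
]

INGRESS_ACLS = {"internet": FROM_INTERNET,
                "vlan100": FROM_VLAN100,
                "vlan300": FROM_VLAN300}


def decide(ingress_zone: str, pkt: Packet) -> str:
    """Apply the ACL bound to the interface the packet arrived on."""
    return evaluate(INGRESS_ACLS[ingress_zone], pkt)


def demo() -> dict:
    """Constructed packets covering the cases the article describes."""
    remote = ip_address("100.64.0.7")            # a remote device (constructed)
    web = ip_address("192.0.2.10")
    internal = ip_address("198.51.100.20")
    wifi = ip_address("203.0.113.50")
    cases = {
        "internet_to_web_https": ("internet", Packet(remote, web, "tcp", 443)),
        "internet_to_web_ssh":   ("internet", Packet(remote, web, "tcp", 22)),
        "internet_to_internal":  ("internet", Packet(remote, internal, "tcp", 445)),
        "web_to_internal_db":    ("vlan100", Packet(web, internal, "tcp", 1433)),
        "web_to_internet":       ("vlan100", Packet(web, remote, "tcp", 443)),
        "wifi_to_internal":      ("vlan300", Packet(wifi, internal, "tcp", 445)),
        "wifi_to_internet":      ("vlan300", Packet(wifi, remote, "udp", 53)),
    }
    return {name: decide(zone, pkt) for name, (zone, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Two points carry over to a real router regardless of vendor syntax: entries are evaluated top to bottom and the first match wins, so a broad permit placed above a deny silently defeats it; and everything not explicitly permitted is dropped, which is why the Internet-to-Web-server SSH case above is denied without any rule mentioning port 22. The filter shown is stateless, so on a real device the replies to connections that VLAN 200 opens outward need either a stateful firewall or return-traffic entries on the inbound ACL.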
Finally, the best approach to preventing network infection is to block bad stuff at the perimeter. Standard routers are not equipped to handle things like email filtering. Products like those from Astaro or hosted services like Postini can help keep email-borne malware away from your servers and workstations.