How can you design your IP network so that Internet users can reach an internal server, such as an Exchange server, in a secure manner?
To allow one computer to communicate with another over a TCP/IP network, each computer needs a unique IP address. IP addresses fall into two categories: private and public. To build a private network whose computers on the internal LAN can also communicate with computers anywhere on the Internet, you need a sound IP network design. The design should also let Internet users reach your internal servers in a secure manner.
Designing the Internal Network
Suppose you have an internal mail server. All internal users need access to it, they need to send outbound email to the Internet, and Internet users need to reach the mail server as well, all in a secure manner. With a limited number of registered IP addresses, you need a well-thought-out IP network design to make this happen. The following figure shows the typical IP networking diagram you need to develop to allow the internal network to communicate with the Internet and vice versa.

In your IP network design, you first design the internal network using private IP addresses. As discussed previously when designing IP addresses for multi-site networks, this section does not go into the detailed binary (bit "1" and "0") subnet design. The following table lists the private IP address blocks defined in RFC 1918 that you can use for your internal networks (the end address of each block is its last address, including the broadcast address of the whole block).
| Class Type | Start Address | End Address | CIDR Block |
|---|---|---|---|
| Class A | 10.0.0.0 | 10.255.255.255 | 10.0.0.0/8 |
| Class B | 172.16.0.0 | 172.31.255.255 | 172.16.0.0/12 |
| Class C | 192.168.0.0 | 192.168.255.255 | 192.168.0.0/16 |
Suppose you use the private block 192.168.10.0/23 from the 192.168.0.0/16 range, which gives you up to 510 usable host addresses with the subnet mask 255.255.254.0 (see also how to calculate subnet masks). You install one Exchange server with the internal IP address 192.168.10.251/23 and one web server with the internal IP address 192.168.10.250/23. Private IP addresses are not routed on the Internet, so how can Internet users reach your domain, for example to deliver mail addressed in the form first_name.last_name@your-domain.com?
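The following Python script is an added example, not part of the original article, that checks the subnet arithmetic claimed above: it derives the mask, usable host count and usable range for 192.168.10.0/23, and confirms that both server addresses sit inside that subnet and inside an RFC 1918 block (and that the public address 65.134.10.13 does not). The RFC 1918 check is written out explicitly rather than relying on `is_private`, because the library's notion of "private" covers more ranges than the three in the table. All addresses are the ones from the article; no external input is needed.

```python
import ipaddress

# The three RFC 1918 blocks from the table above, as network objects
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True only if addr falls inside one of the RFC 1918 private blocks.

    Deliberately not ipaddress.is_private: that also matches loopback,
    link-local and other reserved space, which is not what the table lists.
    """
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in RFC1918)


def describe_subnet(cidr):
    """Return mask, usable host count, usable range and broadcast for a CIDR block.

    strict=True rejects a prefix whose host bits are not all zero, e.g. 192.168.11.0/23.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "netmask": str(net.netmask),
        "usable_hosts": len(hosts),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "private": is_rfc1918(net.network_address),
    }


def check_server_placement(cidr, servers):
    """For each named server, report whether its address is both inside the LAN
    subnet and an RFC 1918 address (i.e. it needs NAT to be reachable from outside)."""
    net = ipaddress.ip_network(cidr)
    result = {}
    for name, addr in servers.items():
        ip = ipaddress.ip_address(addr)
        result[name] = ip in net and is_rfc1918(ip)
    return result


if __name__ == "__main__":
    # Addresses taken from the article
    lan = "192.168.10.0/23"
    servers = {"exchange": "192.168.10.251", "web": "192.168.10.250"}
    print(describe_subnet(lan))
    print(check_server_placement(lan, servers))
    print("65.134.10.13 is RFC 1918:", is_rfc1918("65.134.10.13"))
```

Run it once before committing to a design: a mistyped prefix such as 192.168.11.0/23 is rejected outright, and a server address accidentally placed in the neighbouring /23 shows up as `False` in the placement check.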
Registering the Domain
Your email server and web server cannot be reached by Internet users because both use private IP addresses on the internal network. Since private addresses are not routed on the Internet, you need to register your domain formally and obtain public addresses. Arrange with your ISP (or a domain registrar) to register your-domain.com and buy a small block of public / registered IP addresses for the servers.
With your-domain.com registered and a few public IP addresses in hand, arrange with your ISP to host your domain's DNS records. An MX record must point to a hostname, not directly to an IP address, so create a hostname such as mail.your-domain.com with an A record for one of your public addresses (for example 65.134.10.13) and an MX record for your-domain.com that points to that hostname. If you deploy the Exchange server (2003 or 2007) on the internal network and you also run an internal DNS server for the same domain (split DNS), create the same MX and hostname records there, but with the A record pointing to the internal IP address of the Exchange server (192.168.10.251), so that internal clients reach the server directly rather than through the router's public address.
Similarly, register the web server in public DNS. Arrange with your ISP to create an A record for www.your-domain.com using the other public IP address (for example 65.134.10.12) so that Internet users can resolve your web server. Now, how can Internet users reach your internal Exchange server and (or) web server when both servers are located inside your corporate network?
Using NAT
You need a way to translate the internal private IP addresses into the registered public IP addresses, using a method called NAT (network address translation). This way, Internet mail servers can deliver messages to your internal Exchange server. NAT is configured on your firewall / router. Suppose you deploy a Cisco router: in your access-list configuration (for example access-list 101), open TCP port 25 (SMTP) so that Internet hosts can reach the Exchange server through the public IP registered with the ISP (65.134.10.13). The access list is applied inbound on the Internet-facing interface, where the destination is still the public address (IOS checks the inbound access list before it performs the outside-to-inside translation), so the source is `any` and the destination is the public host and port:

```
! Inbound from the Internet: any host may reach the mail server on SMTP
access-list 101 permit tcp any host 65.134.10.13 eq smtp
! and the web server on HTTP; everything else is dropped by the implicit deny
access-list 101 permit tcp any host 65.134.10.12 eq www
```

To translate the Exchange server's internal IP address (192.168.10.251) to the public / registered IP address (65.134.10.13), use static NAT. Static NAT is the right choice when inbound connections from the outside network must always reach a particular internal device, such as a web or email server.

```
Router(config)#ip nat inside source static 192.168.10.251 65.134.10.13
Router(config)#ip nat inside source static 192.168.10.250 65.134.10.12
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.10.254 255.255.254.0
Router(config-if)#ip nat inside
Router(config-if)#exit
! The Internet-facing interface (Serial 0/0 is assumed here; use your own WAN interface)
! must be marked as the NAT outside interface, and access-list 101 is applied inbound on it
Router(config)#interface Serial 0/0
Router(config-if)#ip nat outside
Router(config-if)#ip access-group 101 in
Router(config-if)#exit
```

This is a simple form of the NAT configuration; Cisco IOS configuration is not covered in more detail here. See also Cisco IOS – the basic configuration.
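The following Python script is an added example, not part of the original article or of any Cisco software, that models the router's outside-to-inside path described above: the inbound access list is evaluated against the public destination address, and only then does static NAT rewrite it to the private address. The `STATIC_NAT` table and the `ACL_101` entries mirror the configuration above; `SWAPPED_ACL_101` is the common mistake of putting the public address in the source field, included to show that it never matches inbound mail. The Internet source address 203.0.113.7 is a constructed value from the documentation range. The model is deliberately stateless: no `established` handling, no wildcard masks, host or `any` only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Static NAT table from the router configuration: public address -> private address
STATIC_NAT = {
    "65.134.10.13": "192.168.10.251",  # Exchange server
    "65.134.10.12": "192.168.10.250",  # web server
}

# Extended ACL entries as (action, proto, src, dst, dport).
# "any" matches every address; dport None matches every port.
# Applied inbound on the outside interface, so dst is the PUBLIC address.
ACL_101 = [
    ("permit", "tcp", "any", "65.134.10.13", 25),   # SMTP to the mail server
    ("permit", "tcp", "any", "65.134.10.12", 80),   # HTTP to the web server
    # implicit "deny ip any any" at the end
]

# A common mistake: public address in the source field. Inbound mail from the
# Internet has an Internet source, so this entry never matches and mail is dropped.
SWAPPED_ACL_101 = [
    ("permit", "tcp", "65.134.10.13", "any", 25),
]


def acl_permits(acl, pkt):
    """First-match evaluation of an extended ACL; unmatched packets hit the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def process_inbound(pkt, acl=ACL_101, nat=STATIC_NAT):
    """Outside-to-inside: inbound ACL on the public address, then static NAT.

    Returns (verdict, translated_packet); translated_packet is None unless forwarded.
    """
    if not acl_permits(acl, pkt):
        return ("denied", None)
    inside = nat.get(pkt.dst)
    if inside is None:
        # Permitted by the ACL but no translation exists: the public address is
        # the router's own or unused, nothing inside can receive it.
        return ("untranslatable", None)
    return ("forwarded", Packet(pkt.src, inside, pkt.dport, pkt.proto))


def process_outbound(pkt, nat=STATIC_NAT):
    """Inside-to-outside: rewrite the private source to its static public address."""
    reverse = {private: public for public, private in nat.items()}
    public = reverse.get(pkt.src)
    if public is None:
        return ("untranslatable", None)
    return ("forwarded", Packet(public, pkt.dst, pkt.dport, pkt.proto))


if __name__ == "__main__":
    internet_mta = "203.0.113.7"  # constructed Internet source address
    for pkt in (
        Packet(internet_mta, "65.134.10.13", 25),    # inbound mail
        Packet(internet_mta, "65.134.10.13", 445),   # SMB probe at the mail server
        Packet(internet_mta, "65.134.10.12", 80),    # web request
        Packet(internet_mta, "65.134.10.12", 25),    # SMTP at the web server's address
    ):
        print(pkt, "->", process_inbound(pkt))
    print("swapped ACL, inbound mail ->",
          process_inbound(Packet(internet_mta, "65.134.10.13", 25), acl=SWAPPED_ACL_101))
    print("outbound mail ->", process_outbound(Packet("192.168.10.251", "198.51.100.5", 25)))
```

The point of separating `acl_permits` from the translation is the one that matters on the real router: the access list decides on the packet as it arrives from the ISP, with the public destination address, so an entry written against the private address, or with the public address in the source field, never matches inbound traffic.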
With this IP network design and NAT configuration, your router allows inbound email traffic from the Internet to reach the Exchange server. You also need TCP port 25 to be open at your ISP; check with your ISP that it is not filtered. Generally, when you connect to the ISP over a WAN service such as a frame relay network or a point-to-point leased line, all ports are available, so you must secure your internal network with a properly configured firewall that filters all unwanted traffic and permits only the ports the access list above opens.
We do not discuss how to install Exchange server or how to configure the recipient address policy so that the server accepts inbound mail for your domain; you can find this in the Exchange installation guide.
Public Resources in DMZ
For a more secure configuration, place the public resources in a perimeter network, or DMZ (demilitarized zone). By placing public resources such as the web server or mail server in the DMZ, you can configure the firewall so that Internet traffic does NOT flow into the internal network, your secured private network, at all: only the DMZ accepts inbound connections, and the DMZ hosts are given only the specific access to the internal network they need. You need to modify the router and/or firewall to support the DMZ configuration. See also more detail about the firewall with DMZ feature.
This IP network design simply shows the steps needed to allow inbound traffic from the Internet to reach your internal resources (mail server, web server) in a secure manner.
By Ki Grinsing
See also:
- Understanding the static route in multi site communication
- Router connection guidelines – the basic concept
- Understanding spanning tree protocol – STP.

