Businesses of all sizes use computers to automate their information processing. When a business has multiple sites that need to be interconnected, it is important that this interconnection, termed a Wide Area Network (WAN), is set up properly.
De-Militarised Zone (DMZ)
A De-Militarised Zone is where the computer servers that serve both internal employees and external parties (customers, suppliers, shareholders, etc.) are isolated from the computer servers that serve only internal employees. Why do they have to be isolated? So that when an unauthorised external person somehow manages to break through the firewall, they can reach only these servers, instead of every server.
A DMZ basically provides:
- one layer of firewall protection between external parties and the publicly available computer servers
- two layers of firewall protection between external parties and the internally available computer servers
Which computer servers should be located inside the DMZ?
- Web server, which displays the company web site to the general public
- E-mail server, which needs to receive e-mail from external parties and send e-mail on behalf of internal parties
- Proxy server, which restricts web access by employees to unauthorised web sites, such as on-line gaming, illegal download and adult content sites. This server also saves some web browsing cost by caching frequently visited sites internally for quick loading, without contacting the original external source at every visit
- Extranet server, which provides web-based application access to customers or suppliers. It shares the database server located outside the DMZ that holds the ERP/CRM data, but contains only minimal application logic, just enough to serve customers or suppliers
- Virtual Private Networking (VPN) server, which provides safe access for branch as well as travelling employees to all internal servers. Please make sure that the external-facing firewall supports VPN pass-through in order to use this facility. Why? Because a VPN connection request from outside looks like any other unsolicited connection request from the outside, and by default will be rejected by the firewall. We need to tell the firewall that if an unsolicited connection request from the outside fits the description of a typical VPN request, it has to let it pass through. More on VPN below
It goes without saying that the firewalls around the DMZ should be configured to allow only DMZ-to-external and DMZ-to-internal communication, never direct external-to-internal communication. One final note is that the servers in the DMZ are isolated from the rest of the company's private network by being placed on a different sub-network, and are made accessible from the outside world via Network Address Translation (NAT) on the internet router.
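The zone policy described above, written out as an added worked example (not part of the original article): a small Python model of the two firewalls' allow list with a default deny, including the VPN pass-through entries for the DMZ VPN server, plus an audit check that no rule lets the outside reach the internal sub-network directly. The subnets and the database and proxy port numbers are constructed for illustration.

```python
import ipaddress

# Constructed addressing: the DMZ sits on its own sub-network, separate from the internal LAN.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}

def zone_of(ip):
    """Map an address to dmz / internal; anything else is the outside world."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

# Allow list as (src_zone, dst_zone, proto, dport); dport None matches any port.
# Both firewalls default-deny, so there is deliberately no external -> internal rule.
ALLOW = [
    ("external", "dmz", "tcp", 80),    # public web server
    ("external", "dmz", "tcp", 443),
    ("external", "dmz", "tcp", 25),    # inbound e-mail
    ("external", "dmz", "udp", 500),   # IKE: VPN pass-through to the DMZ VPN server
    ("external", "dmz", "udp", 4500),  # IPsec NAT traversal
    ("external", "dmz", "esp", None),  # ESP carries no port
    ("dmz", "internal", "tcp", 1433),  # extranet app -> ERP/CRM database (constructed port)
    ("dmz", "internal", "tcp", 25),    # external mail relayed inward
    ("dmz", "external", "tcp", 80),    # proxy fetching sites on behalf of employees
    ("dmz", "external", "tcp", 443),
    ("dmz", "external", "tcp", 25),    # outbound e-mail
    ("internal", "dmz", "tcp", 3128),  # workstations -> proxy (constructed port)
]

def is_allowed(src, dst, proto, dport=None, rules=ALLOW):
    """Decide whether a new connection may cross the firewall(s); reply packets are
    assumed to be matched statefully and need no rule of their own."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:                 # same zone: traffic never reaches a firewall
        return True
    return any(sz == s and dz == d and p == proto and port in (None, dport)
               for sz, dz, p, port in rules)

def external_to_internal_rules(rules=ALLOW):
    """Audit check: rules that would let the outside reach internal servers directly."""
    return [r for r in rules if r[0] == "external" and r[1] == "internal"]
```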
Virtual Private Networking (VPN)
VPN is a technology that enables companies to use the public internet as a tunnel to transmit confidential information securely between different geographical sites, as if all the computers in all those sites were located in a single site separated from public access. This technology drove down the cost of having a WAN considerably, by significantly increasing the number of service providers the company can use for its WAN. Wherever there is internet access, VPN enables the company to inexpensively extend its WAN there, and the price of internet access keeps getting cheaper.
All access to internal servers by employees outside headquarters should be granted only through VPN:
- For branches, a VPN client machine acting as a gateway has to be set up to connect the employees there to the servers in headquarters
- For travelling employees, VPN client software has to be configured on their company-issued portable computers to connect to the VPN server in the headquarters DMZ. This gives travelling employees a secure connection to the servers in headquarters wherever they can find an internet connection for their portable computer
Please don't forget to turn on the compression capability on the VPN server to reduce the connection cost to branches
Core Switch
The main functions of the core switch are to provide high-capacity communication:
- between servers in the server farm
- between the core switch, which is connected to the servers, and the access switches, which are connected to the workstations
It should be a manageable, all-Gigabit Ethernet switch with 24 or more ports, with link aggregation capability for the core-to-access switch connections
Access Switches
The access switches, which should be stackable, manageable 48-port 100 Mbps + 2-port 1000 Mbps switches with link aggregation and Virtual LAN (VLAN) capabilities, provide the following main functions:
- to be the point where all workstations are connected to the network
- to be the point where WiFi access points connect all the wireless communications to the rest of the wired network. Even the latest Wi-Fi 802.11n standard only provides a maximum speed of 600 Mbps, shared between all wireless devices on the same access point, so it doesn't make sense to connect the WiFi access points directly to the core switch, which has 1000 Mbps per port
- to provide high-speed inter-workstation communication. This is provided by the separate stacking back-plane for communication between access switches. This feature gives very high inter-switch communication speed (4 Gbps or more) without reducing the number of ports available for workstations and without channelling inter-workstation communication through the core switch
- to provide high-capacity communication to the core switch, to which the servers are connected. This is where the 2 Gigabit Ethernet ports come in handy: the 2 ports should be trunked together to provide 2 Gbps of connection speed to the core switch per access switch in the stack
- to increase utilisation of connection capacity by segregating the workstations into VLANs. Try to use dynamic VLAN assignment, based on the unique MAC address of the workstation's network adapter, as this gives more flexibility, especially since some of the workstations are portable computers connected through WiFi access points rather than directly to the access switch