
How to make secure student network?

19 years 1 month ago #10400 by apit
Hi there...
I want to implement this kind of network at my college.



Reference:: www.comptechdoc.org

Let's say the webserver is using a 219.x.x.x IP (public) and the users are using 172.x.x.x IPs (private). I'm using packet filtering as the firewall.

Questions:

1- How can I allow internal users to directly access the webserver without going to the Internet?

2- Can the pf firewall cater for up to 5000 users, or does it depend on the hardware?

3- What is the best design to improve the security? Should I add another piece of hardware such as an IPS, etc.? For your information, this is a student network, and as you know there are a lot of issues from the student side such as viruses and hacking. I need your advice to improve the security.

Thanks
19 years 1 month ago #10401 by jwj
1.) In order for your students on the private network to reach the webserver, and the webserver only, you'll need to have your firewall port forward http (TCP port 80 or whatever port your server is set to listen for http on) to just the IP address of the webserver (219.x.x.x). Your clients are still behind NAT, and the only access out of the firewall they would have is the access to the webserver.

One note: if your private network is one big network that includes students and administrators, be sure to segment it into the respective user groups. This will make configuring the firewall easier.

2.) Not sure on that one, but I'd imagine someone more familiar with BSD can tell you for sure. Check this link out, though. www.openbsd.org/faq/pf/perf.html

3.) Your design is very good. As far as keeping your network secure from your users, I'd make certain that their local and network rights are just powerful enough to let them do what they need. If you are really concerned about hacking, maybe you should add an IDS like Snort to help you spot suspicious activity.

-Jeremy-
19 years 1 month ago #10407 by apit
This is what I read on the net.
Their advice is to design the DMZ like this:

Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
...and...
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems


Reference:: www.dslreports.com/faq/4545



Which one is better compared to the previous one?
19 years 1 month ago #10408 by jwj
The designs are essentially the same, except the second one is more suitable for a home gaming rig. The important thing to note is keeping your users behind NAT, and creating a DMZ for your servers that need to be accessed by both your network and the internet. The first design is good for your situation, even though they are essentially the same.

-Jeremy-
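
A pf.conf sketch of the layout discussed in this thread, added here as an illustration and not posted by either participant: the firewall has three NICs, students may reach only the DMZ webserver, and that traffic is routed across the firewall without leaving for the Internet. Interface names and both addresses are placeholders (the thread gives only 219.x.x.x and 172.x.x.x), and the syntax assumes OpenBSD 4.7 or later.

```pf
# Added example. All names and addresses below are placeholders,
# not values from the thread.
ext_if   = "em0"              # assumed: NIC facing the router/Internet
int_if   = "em1"              # assumed: NIC facing the student LAN
dmz_if   = "em2"              # assumed: NIC facing the DMZ switch
students = "172.16.0.0/16"    # placeholder for the 172.x.x.x student range
web      = "203.0.113.10"     # placeholder for the 219.x.x.x webserver

set skip on lo

# Drop packets whose source address claims to be on the student LAN
# or the DMZ but which arrive on a different interface.
antispoof quick for { $int_if $dmz_if }

# Default deny, with logging. Anything not passed below is dropped,
# including connections started by the DMZ server toward the students.
block log all

# Students stay behind NAT. A match rule only sets the translation;
# it takes effect only if a pass rule later lets student traffic
# out of $ext_if (none does in this ruleset).
match out on $ext_if inet from $students to any nat-to ($ext_if)

# Internet clients may reach the webserver on HTTP only.
pass in on $ext_if inet proto tcp from any to $web port 80

# Students may reach the webserver on HTTP only. The packet goes
# $int_if -> firewall -> $dmz_if and never crosses $ext_if.
pass in on $int_if inet proto tcp from $students to $web port 80

# Egress side of both flows above. pf keeps state by default,
# so replies from the webserver are allowed back automatically.
pass out on $dmz_if inet proto tcp from any to $web port 80
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and packets dropped by the `block log` rule can be read with `tcpdump -n -e -ttt -i pflog0`.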