....Security Designs....
19 years 11 months ago #6112
by Maskkkk
[img]http://home.pct.edu/~leeand00/Hole in the Ozone Layer.gif[/img]
- A Man is not an island...that's why we have fourms!
....Security Designs.... was created by Maskkkk
I'm using my home connection, and I'm trying to set up a web server and an email server.
I'm sharing a network with my family, and I'm also concerned about the security of their computers (since they are just end users). I'd also like to keep them from complaining that the internet connection is slow.
I've come up with some ideas for security...
Could you please tell me if either of these designs is good, which one is better, or if neither of these designs is any good at all.
P.S. I'm really new to networking so I'm not entirely sure what the right thing to do is yet....
P.P.S. Is the security tighter on the hardware firewall than on Smoothwall? It sounds like it would be, but I'm not sure about that either.
Thanks,
19 years 11 months ago #6113
by nske
Replied by nske on topic Re: ....Security Designs....
I don't see why you would need two routers. Unless the hardware router is something special, I would prefer to use just a Linux or BSD box for all the routing and firewalling. Of course, in general an extra layer of control is not a bad thing if you have planned a good use for it, but this is just a small network..
There are two ways to see the same coin: more layers give you more flexibility in configuration and more chances that an intrusion will be blocked in case of a misconfiguration or vulnerability in one of the devices. But more layers also give you more overhead, more configuration to do and thus more chances that you will make a mistake somewhere or that something will malfunction. I think that second side leads to a more solid approach.
Consequently, I would choose to use a reliable, well cooled and quiet PC as a central router and firewall for all three interfaces, and I would try to make an optimal ruleset based on a deny-everything default policy. Also, I would apply QoS to handle the traffic (prioritizing/limiting) and to keep everyone happy.
So, based on your material, here's my picture for your network:
btw, personally I don't like hardware devices and I don't consider them any safer.
PS. Prioritizing and limiting the bandwidth resources can be an excellent discussion on its own, so if you experiment with it please share your experiences about what you found optimal!
PS2. Is that DIA you are using?
19 years 11 months ago #6115
by Maskkkk
Replied by Maskkkk on topic Re: ....Security Designs....
What is QoS?
(Quality of Service?) Just guessing....
What sort of program would you use for that? (In Linux, of course.)
Yeah, I'm using DIA, and you know what? I almost like it better than Visio. It just makes a lot more sense, like the start arrow and end arrow thing. In Visio you have to guess which is the beginning and which is the end of the arrow. In DIA you remember which way you drew the arrow and it all becomes clear. There are also a lot of cool programs for DIA that'll let you turn your drawings into code! Saves you days in software development.
P.S. Sig-no-mee, are you really from Greece?
P.P.S. I apologize if I butchered sig-no-mee with my English...
19 years 11 months ago #6117
by nske
Replied by nske on topic Re: ....Security Designs....
Yes, quality of service. In Linux you can do it with the iproute tool. There is a good how-to here.
lol "ohi den to esfakses" (no you didn't butcher it )
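The prioritizing/limiting nske suggests, as an added example that is not part of the thread: upload shaping on the router's WAN interface with the iproute2 `tc` tool (HTB classes), so the family's traffic keeps priority over the web and mail servers. Everything here is assumed: the interface name `eth0`, a 1000 kbit/s uplink, the LAN and DMZ networks, and the use of nftables marks to classify traffic. The script prints the commands when `DRY_RUN=1` is set, since `tc` and `nft` need root to apply anything.

```shell
#!/bin/sh
# Added example, not from the thread: upload shaping on the router's WAN
# interface with tc (iproute2) HTB classes, so the family's traffic keeps
# priority over the web/mail servers in the DMZ.
# Assumptions (constructed): WAN is eth0, the uplink is 1000 kbit/s,
# family LAN is 192.168.1.0/24 and the DMZ is 192.168.2.0/24.
WAN=${WAN:-eth0}
UPLINK=${UPLINK:-1000}          # kbit/s; set slightly below the real line rate
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}

# DRY_RUN=1 prints the commands instead of executing them (tc/nft need root).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mark forwarded packets by origin before NAT rewrites the source address;
# tc on the egress side only sees the WAN address, so it classifies by mark.
setup_marks() {
  run nft add table inet qos
  run nft add chain inet qos forward '{ type filter hook forward priority -150; }'
  run nft add rule inet qos forward ip saddr "$LAN_NET" meta mark set 10
  run nft add rule inet qos forward ip saddr "$DMZ_NET" meta mark set 20
}

setup_qos() {
  run tc qdisc del dev "$WAN" root 2>/dev/null
  # HTB root; unmarked traffic lands in class 1:30
  run tc qdisc add dev "$WAN" root handle 1: htb default 30
  run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${UPLINK}kbit" ceil "${UPLINK}kbit"
  # 1:10 family LAN: guaranteed 50%, may borrow up to the full link, served first
  run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate "$((UPLINK / 2))kbit" ceil "${UPLINK}kbit" prio 0
  # 1:20 DMZ servers: guaranteed 30%, capped at 60% so a busy server cannot saturate the uplink
  run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate "$((UPLINK * 3 / 10))kbit" ceil "$((UPLINK * 6 / 10))kbit" prio 1
  # 1:30 everything else (the router itself): 20% guaranteed
  run tc class add dev "$WAN" parent 1:1 classid 1:30 htb rate "$((UPLINK / 5))kbit" ceil "${UPLINK}kbit" prio 2
  # fair queuing inside each leaf so one flow cannot hog its class
  for c in 10 20 30; do
    run tc qdisc add dev "$WAN" parent 1:$c handle $c: sfq perturb 10
  done
  # steer packets into the classes by firewall mark
  run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
  run tc filter add dev "$WAN" parent 1: protocol ip prio 2 handle 20 fw flowid 1:20
}

case "${1:-}" in
  --apply)   setup_marks && setup_qos ;;
  --dry-run) DRY_RUN=1; setup_marks; setup_qos ;;
esac
```

Run it with `--dry-run` to review the commands, then `--apply` as root. This shapes only the upload direction, which is where a home link is usually tightest; the download side cannot be queued the same way on the receiving interface and needs an `ifb` device or policing, which is left out here.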
19 years 11 months ago #6120
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: ....Security Designs....
Nske's diagram makes a lot of sense.. as he said, you don't need to have a separate router...
Just wanted to add a couple of things..
1. Don't permit any connections from the DMZ (mail / web servers) to the internal LAN, otherwise this will defeat the purpose of a DMZ.
2. Install an IDS sensor in both the internal segment and the DMZ. I would suggest you use Snort ( www.snort.org ) for this. If I recall correctly, Smoothwall already has Snort built in. I recommend you make the sensor dual homed, put no IP address on the sensor side, and connect the other side to a management console to handle your alerts and manage the sensor.. There is a nice Windows IDS policy manager for Snort, you can get it here:
www.activeworx.org
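The deny-everything default policy nske describes, with sahirh's rule that the DMZ must never open connections into the LAN, written out as an added example that is not from the thread or from Smoothwall. It generates an nftables ruleset (the modern successor of the iptables rules a 2004 Linux firewall would have used) for a single box with three interfaces. Interface names, addresses and the published ports are all assumptions: `eth0` to the internet, `eth1` for the family LAN, `eth2` for the DMZ, with the web server at 192.168.2.10 and the mail server at 192.168.2.20. The management rules in the `input` chain (SSH and DNS from the LAN only) are hypothetical additions.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny nftables ruleset for one
# Linux router/firewall with three interfaces (WAN, family LAN, DMZ).
# Assumed interface names and addresses (constructed):
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
WEB=${WEB:-192.168.2.10}     # web server in the DMZ
MAIL=${MAIL:-192.168.2.20}   # mail server in the DMZ

# Emit the ruleset as text; load it with `nft -f -` (needs root).
gen_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # hypothetical: manage the router itself only from the family LAN
    iifname "$LAN" tcp dport 22 accept
    iifname "$LAN" udp dport 53 accept
    iifname "$LAN" icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to connections the LAN opened are allowed back in
    ct state established,related accept
    ct state invalid drop
    # the DMZ may never open a connection into the LAN (sahirh's point 1);
    # the default policy already drops it, the explicit rule documents the intent
    iifname "$DMZ" oifname "$LAN" drop
    # internet -> only the published DMZ services
    iifname "$WAN" oifname "$DMZ" ip daddr $WEB tcp dport { 80, 443 } accept
    iifname "$WAN" oifname "$DMZ" ip daddr $MAIL tcp dport 25 accept
    # family LAN -> internet, and LAN -> DMZ (for reading mail, testing the site)
    iifname "$LAN" oifname "$WAN" accept
    iifname "$LAN" oifname "$DMZ" accept
    # DMZ -> internet: only what the servers need (outgoing mail, DNS, updates)
    iifname "$DMZ" oifname "$WAN" tcp dport { 25, 80, 443 } accept
    iifname "$DMZ" oifname "$WAN" udp dport 53 accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN" tcp dport { 80, 443 } dnat to $WEB
    iifname "$WAN" tcp dport 25 dnat to $MAIL
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN" masquerade
  }
}
EOF
}

# Sanity check before loading: the DMZ->LAN drop must be present and no rule
# may accept DMZ->LAN traffic. Returns 0 when the generated policy passes.
check_dmz_isolation() {
  rules=$(gen_ruleset)
  echo "$rules" | grep -q "iifname \"$DMZ\" oifname \"$LAN\" drop" || return 1
  echo "$rules" | grep -q "iifname \"$DMZ\" oifname \"$LAN\".*accept" && return 1
  return 0
}

case "${1:-}" in
  --print) gen_ruleset ;;
  --apply) check_dmz_isolation && gen_ruleset | nft -f - ;;   # root required
esac
```

Because the `forward` chain accepts `established,related` first, a LAN host can still talk to the DMZ servers and get replies; what the explicit drop prevents is a compromised server initiating anything towards the family PCs. Keep the DMZ-to-internet list tight for the same reason: if the web server is broken into, those ports are all it can reach outward.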