Network Design Approach – First LAN Integration


Our company is going to move into a new office, so I'm trying to re-design the internal network (LAN).

TARGET: try to achieve a more reliable and secure network than what we have now.

CURRENTLY: in a couple of months the number of collaborators grew from 3 to 11, and of course also the number of devices connected to the LAN. I don't think the current, very basic design is suited to our situation anymore:

There is the ISP router+firewall connected to the switch, and all the end users connected to the switch via Ethernet. Plus there is a shared printer, a NAS for sharing files and a server for testing code.

Number of connected devices (in more detail):

  • 12 laptops (wired)
  • 9 smartphones (WiFi)
  • 3 iPads (WiFi)
  • 2 access points (wired to the router)
  • 1 shared printer (wired)

The following 2 devices, as user3799089 suggested, I plan to put in the DMZ portion behind the firewall:

  • 1 webserver
  • 1 NAS

I'm not an expert, but I've never seen a network design with that many devices connected to just one switch, and I'm thinking of adding a new layer of switches and dividing the network in the following way.

(image of the proposed layout not available)

In addition, I would connect the test server directly to the router and make it reachable from the outside world using NAT (we don't currently have a static IP). I would protect the server and the NAS behind a firewall (in addition to the one integrated in the router).

Currently our bandwidth is 40/4 Mbit/s, but I still don't know how much of it we use. In the first 2 weeks in the new office, the ISP will monitor our bandwidth usage and tell us if 40/4 is enough for us.

MY QUESTIONS:

  • Does adding a new layer of switches improve the reliability of the network in any way?
  • Does setting up a double firewall in front of the server and the NAS make them more secure? Is the firewall integrated in the router usually reliable?
  • Is NATting a dynamic address to make it reachable from the outside a bad practice for any security reason?

Best Answer

First of all, put your firewall between your ISP and edge router!

You have so few hosts that you are able to bind all hosts using at least two switches (which wouldn't be so expensive) connected to each other, so when one falls down the second one will continue passing frames to the router.

You can also use static DHCP leases to assign the same IP address to specified hosts in your network. No matter where they connect their device, they will receive the same IP address all the time.

Good security practice is to give your APs a different range of IP addresses and exclude them from the wired part of your LAN. You can also add VPN tunnels to your NAS and server, especially while using WiFi.
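To make the zoning advice in this answer and the question's DMZ/NAT plan concrete, here is an added example (not from the question, the answer, or any product) that models the office as four firewall zones: wired LAN, WiFi, DMZ (webserver and NAS) and WAN. The address ranges, the DMZ host address, the `wan0` interface name and the VPN port (OpenVPN's default 1194) are assumptions chosen for illustration. The policy is default-deny: WiFi clients can reach the NAS only through the VPN endpoint, a DMZ host cannot open connections back into the wired LAN, and the public web server is exposed only on TCP 443 via a port forward that matches on the WAN interface rather than on the (dynamic) public address. The `to_nft` helper renders each rule as nftables-style text so the policy can be compared against a real ruleset; it does not apply anything.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan; the posts give no addressing, so these are assumptions.
ZONES = {
    "lan":  ip_network("10.0.10.0/24"),  # wired laptops and the shared printer
    "wifi": ip_network("10.0.20.0/24"),  # access points, phones, tablets
    "dmz":  ip_network("10.0.30.0/24"),  # webserver and NAS behind the firewall
}
WEBSERVER = "10.0.30.10"   # assumed DMZ address of the published web server
WAN_IFACE = "wan0"         # assumed name of the ISP-facing interface


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local ranges is Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches every destination port


# Default-deny policy: only the flows listed here are forwarded.
POLICY = [
    Rule("lan", "wan"),               # wired desks browse freely
    Rule("wifi", "wan"),              # phones and tablets browse freely
    Rule("lan", "dmz", "tcp", 445),   # SMB file shares on the NAS
    Rule("lan", "dmz", "tcp", 22),    # admin shell to the test server
    Rule("wan", "dmz", "tcp", 443),   # the published web server (DNAT target)
    Rule("wifi", "dmz", "udp", 1194), # VPN endpoint only (assumed OpenVPN port)
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new connection between two hosts."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "accept"  # same zone: switched locally, never crosses the firewall
    for rule in POLICY:
        if (rule.src, rule.dst) != (src_zone, dst_zone):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return "accept"
    return "drop"  # nothing matched: default deny


def to_nft(rule: Rule) -> str:
    """Render one policy rule as an nftables-style forward-chain line (text only)."""
    parts = []
    if rule.src != "wan":
        parts.append(f"ip saddr {ZONES[rule.src]}")
    if rule.dst != "wan":
        parts.append(f"ip daddr {ZONES[rule.dst]}")
    if rule.proto != "any":
        if rule.dport is not None:
            parts.append(f"{rule.proto} dport {rule.dport}")
        else:
            parts.append(f"meta l4proto {rule.proto}")
    return " ".join(parts) + " accept"


def dnat_rule(public_port: int, target_ip: str) -> str:
    """Port-forward line for a dynamic public IP: match the WAN interface, not the address."""
    return f'iifname "{WAN_IFACE}" tcp dport {public_port} dnat to {target_ip}'


if __name__ == "__main__":
    # Constructed sample flows: wired desk, WiFi phone, DMZ host, Internet client.
    samples = [
        ("10.0.10.5", "10.0.30.20", "tcp", 445),    # laptop -> NAS share
        ("10.0.20.5", "10.0.30.20", "tcp", 445),    # phone  -> NAS share (blocked)
        ("10.0.20.5", "10.0.30.20", "udp", 1194),   # phone  -> NAS via VPN
        ("10.0.30.10", "10.0.10.5", "tcp", 445),    # DMZ    -> wired LAN (blocked)
        ("203.0.113.7", WEBSERVER, "tcp", 443),     # Internet -> web server
        ("203.0.113.7", WEBSERVER, "tcp", 22),      # Internet -> SSH (blocked)
    ]
    for flow in samples:
        print(f"{flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {evaluate(*flow)}")
    print("\nforward chain:")
    for rule in POLICY:
        print("  " + to_nft(rule))
    print("prerouting chain:\n  " + dnat_rule(443, WEBSERVER))
```

The point of the `evaluate` table is the pair of negative results: the same NAS port that a wired desk reaches is dropped for a WiFi client and for a DMZ host trying to come back in, which is exactly what keeping the access points in their own range buys you. If the real firewall disagrees with any of those rows, the segmentation is not actually doing what the diagram claims.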
