LAN Setup – Do I Need Routers in a LAN with 2-Firewall DMZ Solution?

Tags: dmz, firewall, local-area-network, router, windows-server-2008-r2

I have a LAN that will host an EXTRANET site with 5 servers, and 2 Exchange edge servers. The LAN will service an office in a 5 story building with about 100-200 users on each floor. Each floor will have its own set of switches in supply closets.

After the initial deployment, we expect the number of servers to grow. While examining some DMZ network maps, I noticed some of the models had just two firewalls. Others had a 2-firewall solution including routers in both the private network and the perimeter network.

What reason would a network want a router in the private network and inside the DMZ for the public facing servers? Does it provide any security benefit? I assume it would be a management benefit of some kind on a larger LAN. Another assumption I had on why a router would be in the DMZ would be if the server only had a single NIC, or if you had many servers that provided very distinct services and you wanted to logically divide them for management purposes?

Local area network containing DMZ and routers


Network with outside and inside DMZ networks. How do the local clients get to the internet?

Best Answer

This feels like a homework question, but I'll bite.

In summary:

LAN: 5 story building with about 100-200 users on each floor. Each floor will have its own set of switches in supply closets. 5 servers.
DMZ: 2 Exchange edge servers

Q: What reason would a network want a router in the private network?
A: Break apart the network for logistical management, say to partition to one subnet per floor.

Q: What reason would a network want a router inside the DMZ for the public facing servers?
A: Again, it would theoretically be useful for logistical management, but with only two DMZ devices it wouldn't provide a benefit.

Q: Do routers provide any security benefit?
A: Generally speaking, no. Many routers can be configured with basic firewall rules, but this isn't available on all devices, or even a good idea for most use cases. Oftentimes, if this is needed, a dedicated firewall instead of a router is a better choice.
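To make the answer's three points concrete, here is an added example (not code from the question or the answer) that models the two-firewall layout: one subnet per floor that a LAN-side router would route between, an outer firewall between the internet and the DMZ, and an inner firewall between the DMZ and the private LAN. All addresses, rule sets and port numbers are constructed for illustration (10.10.0.0/16 for the site, 192.0.2.0/24 for the DMZ, SMTP/25 and HTTPS/443 to the edge servers, 50636 for the internal-to-edge sync link); the `flow_allowed` check returns whether every firewall on the path permits a flow, and a flow that never crosses a firewall (floor to floor through the LAN router) is simply not filtered, which is the "no security benefit" point.

```python
"""Model of a two-firewall DMZ with per-floor LAN subnets (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed address plan: the private LAN, its server VLAN, and the DMZ.
SITE_BLOCK = ipaddress.ip_network("10.10.0.0/16")
SERVER_VLAN = ipaddress.ip_network("10.10.10.0/24")  # the 5 extranet servers
DMZ = ipaddress.ip_network("192.0.2.0/24")           # the 2 Exchange edge servers


def floor_subnets(block=SITE_BLOCK, floors=5, prefix=24):
    """One subnet per floor: the partition a LAN-side router would route between.
    A /24 gives 254 usable hosts, enough for 100-200 users per floor."""
    subnets = list(block.subnets(new_prefix=prefix))[:floors]
    return {floor + 1: subnet for floor, subnet in enumerate(subnets)}


FLOOR_SUBNETS = floor_subnets()


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset]  # None means any destination port
    allow: bool

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dports is None or dport in self.dports))


class Firewall:
    """First-match-wins rule list with an implicit final deny."""

    def __init__(self, name: str, rules: Iterable[Rule]):
        self.name = name
        self.rules = list(rules)

    def permits(self, src_ip, dst_ip, dport) -> bool:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                return rule.allow
        return False  # nothing matched: default deny


def allow(src, dst, ports=None) -> Rule:
    return Rule(ipaddress.ip_network(str(src)), ipaddress.ip_network(str(dst)),
                None if ports is None else frozenset(ports), True)


# Constructed policy. NAT is ignored: LAN sources are matched by their private address.
OUTER = Firewall("outer", [
    allow("0.0.0.0/0", DMZ, {25, 443}),         # inbound mail / OWA to the edge servers
    allow(DMZ, "0.0.0.0/0", {25}),              # edge servers relay outbound mail
    allow(SITE_BLOCK, "0.0.0.0/0", {80, 443}),  # LAN clients browsing the internet
])
INNER = Firewall("inner", [
    allow(DMZ, SERVER_VLAN, {25}),              # edge -> internal mail servers only
    allow(SERVER_VLAN, DMZ, {50636}),           # internal -> edge sync (constructed port)
    allow(SITE_BLOCK, "0.0.0.0/0", {80, 443}),  # LAN clients out through the DMZ
])

ZONE_ORDER = ["lan", "dmz", "internet"]
FIREWALLS_BETWEEN = {("lan", "dmz"): [INNER], ("dmz", "internet"): [OUTER]}


def zone(ip) -> str:
    if ip in DMZ:
        return "dmz"
    if ip in SITE_BLOCK:
        return "lan"
    return "internet"


def path_firewalls(src_zone: str, dst_zone: str):
    """Firewalls crossed between two zones; same zone means none (a router alone filters nothing)."""
    lo, hi = sorted((ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)))
    return [fw for k in range(lo, hi)
            for fw in FIREWALLS_BETWEEN[(ZONE_ORDER[k], ZONE_ORDER[k + 1])]]


def flow_allowed(src: str, dst: str, dport: int) -> bool:
    """True only if every firewall on the path permits the flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return all(fw.permits(src_ip, dst_ip, dport)
               for fw in path_firewalls(zone(src_ip), zone(dst_ip)))


if __name__ == "__main__":
    for floor, subnet in FLOOR_SUBNETS.items():
        print(f"floor {floor}: {subnet}")
    print("internet -> edge SMTP:", flow_allowed("198.51.100.7", "192.0.2.10", 25))
    print("edge -> floor 3 client SMB:", flow_allowed("192.0.2.10", "10.10.2.50", 445))
    print("floor 3 client -> internet HTTPS:", flow_allowed("10.10.2.50", "93.184.216.34", 443))
```

The last check answers the question under the second diagram: a LAN client reaches the internet only because both the inner and the outer firewall carry an explicit outbound rule for it; remove either rule and `flow_allowed` returns False. A compromised DMZ host, by contrast, can reach nothing on the floor subnets because the inner firewall's only DMZ-sourced rule points at the server VLAN.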
