Building from the ground up. What do I need?

SachaJ

Firstly, currently have IOLBB at home so I know a bit about broadband and even less about networks.

What I'm looking to do is set up a secure web server from home.

The machines I'm planning are webserver, email server, & database server/source safe machine. Guessing the machines will all be Windows Server 2003 or 2000 (all .NET stuff I'm doing). And I guess a separate network for my other machines (XP Pro).

From what little I know, I'll need the web & email servers in a DMZ, but I want the database server outside the DMZ for security. I reckon I'll have my development machines & database server inside the separate network (ie away from DMZ) but I'll want those machines to have access to the internet. DB server not so much so.

I reckon I'll need a DSL connection of about 1mb down and at least 256 up. Also need Static IP's, but how many? Will worry about the connection later - not sure will any of the current residential offerings work, not even after the "supposed" IOL announcements next week.

Need a decent firewall, router, broadband gateway(?) any recommendations?

Basically what I need help with is the design of the network, focussing security, and some ideas of the kind of hardware I need. Any ideas at all are gladly appreciated.

Oh yeah, and as usual, on a tight budget too.....! Thanks in advance for ANY help...

Moriarty

Moved to Nets/Comms.

tomk

I'd recommend IPCop, installed on an old PC with three network cards. This will give you a secure internal LAN, a DMZ, and an internet connection, and it's all configurable in as much detail as you want.

For example, I run mine on a P200 with 2GB disk and 64MB RAM, and that's including a fourth interface for wireless, running IPSec VPN, proxy, IDS, DHCP, caching DNS, NTP, and SSH, all controlled from an excellent browser GUI.

Gavin

What sort of service are you providing ? There is no need for sperate machines for all those servers, given the size of the pipe coming into the house. Unless you are doing some serious computation for each request that is.

I haven't used IPCop myself, but I've only heard good things about it. Perfect for a budget secure network that won't be utilising huge bandwidth.

Gav

SachaJ

mainly going to be a company website with some online ordering etc.

Nothing too drastic.

liamo

I'd agree with tomk's recommendation for IPCop.

As for Static IPs : You don't actually need any!

If you have a single static IP - great. You can forward traffic to port 80 (for example) on your firewall to port 80 on your webserver. You can do this for any number of ports: email, web, ssh, etc.

Even if you don't have a static IP, you can pay (about €10 per annum) for a Dynamic IP service which IPCop will update each time your IP changes. I've been using IPCop (and before that, SmoothWall - IPCop's starting point) and No-IP.com (my dynamic IP service provider) for the last few years and I've never had a single problem with either.

Regards,

Lim

ressem

Nag mode:
If you're running your own web server, then the bottleneck is your upload speed. (your upload speed is their download speed, remember)

Tight budget and you've ruled out hosted asp.net?
http://www.webworld.ie/windows/index.php

If you've an MSDN subscription there's no problem setting up such a setup using VMware or whatever MS' version is called to develop and test, but having 3+ machines running 24/7 from your home for business purposes seems daft. Especially the email server.

Assuming I'm in the wrong,

I'd also go with IpCop, but use a network card for each server, since you don't have a multiport firewall or even managed switch to restrict communication within the DMZ.

DB server goes in the DMZ, and does not get internet access. Ideally only DB traffic requests/response from the web server are allowed, but you might allow remote desktop connections/ssh in from a local access terminal.

Same for the other servers. Essential traffic only.