
Topology, Switch Recommendations for New Small Office


12 replies to this topic

#1 footsmell

  • Members
  • 2 posts

Posted 04 February 2014 - 05:01 PM

I'm in charge of the network at a new small office. I could use some advice for the most sensible topology, for security and cost, and what hardware to invest in.

I have an empty rack, ethernet cabling already run, and our managed router from our ISP, a SMCD3GN2. We're operating just fine at the moment with our laptops, but will need more eventually:

Guest wifi network (~20 clients peak)
Private wifi network (~15 clients)
10 desktop workstations
1 printer
3 process side computers (internet connected for remote support via VPN+VNC)
2 cash registers
6 security cameras.

Services: SMB, DVR for 6 FHD (1920x1080) IP cameras, warehouse management software

Here's my plan so far:

SMCD3GN2: Provide guest wifi network, Switch 1 and server plugged in
Switch 1: (Netgear JGS524?) 10 desktops, printer, AP for private wifi network
Server: (Dell Poweredge?) run SMB, backups, DVR, PBX (maybe), firewall for switch 2
Switch 2: (D-Link DSS-16+?) cash registers, security cameras, process side computers

I'd like to run free software as much as possible; that means CentOS, ZoneMinder for the cameras, etc.

1. Does it make sense to have the DVR run on the same physical machine as the other services? Does disk I/O with 6 FHD cameras get very high?

2. What switches do you recommend? I have never worked with VLANs... do I need them to properly separate the cash register, security camera, and process computer networks?

3. Will our SMCD3GN2 be up to the task, and what AP should I consider to run the private network?

4. Any criticism, constructive or otherwise?




#2 Greg62702

  • Banned
  • 717 posts
  • Gender:Male

Posted 04 February 2014 - 05:58 PM

First off, you do not want the guests using the same network as the office. Second, you do not want the POS to be accessible to the guests or to those on the workstation LAN.

You would need a modem, a router with a decent firewall, or a firewall behind the router. Then you throw into that mix managed switches that allow for VLANs, a RADIUS server, an AD server, a NAS, and access points for wireless that also allow for VLANs. After you get all of the hardware together, you need to pay someone that knows what they are doing to make sure everything works like it should, and that no one on the guest side can have access to the business side, and the business workers & guests cannot access the POS.

Then add in the costs of someone that will be on call 24/7 in case something happens, or something needs to be done after business hours.

Roughly you are talking a minimum of $20,000 for a decent setup, not including costs for maintenance and paying the person who will manage the system.

You can cut the costs down if you use Linux, but again you need someone that knows Linux and how to make it work interchangeably with Windows. As for using that SMC, yes it would work, but you do not want an all-in-one unit for controlling your network.

My network consists of the following equipment: Motorola/Arris SB6141 cable modem, TP-Link TL-R600VPN router, Netgear GS108 8 port switch, Trendnet TEG S50g 5 port switch, Lenovo ix2-4 NAS, Trendnet TEW-638apb access point, Trendnet TEW-690AP access point, EnGenius ECB350 access point with VLAN capabilities.

The only reason I am not using managed switches is because this is a home network, where I do not need to segregate devices at this time. If I did, yes, I would be using managed switches and a RADIUS server for controlling wifi access. Managing it is a full time job in itself.

Really, if you want it done correctly, you need to hire a consultant that knows what they are doing to come in and assess what you currently have by taking an inventory. Then have them design a system that will work for you. You may not like the price, but it is better than you buying stuff that you think you need when you do not need it, along with having equipment in standby in case something needs to be taken offline.

I always keep a switch in standby, in case I lose one. As for access points, the modem or router, I can have one next day if I need to have it right now.

If I am doing a big purchase, I will work with my adviser at CDW. Otherwise I get the majority of my stuff at newegg.com.



#3 JohnnyJammer

  • Members
  • 1,108 posts
  • Gender:Male
  • Location:QLD Australia

Posted 04 February 2014 - 07:06 PM

Personally I would just get a 48 port HP ProCurve switch and set VLANs; it wouldn't take more than 10 minutes to set up and you would be all set.



#4 CaveDweller2

  • Members
  • 2,629 posts
  • Gender:Male

Posted 04 February 2014 - 10:27 PM

First off, you do not want the guests using the same network as the office. Second, you do not want the POS to be accessible to the guests or to those on the workstation LAN.

You would need a modem, a router with a decent firewall, or a firewall behind the router. Then you throw into that mix managed switches that allow for VLANs, a RADIUS server, an AD server, a NAS, and access points for wireless that also allow for VLANs. After you get all of the hardware together, you need to pay someone that knows what they are doing to make sure everything works like it should, and that no one on the guest side can have access to the business side, and the business workers & guests cannot access the POS.

Then add in the costs of someone that will be on call 24/7 in case something happens, or something needs to be done after business hours.

Roughly you are talking a minimum of $20,000 for a decent setup, not including costs for maintenance and paying the person who will manage the system.

You can cut the costs down if you use Linux, but again you need someone that knows Linux and how to make it work interchangeably with Windows. As for using that SMC, yes it would work, but you do not want an all-in-one unit for controlling your network.

My network consists of the following equipment: Motorola/Arris SB6141 cable modem, TP-Link TL-R600VPN router, Netgear GS108 8 port switch, Trendnet TEG S50g 5 port switch, Lenovo ix2-4 NAS, Trendnet TEW-638apb access point, Trendnet TEW-690AP access point, EnGenius ECB350 access point with VLAN capabilities.

The only reason I am not using managed switches is because this is a home network, where I do not need to segregate devices at this time. If I did, yes, I would be using managed switches and a RADIUS server for controlling wifi access. Managing it is a full time job in itself.

Really, if you want it done correctly, you need to hire a consultant that knows what they are doing to come in and assess what you currently have by taking an inventory. Then have them design a system that will work for you. You may not like the price, but it is better than you buying stuff that you think you need when you do not need it, along with having equipment in standby in case something needs to be taken offline.

I always keep a switch in standby, in case I lose one. As for access points, the modem or router, I can have one next day if I need to have it right now.

If I am doing a big purchase, I will work with my adviser at CDW. Otherwise I get the majority of my stuff at newegg.com.

LMAO

Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#5 Greg62702

  • Banned
  • 717 posts
  • Gender:Male

Posted 04 February 2014 - 10:33 PM

Personally I would just get a 48 port HP ProCurve switch and set VLANs; it wouldn't take more than 10 minutes to set up and you would be all set.

You do not want one switch to run your infrastructure, especially in this kind of setup. As for 10 minutes, it takes longer than 10 minutes to set up a proper set of VLANs in the instance that the OP is describing.



#6 Greg62702

  • Banned
  • 717 posts
  • Gender:Male

Posted 04 February 2014 - 10:35 PM

 

Glad you find that funny. I am being serious in what I told the OP. As for my setup, it runs circles around whatever you call your network.



#7 JohnnyJammer

  • Members
  • 1,108 posts
  • Gender:Male
  • Location:QLD Australia

Posted 04 February 2014 - 10:53 PM

 

Personally I would just get a 48 port HP ProCurve switch and set VLANs; it wouldn't take more than 10 minutes to set up and you would be all set.

You do not want one switch to run your infrastructure, especially in this kind of setup. As for 10 minutes, it takes longer than 10 minutes to set up a proper set of VLANs in the instance that the OP is describing.

Actually, no, it doesn't take long at all. And also, as a network administrator, I have 2 (4 in total) of these switches (just in the main office; I manage 2 other offices with nearly the same) and it runs fine with approx. 40 workstations, 5 servers, 6 printers, ADSL proxy. The problem might be if he doesn't use optics.

The limitation of Cat5e speed would be the slow point/bottleneck. Seriously man, bandwidth isn't as bad as people claim it to be. Just because you have a 1 Gig eth0 card doesn't mean the HDD is going to write at that speed, mate. There will always be a bottleneck somewhere.

Anyway, I also use MikroTik routers to manage the VLANs and IP subnets. They are cheap and better than any Cisco routers you would get from the ISP, but that's my point of view.

VLANs work great, and just trunk using optics from one switch to another; this eliminates the MS broadcast packets.



#8 technonymous

  • Members
  • 2,468 posts
  • Gender:Male

Posted 05 February 2014 - 08:12 AM

Just the idea of POS, security cams, guests, VoIP, internal network, remote management all on the same switch hardware... yikes.



#9 footsmell

  • Topic Starter
  • Members
  • 2 posts

Posted 05 February 2014 - 12:39 PM

Thanks for the comments.

 

Our initial budget was going to be $10,000 but has been... tabled. I would convince my boss for each purchase. Maybe 3-4k for the switches and server. That's why I hesitate to dive in with separate devices for all the functions, and would keep the SMC router if it's usable.

 

Physical separation of networks is ideal... but, assuming correct configuration and no nasty switch exploits, isn't a VLAN just as secure?

 

One more thing. We have two static IPs. Let's say I use our provided modem, plug our SMC router in, then plug a wireless router into the SMC with the other static IP address set. I could use the additional router to serve as the guest wifi network, and they would be on their own subnet with a different internet-facing IP address. From what I understand, risks like ARP spoofing should be greatly mitigated... the guests would realistically have as much ability to launch an attack on the private network as they would from the internet. Does that sound right?



#10 Greg62702

  • Banned
  • 717 posts
  • Gender:Male

Posted 05 February 2014 - 02:03 PM

Yes, the guests can launch an attack from within the network. That is why you need to think like they do. Using a captive portal for guest wifi is one way to limit the time they are on, and who can use it. There are solutions for guest wifi where you can issue a credential to the user that is only valid for, say, a limited time period.

As for VLANs being secure, see:
http://features.techworld.com/security/238/are-private-vlans-really-secure/
Cisco VLAN white paper: http://cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
UC Davis site on VLANs: http://net21.ucdavis.edu/newvlan.htm
InfoSec Institute information on VLAN network segmentation: http://resources.infosecinstitute.com/vlan-network-chapter-5/

Just keep in mind that going cheap is not the best. Also you should look at a fallback connection, just in case your primary goes down. You will need a dual-WAN router for that. The SMCD3G that you have is an enterprise grade modem. There is stuff in the software, though, that if you dig deeper you will find gives that unit a lot of power in what you can control. The negative side is that when it is the ISP's equipment, they control what you can & cannot do with the unit, so you are stuck with letting them control it.

As for the budget on equipment, it sounds fair for what you are looking at. But do not let the business owner go cheap, or start stating that the costs are too high for the maintenance of the infrastructure.

Also, what are you using for backup in case of power loss, along with building lightning & surge protection?



#11 JohnnyJammer

  • Members
  • 1,108 posts
  • Gender:Male
  • Location:QLD Australia

Posted 05 February 2014 - 06:17 PM

Look, you can try and secure a network as much as possible, but if someone has the know-how then believe me, mate, they will gain access even if it takes them 6 months.

A decent hack attempt doesn't happen overnight and can generally take weeks to months to create an attack vector.

Yes, I run a lot more than what you describe on one or two HP ProCurve 48 port switches; it runs absolutely fine, but I also have many more security practices in place than just VLANs and a firewall.

One of the biggest threats these days is drive-by downloads that gain access through the web browser. So really, going gangbusters on network security won't do jack when dealing with that.

Also, the idea with VLANs is that they were/are never meant to be for security; switch port access is designed for that, by assigning MAC address tables. VLANs are designed to stop packet collisions and broadcast floods (MS-SEARCH 255). Anyone who has done a CCNA course will tell you the same thing. Personally, with the 2 IPs, I would be using a MikroTik router and bonding the ports to create a single point of access. I doubt anyone here has even dealt with MikroTik before because it isn't industry standard. You also won't get a decent setup for 10 grand; a decent server is around 7 grand and I would be buying something that can handle multiple virtual machines (with ESXi 5.*) because one server won't be enough to run all that you describe above. Always think 3-5 years ahead, and one server now will almost certainly mean 2 more in 3 or 4 years' time.


Edited by JohnnyJammer, 05 February 2014 - 06:17 PM.


#12 technonymous

  • Members
  • 2,468 posts
  • Gender:Male

Posted 05 February 2014 - 10:11 PM

Both of you have good points. I would ask what the clients are going to be doing: just browsing the net like an internet cafe, gaming, or what? Then I would get a dedicated dual-WAN/VPN/QoS router to help with load balancing. Then of course get a large core VLAN switch, something like a Cisco sg200-g, so it has a strong backplane. Get it set up with a primary VLAN to the router. Set up a second VLAN for the community network clients/servers. Create a third VLAN for the private office network servers etc. Create a third isolated VLAN for the VoIP, cams, POS, management and a SonicWall in front of the POS. Create a fourth isolated VLAN where the public/private wifi Open-Mesh will be. Throw in another switch and PoE injector for the APs.

Lock everything down in a locked closet and be sure to isolate APs so they are less visible, hidden out of reach and mounted high. Get a professional wire installation done to keep wires and Cat5/6 jacks isolated so no rogue APs or someone can jack themselves in and bypass a server. Typically they are run through the ceilings/floors/walls and through strong protected conduits, all heading to a central closet or room that is locked down. Security is at the top of the list. With Open-Mesh you can isolate wifi with multi-SSID, so you could change the topology around a bit and have both private/public on the same multi-SSID router. All it takes is one config mistake/patch/vulnerability of some kind and your network is PWND. Again, like others have said, get a 'network consultant' to come in and sit down and draw up a plan that works within your budget, lab it out virtually, and do research on the hardware (important): Are there firmware issues you should be aware of? Is the wifi router I am buying WPS vulnerable? Obviously you wouldn't want any of that junk and would want a business class rack router with all the bells and whistles, but you would be surprised how many vulnerable consumer routers are out there that are being used in a business. Right here in my area there is a hotel that was using WEP. Moreover, does the core switch have a strong enough backplane to handle my needs? After the network is actually built, then from there do a security audit. Hire someone to keep it going. :busy:


Edited by technonymous, 05 February 2014 - 10:57 PM.
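As an added example (not code from any poster in this thread), a small model of the segmentation discussed above: it encodes the isolation requirements from post #2 (guests must not reach the office LAN; neither guests nor office workstations may reach the POS) and checks a candidate inter-VLAN access policy, such as the multi-VLAN design sketched in post #12, against them. Segment names and rules are constructed placeholders, and the check assumes inter-VLAN traffic passes a first-match ACL with a default action.

```python
"""Check an inter-VLAN access policy against the isolation this thread asks for.
Segment names and rules are constructed placeholders, not a real config."""
from dataclasses import dataclass

SEGMENTS = ("internet", "guest_wifi", "office", "pos", "cams", "process", "management")

# (source, destination) pairs that must never be reachable: guests -> office LAN,
# guests/office -> POS, plus cameras and the vendor-supported process machines
# kept away from guests, and the POS unreachable from the internet side.
FORBIDDEN = {
    ("guest_wifi", "office"),
    ("guest_wifi", "pos"),
    ("office", "pos"),
    ("guest_wifi", "cams"),
    ("guest_wifi", "process"),
    ("internet", "pos"),
}


@dataclass(frozen=True)
class Rule:
    src: str      # segment name or "any"
    dst: str      # segment name or "any"
    permit: bool


def decide(rules, src, dst, default_permit):
    """First-match evaluation, as a router or L3-switch ACL does."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.permit
    return default_permit


def violations(rules, default_permit):
    """Forbidden pairs the policy still lets through (sorted for stable output)."""
    return sorted(p for p in FORBIDDEN if decide(rules, p[0], p[1], default_permit))


def permitted(rules, default_permit):
    """Every inter-segment flow the policy allows, for review."""
    return {(s, d) for s in SEGMENTS for d in SEGMENTS
            if s != d and decide(rules, s, d, default_permit)}


# Weak policy: inter-VLAN routing left on (default permit) with a single deny.
WEAK = [Rule("guest_wifi", "office", False)]

# Hardened policy: default deny, then only the flows the office actually needs.
HARDENED = [
    Rule("management", "any", True),      # admin segment reaches everything
    Rule("office", "internet", True),
    Rule("guest_wifi", "internet", True),
    Rule("process", "internet", True),    # vendor remote support over VPN
    Rule("office", "cams", True),         # DVR on the office side pulls the streams
]

if __name__ == "__main__":
    print("weak policy leaks:", violations(WEAK, True))
    print("hardened policy leaks:", violations(HARDENED, False))
```

The weak policy shows why a single deny rule is not segmentation: everything the thread wants isolated is still reachable until the default becomes deny.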


#13 technonymous

  • Members
  • 2,468 posts
  • Gender:Male

Posted 08 February 2014 - 08:08 PM

Oops, typo above: third, fourth, fifth VLAN. You get the idea. :) Oh, and I should add that you also want to get a good rackmount power supply for everything and probably an uninterruptible power supply battery backup for critical systems if needed. You can even add in a generator. You can get as elaborate with it as you want. Again, this probably isn't in your case, and it depends on the network and how critical it is. In something like a hospital environment everything is automatic with a relay system and the diesel engine generators fire up to provide all the power they need. Also, a PowerEdge server probably costs 2k.


Edited by technonymous, 08 February 2014 - 09:55 PM.

