Kyrle Nelson: Projects, Network Overkill
Since my network contains this website, an internet-accessible file server, and my email server, I will not be able to fully detail all of the facts of this network project for security reasons (the more a 'hacker' knows about a network, the easier it is to access). That being said, I can generalize and provide some details so you can at least understand the basics. As the title implies, my network is far beyond what I (or any home user, for that matter) need. Realistically, I could have set everything up with less than half of the equipment and almost none of the advanced setup, but I'm not doing this because I need to. I simply wanted to.
Physically, my network consists of a well-known name-brand hardware firewall, a high-end standard home router (configured as an access point), three hardware servers, three clients, and a microcell. The three hardware servers run: two inter-linked file servers, a media server, a web server, an email server with webmail access, an FTP server, an SQL server, a DNS server, an Active Directory server, and a domain controller. The clients are pretty simple: a desktop computer acting as a home theater PC, a gaming laptop, and an old laptop that controls my lab.
As for the software and configuration side, well, that's getting into a bit too much detail, but again, I can generalize. Of the servers, only one is running a full-fledged server operating system. The rest, as well as all of the clients, are running regular user-type operating systems. The hardware firewall is set up to be as restrictive as possible and still allow the access I need. EVERYTHING gets blocked unless I specifically set the traffic to be allowed. It's a bit more restrictive than I need, especially on the outgoing side, but I see that as an extra security feature. If somehow someone does 'break in' to my network or bypass my inbound security, the restrictions on the outbound side help prevent the breach from communicating outside my network unless the traffic happens to be on a port I have previously opened for my own uses. The only downside is that whenever I install new software or equipment that needs a port not currently open, I have to access the firewall and make changes. It's a price I happily pay for the little bit of extra security.
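As an added illustration (this is not the author's configuration, which the page deliberately does not publish, and the page's firewall is a hardware appliance rather than nftables), here is what the policy described above looks like written out in nftables syntax: default drop in every direction, explicit inbound allows only to the published services, explicit outbound allows only for what the LAN is known to need, and a log rule in front of the egress drop so that a compromised host trying to call home on an unopened port leaves a trace. Interface names, addresses, hostnames and the chosen port list are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the page author's configuration.
# Interfaces, addresses and the opened-port list below are assumptions.
flush ruleset

define WAN      = eth0
define LAN      = eth1
define LAN_NET  = 192.168.1.0/24
define WEB_SRV  = 192.168.1.10   # assumed address of the web server
define MAIL_SRV = 192.168.1.11   # assumed address of the email server

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: dropped unless listed.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iif $LAN ip saddr $LAN_NET tcp dport 22 accept      # admin only from inside
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        # Traffic crossing the firewall: dropped unless listed.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Inbound: only the published services, only to the host that runs them.
        iif $WAN oif $LAN ip daddr $WEB_SRV  tcp dport { 80, 443 }      accept
        iif $WAN oif $LAN ip daddr $MAIL_SRV tcp dport { 25, 587, 993 } accept

        # Outbound: only what the LAN is known to need.
        iif $LAN oif $WAN ip saddr $LAN_NET  udp dport { 53, 123 }      accept
        iif $LAN oif $WAN ip saddr $LAN_NET  tcp dport { 80, 443 }      accept
        iif $LAN oif $WAN ip saddr $MAIL_SRV tcp dport 25               accept  # mail server delivers mail

        # Anything else leaving the LAN is logged before the chain policy drops it,
        # so a host calling home on an unopened port shows up in the log.
        iif $LAN oif $WAN log prefix "egress-drop: " counter drop
    }

    chain output {
        # The firewall's own outbound traffic: also default deny.
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oif $WAN udp dport { 53, 123 } accept               # resolver and time for the firewall itself
    }
}
```

Adding a service later means adding one line to the matching chain, which is the maintenance cost the text describes. One caveat worth spelling out: outbound 80/443 is open for ordinary browsing, and that is exactly where most malware tunnels its traffic, so port-based egress filtering raises the bar rather than closing the door; the log line is what turns a blocked connection on any other port into a detection signal rather than a silent drop.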
Currently, the network is completely set up, secure, and working; however, that does not mean it is finished. The next steps involve integration. I plan to integrate as much authentication as possible into Active Directory. After that, I am sure I'll find something else to tweak...