Recommendation for network setup.

Dug

Diamond Member
Jun 6, 2000
3,469
6
81
Here's the setup and what we have.
There are 3 of us all finishing up our MCSE training at school. So we have some knowledge, but still very limited.

We are setting up a network for veterans so they have access to the Internet, fax, training videos, resume makers, etc.
Most of the equipment has been donated and consists of 15 computers running Win2k.

We have 2 fairly fast computers to do with as we want and a copy of Win2k server.
We have a cable connection and a Sonicwall firewall.

We don't really need 2kserver, but would like to implement it for ease of administration by creating group policies.
(There will be a lot of people in and out to use the computers)

Although there is nothing critical on our network we would like to lock it down as tight as possible so we are not running around putting out fires.

Any advice is appreciated. Especially initial setup and any tips or tricks anyone might think of, including physical setup.

We still haven't decided how to use the two computers we have. (i.e., one for Win2k server, one for a Linux firewall or proxy perhaps.)
Or maybe something like Tiny Personal Firewall. Our cable connection is on the same node as the College, so I'm sure we'll have an abundance of attacks.



 

bignick

Senior member
Apr 30, 2001
235
0
0
well if you are going to use windows 2000 with active directory, i would have more than one domain controller.

you say you have a sonicwall firewall device, so why would you use linux for firewalling?

you said your internet connection is on the same node as the school's internet. do you mean that you are connecting to the school's network, then using the school's internet connection, or do you have a completely separate connection to the internet? the reason i'm asking about the internet connection is that with windows 2000 server and active directory you could authenticate your users from the user database that the school maintains (if they have one). for instance, if every user at the school gets an e-mail/dialup account, you could authenticate against that. this way you don't have to maintain a separate user database. also users only have to know one username/password, instead of several. it's a win-win solution.

i would only use a proxy if you think you'll really need to cache content. the sonic firewall should allow you to set priority based on traffic. like give a priority of 1 to e-mail & web, and give a priority of 3 to ftp, napster, morpheus, etc. This way those who are doing the normal internet type stuff (e-mail, web) will not suffer because some users are downloading all sorts of mp3s or movies.

for the physical network, make sure to have everything certified to cat5/cat5e spec when it's installed. only use high quality patch cables, don't make your own, buy them, it's worth it in the long run.

hope this helps.
 

Dug

Maybe I phrased that wrong. We have our own connection separate from the school. But the cable connections are shared. Meaning one line out to an area and then branched off.

We'll have a separate user account than the school. A lot of the people utilizing the facility won't be school students, just vets.

The reason I mentioned another firewall or proxy is for more protection than what the sonic wall will provide. But I'm not sure if it's necessary, or if it will really help.

The clients are already hooked up and have been tested to work.
We will set up a policy so no one can download anything.

It's just a matter of setting up the server so it and the clients are protected.
 

watts3000

Senior member
Aug 8, 2001
619
0
0
I would simply use the sonic wall for my firewall. I would then use a proxy, something like ISA; this will allow you to perform quality of service tasks. Basically, like bignick said, give high priority to someone doing normal stuff vs someone downloading video and mp3s. I then would set up a domain controller and create my user accounts and go from there. One domain controller should have no problem authenticating 15 users. Then again you might want to also think about a hardware RAID setup using mirroring to protect the domain controller. Or simply set up a backup domain controller.
 

Dug

Do you think it's better just to have a software firewall residing on the server, like TPF or Zonealarm, and skip the proxy altogether?

Or if we do use some sort of proxy software, where should that reside? On the server or on a separate machine?
 

nihil

Golden Member
Feb 13, 2002
1,479
0
0


<< Do you think it's better just to have a software firewall residing on the server, like TPF or Zonealarm, and skip the proxy altogether?

Or if we do use some sort of proxy software, where should that reside? On the server or on a separate machine?
>>



heheh....you're the MCSE, right? why don't you tell us how to build the network?
 

Dug



<< heheh....you're the MCSE, right? why don't you tell us how to build the network? >>


No I'm not an MCSE. We have just taken the core classes.
Which basically only gives an overview of what the software can do-
It does not tell you what is best in any given circumstance.
And of course there is no mention of using third party software.

Yes we have no problem setting this up and making this work. But we are looking for advice so we are more secure. Plus we are not going to be there for that long. And the people that will run it after we're gone, probably will have as much or less experience than we do. This is mostly all voluntary work, that's why. We don't want to leave a network open for attack for the next guy, who probably won't know how to rebuild the system if it does get shut down.

But thanks for your input anyway nihil.
 

nihil



<<

<< heheh....you're the MCSE, right? why don't you tell us how to build the network? >>


No I'm not an MCSE. We have just taken the core classes.
Which basically only gives an overview of what the software can do-
It does not tell you what is best in any given circumstance.
And of course there is no mention of using third party software.

Yes we have no problem setting this up and making this work. But we are looking for advice so we are more secure. Plus we are not going to be there for that long. And the people that will run it after we're gone, probably will have as much or less experience than we do. This is mostly all voluntary work, that's why. We don't want to leave a network open for attack for the next guy, who probably won't know how to rebuild the system if it does get shut down.

But thanks for your input anyway nihil.
>>



yeah, i'm just being sarcastic. don't mind me. ;)