Secure Network Topology help needed
Hi, I'm looking to implement a new Windows network next year and I'm looking for some ideas on the topology. Here is a list of equipment being used: Router, Security Gateway, Web Server, Database Server, Exchange Server, Storage Server, Application Server, AD Server, DNS + DHCP Server, Switches, Client Desktops. What would be the most secure and best possible setup? Sorry for being so vague, but I'm only looking for some basic insight for now just to get a feel. Our current network is simple and doesn't have any incoming connections, so this is new to me and security is obviously a major factor. Thanks in advance, Chris.
December 16th, 2010 8:19am

The security comes from what you actually do with the Application products,...not from the topology. The primary element in the topology will be to have or not have a DMZ. But having a DMZ does not make you secure,...and not having one does not mean you are insecure. I have gone my entire career with no DMZ and have never had any "security problems",...ever. I have no current plans to ever run a DMZ. Your security issues are going to come from social engineering, where your users give someone their credentials (knowingly or unknowingly) and then the intruder just logs in like any other user. The next weak area is going to be the Applications that you run, where the Application either doesn't have proper security designed into it or you weaken it by not using it properly,...thereby allowing access to the data. In both of those cases the Topology means nothing. You also have to worry about data just being carried out of the building with Laptops, Smart Phones, USB Drives,...or just plain being E-mailed out to someone. In all of these,...Topology means nothing. You have to ask yourself which data on your system is important to the company, and if you were not working for the company, what would be the most logical and direct way to get the data you wanted. It is not going to be by "kicking down the front door" of the firewall,...that is just Hollywood movies. Hollywood movies have done more to destroy any proper concept of what security is and how it works than anything on the planet,...and then security articles on the Internet have been almost as bad. These links below may help a bit with understanding what you are really dealing with. I was particularly interested in the "De-perimeterization" article. But anyway, there is a bunch of material all in the same "Tree" when you go to those locations.

The "De-perimeterization" of Networks: http://technet.microsoft.com/en-us/library/cc512604.aspx
Security Myths Part 1: http://technet.microsoft.com/en-us/library/cc512582.aspx
Security Myths Part 2: http://technet.microsoft.com/en-us/library/cc512607.aspx

Phil
December 16th, 2010 9:49am

You said: "Our current network is simple and doesn't have any incoming connections so this is new to me and security is obviously a major factor." You may not realize it, but that actually helps make you secure. The more complex the network,...the more opportunity for security flaws. Comparing that to a building,...it is much easier to break into a building with doors, windows, sky-lights, ventilation systems, etc.,...than it is to break into a simple, solidly built tool shed with no windows and only one door.
December 16th, 2010 9:54am

I don't know if these would be helpful or not. But here are some simple generic diagrams showing Topology designs. Note: These are pre-drawn generic diagrams,...they were not drawn specifically for your situation.

1. With no DMZ.
[Diagram: topology with no DMZ]

2. With a Back-to-Back DMZ.
[Diagram: back-to-back DMZ]

3. With a Tri-Homed DMZ. On this one the "New Segment" shown is the DMZ,...just delete the Router and the Cloud from the drawing and put a Switch in place of that Router. Now whatever plugs into that Switch is "in the DMZ".
[Diagram: tri-homed DMZ]

4. Lastly, here is one with dual Firewalls but no DMZ. This is useful when some complex application won't work with certain high-end "picky" firewalls,...it allows some machines to use a different firewall to keep the Applications happy.
[Diagram: dual firewalls, no DMZ]
December 16th, 2010 12:53pm
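The tri-homed DMZ in the reply above is, at the firewall, just a zone-to-zone policy: Internet, DMZ and LAN are three interfaces, and what makes the design secure or not is which flows the firewall admits between them. The following is an added example, not code from the thread or from any Microsoft material: a small Python model of such a policy, using the original poster's equipment list (web server in the DMZ, database and AD on the LAN). All addresses, ports and host placements are constructed placeholders. It also includes an invariant check that flags rules a reviewer would want to question, such as any allow from the Internet straight into the LAN, or a DMZ-to-LAN allow not pinned to a single source host.

```python
"""Zone-based policy model for a tri-homed DMZ firewall (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan: documentation/RFC1918 ranges, not a real network.
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],    # web server, mail relay
    "lan": [ip_network("10.10.0.0/16")],    # database, AD, DNS/DHCP, desktops
}
WEB_SERVER = "192.0.2.10"   # hypothetical DMZ host allowed to reach the database


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside dmz/lan is the Internet."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in n for n in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]         # None means any port
    src_host: Optional[str] = None  # None means any host in src_zone
    action: str = "allow"


# First match wins; anything unmatched is denied (default deny).
POLICY: List[Rule] = [
    Rule("internet", "dmz", 443),                       # public web
    Rule("internet", "dmz", 80),
    Rule("internet", "dmz", 25),                        # inbound SMTP to relay
    Rule("dmz", "lan", 1433, src_host=WEB_SERVER),      # web -> database only
    Rule("lan", "dmz", None),                           # admins manage DMZ hosts
    Rule("lan", "internet", None),                      # outbound browsing/updates
]


def evaluate(src: str, dst: str, port: int, policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for a flow crossing the firewall."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        # Same segment: traffic never transits the firewall, so it is not mediated.
        return "allow"
    for r in policy:
        if (r.src_zone == sz and r.dst_zone == dz
                and (r.dst_port is None or r.dst_port == port)
                and (r.src_host is None or r.src_host == src)):
            return r.action
    return "deny"


def policy_findings(policy: List[Rule]) -> List[str]:
    """Flag rules that undermine the point of having a DMZ."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src_zone == "internet" and r.dst_zone == "lan":
            findings.append(f"Internet reaches LAN directly: {r}")
        if r.src_zone == "internet" and r.dst_port is None:
            findings.append(f"Inbound allow with no port restriction: {r}")
        if r.src_zone == "dmz" and r.dst_zone == "lan" and r.src_host is None:
            findings.append(f"Any DMZ host may reach LAN (pin to one source): {r}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: a visitor hitting the web server, the web server
    # querying the database, and another DMZ host trying the same query.
    for src, dst, port in [("203.0.113.5", WEB_SERVER, 443),
                           ("203.0.113.5", "10.10.1.20", 445),
                           (WEB_SERVER, "10.10.1.20", 1433),
                           ("192.0.2.11", "10.10.1.20", 1433)]:
        print(src, "->", dst, port, evaluate(src, dst, port))
    print("findings:", policy_findings(POLICY))
```

The model deliberately pins the only DMZ-to-LAN allow to the web server's address: if some other DMZ host is compromised, it still cannot reach the database, which is the segmentation benefit the diagram is meant to buy. Running `policy_findings` against a proposed rule set is a quick way to catch the "allow any from DMZ to LAN" shortcut that turns a tri-homed DMZ back into the no-DMZ design.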
