I joined a new company (a medium-sized film post production house) back in April and I've steadily taken more and more responsibility for the company IT as I've realised how badly things are set up.
Main points:
- 10/10 Mbps leased line (BTNET) fibre to the exchange.
- We own the WAN IP range x.x.x.160 to x.x.x.167
- 2 Aspera Digidelivery servers: one for TX, one for RX (don't ask, not my choice)
- 1 Smartjog server (TX only, RX via DVB satellite on roof)
- 1 FTP server (for trivial files)
- A whole load of edit-suite and theatre Apple Macs and admin PCs.
This is the current network layout, which was cobbled together by the previous technical manager (albeit with a new gigabit switch):

The 'DMZ' is in quotes because it's off a 'DMZ' port on the Draytek, which AFAIK just means all ports are forwarded and the firewall is non-operational. The Draytek also only has 100BaseTX ports, so Private to DMZ transfers are slow.
For some reason only one of the Aspera servers is on the 'DMZ' and only that one has a dedicated IP in our IP range.
My knowledge of network planning is pretty poor, but this is the structure I've come up with:

Couple of questions:
- Some of the private LAN machines (Macs in the edit suites and theatres) need to access the FTP, Aspera and Smartjog servers to send and receive files to/from clients. Would this constant access of DMZ machines by private IPs defeat the point of having a DMZ?
- I'm planning to set up a company DNS server as recommended in the last thread I posted on here; where in my new layout above would that be situated? DMZ with port 53 open on the firewall?
- What's the best way of implementing the DMZ->LAN firewall? (Bearing in mind it needs to have gigabit throughput). Dedicated gigabit appliances are very expensive, but an old server on ebay with 2xGbE ports seems overkill. Which leads me to:
- Is it possible to provide the DMZ->LAN firewall _and_ a DNS server on the same server? (To save space, heat, energy and money)
Phew, that was the longest thread I've written so far. Apologies for the enthusiasm - I'm just getting into this proper networking lark and it's actually quite good fun.

All suggestions welcome and encouraged!
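One concrete way to express the three-zone policy the questions above are circling (LAN may open the transfer services in the DMZ, the DMZ may never initiate anything into the LAN, and the firewall box itself hosts the resolver), written as an added nftables ruleset that is not from the original thread. The addresses, interface names, the Aspera port, the FTP passive range and the Smartjog port are all assumptions or labelled placeholders, not the company's real values.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): three-zone policy for the proposed layout.
# Addresses and interface names below are assumptions, not the company's real ones.
define WAN_IF  = eth0
define LAN_IF  = eth1
define DMZ_IF  = eth2
define LAN_NET = 192.168.10.0/24
define DMZ_NET = 192.168.20.0/24
define ASPERA   = { 192.168.20.11, 192.168.20.12 }   # TX and RX boxes
define SMARTJOG = 192.168.20.13
define FTP_SRV  = 192.168.20.14
define ASPERA_PORT   = 33001         # assumed fasp port; confirm on the servers
define FTP_PASV      = 50000-50100   # assumed passive range set on the FTP server
define SMARTJOG_PORT = 1234          # PLACEHOLDER: use the vendor-documented port

flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname lo accept
    # Firewall box doubles as the DNS resolver (question 4): DNS from both zones only.
    iifname { $LAN_IF, $DMZ_IF } meta l4proto { tcp, udp } th dport 53 accept
    iifname $LAN_IF tcp dport 22 accept      # admin SSH from the private LAN only
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Stateful core: replies to flows the LAN opened pass back without any DMZ->LAN
    # ports, so the suites using the DMZ servers does not defeat the DMZ (question 1).
    ct state established,related accept
    ct state invalid drop
    # LAN -> DMZ: only the transfer services the edit suites and theatres need.
    iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET ip daddr $ASPERA meta l4proto { tcp, udp } th dport $ASPERA_PORT accept
    iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET ip daddr $FTP_SRV tcp dport { 21, $FTP_PASV } accept
    iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET ip daddr $SMARTJOG tcp dport $SMARTJOG_PORT accept
    # WAN -> DMZ: public transfer services only; the old "all ports forwarded" DMZ goes away.
    iifname $WAN_IF oifname $DMZ_IF ip daddr $ASPERA meta l4proto { tcp, udp } th dport $ASPERA_PORT accept
    iifname $WAN_IF oifname $DMZ_IF ip daddr $FTP_SRV tcp dport { 21, $FTP_PASV } accept
    # DMZ -> WAN: outbound deliveries (Aspera/Smartjog TX) and the DMZ hosts' own updates.
    iifname $DMZ_IF oifname $WAN_IF ip saddr $DMZ_NET accept
    # DMZ -> LAN: nothing initiated from the DMZ may reach the private LAN; log it for detection.
    iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan-blocked: " drop
    # LAN -> WAN: ordinary client traffic.
    iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
  }
}
```

Load it with `nft -f` on a Linux box with three NICs; if the FTP server cannot use a fixed passive range, load the `nf_conntrack_ftp` helper instead of the assumed range so passive data connections are tracked as related.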