I will be networking all the computers in my house when they are finished (still building them) and I would like to get some learned opinions on this layout. First the computers and their purposes

1. Internet access point computer. This is the box I am typing on right now. It's purpose is to surf the net, handle any iffy downloads and play some low speed games. It has nothing on it I care about so I am willing to put it at the head of the network facing the big bad internet. I have already had a spyware incident that caused my to do a clean install of windows and that is ok, that's this boxes task.

2. Wife's computer. This is for her general purpose uses, she will do everything on it; work stuff, media storage and net surfing. Obviously I want this one protected from threats, it's going to be hard enough to secure it once, it runs windows 2000 in Japanese and I don't read that stuff. The fact that she wants to surf the net on this box concerns me but she needs to. It will have the same security suite as the net computer; antirus , anti spyware and firewall.

3. Media server. This is currently under construction but when complete will archive every DVD, CD and hour of recorded TV I own. Protecting this box from hacks and viruses is paramount and my entire network is being built to share and protect the data on this machine. I do not want it connected to the net for anything other than software updates, the rest of it's life will be spent in my LAN behind dogs and barbed wire.

4. Garage computer. This computer will serve as a storage machine for data downloaded from my laptop during car tuning sessions and streaming music and movies from the media server. Again it will access the internet only to do software updates. Only this computer will be able to access the server, the other two computers in my network will have no reason to access it. Being as it will be intimately connected to the server I want this one as beefed up as the big money box lest it serve as a back-door into my server.

My plans include purchasing two firewall routers. Here is where my head is at, please let me know if I am on the right track or if someone has a more secure design. The prize is the server, the Garage box is next in order of importance then the wife's computer and finally the net computer.


I would like to put a firewall router at the door and hide the net box behind it. I would like to route the wife's box and my inner network through the net box.

question, can I install two LAN cards in the net box for clients, one for the wife's computer and one for the inner network?

I ask because I would like to place another firewall router behind the net box and then a hub. To the hub I would like to connect the media server and garage box. My intention is to have the two operate on this inner network hidden behind three firewalls (I also have a software firewall on the net box) I know I seem paranoid because I am!

question, do I gain any security by putting a hub behind the firewall router or is it basically the same as using the router as the firewall and the hub?

I am new to this stuff but on paper it looks doable and pretty armored. thoughts?

If you get something like that running please share how.

I personally have never seen a network like that, each computer (if connected to the network) shares the same vaulnerability as the next one. There is no specefic order in the network. You might be able to have two networks running, one for internet access and the other for your network. The computers you dont want to have access to the net then turn that network off, and leave the other one. And vise verses for your network.

I suggest having two different networks but, if one of your computers gets hit with a virus then when you switch networks it will just spread to the rest of the computers. If you really want your media rig to be secure run linux. That is your best bet.

But again I'm not a network expert I have just run my fair share of networks. Again if there is a way to do this I would love to know, I personally dont know how to.

I am going to try Suse Linux pro 9.2, if I like it I will run it on the two computers on the inner network along with different software solutions for antivirus and firewall than the computers on the outer network which will run Microsoft and another vendors security suites. My reasoning being if a hacker manages to penetrate my first router, then my software firewall on my first box he would be presented with another router to crack before being confronted with an inner network running a completely different set of security and OS solutions. I ain't the sharpest knife in the drawer but unless I got the NSA coming to get me I am pretty confident the chump will trip an alarm and I will notice something is up.

The first computer is to operate as my internet host with all connections routing through it. I have seen people do this in place of a router. I will have a firewall router too but it will be connected to this host computer.

I had a Korean IP banging on my firewall while I was writing this, between them and China 90% of my worries come from there and I want them bastards to stay out.

I wouldn't make it all so complicated.

WIth a tried and true router that has a built-in hardware firewall, everything can and should be connected to it.
All you have to do is setup rules for certain programs other than the basics so they can access the internet.
Setup a personal firewall on the important computers if you are really worried, but I think even that is overkill.

As for the firewall alerts you've been getting, I wouldn't worry. Script kiddies and nub exploiters at best.

Internet-> Modem-> Router/Firewall-> All of the computers.

yeah I know, it just annoys me. I expect it to be all quite on the western ethernet port when I get the firewall router in front of my box. I am known for overkill, it's my signature. I had six point roll cage, Skyline GT-R brakes and a huge oil cooler on a 150HP silvia, silly some would say but not anyone who has ever ridden with me.
The one time my defenses failed it was from within, the wetware, I opened an infected file and it wiped my firewall block list out screwed up my registry and tried to broadcast. Firewall caught it on the way out and alerted me. I just enjoy putting a $100.00 lock on a box with $10.00 in it.

I did a diagram in an early version of Notepad

Attached Thumbnails

 

u dont need the second router that leads to garage and media pc... and switches are better then hubs

Quote: Originally Posted by CLowN u dont need the second router that leads to garage and media pc... and switches are better then hubs

It's right on the border of the inner network.
Is the use of the hub or switch after the inner router any better than just hooking the two inner network computers directly to the inner network router in you opinion?

It depends on the physical layout of your house and the plans for growth. If you don't plan on adding any pc's any time soon I would just plug everything into the same router/switch. Also, looking at that picture again, if you plan on going router firewall pc you would need a switch that would go after the firewall pc, so you can connect stuff to it, unless you plan on puttting a few network cards in it.

Personally I would put a switch in the garadge just incase i ever need to plug in another pc or a laptop or something, so you dont have to run a cable from the switch/router/network card after the firewall pc/ in firewall pc.

I was just going to put a pair of lan cards in the firewall computer, I have three empty PCI slots and the computer is using on-board ethernet for it's own connection.
The network could possibly expand to include a work computer for me.