This article describes the design and implementation of a small network with a split private/DMZ design that allows a high level of protection for its users while making some services available to the outside world. The design is easy to implement and administer, even for beginners, and can serve as a foundation for custom security installations.

Our goal is to achieve maximum protection from attacks originating from outside of our network (insider attacks are a separate subject that I may get to in a separate article). At the same time, we do not want to spend a lot of money, which limits our options to open source or free software. This is not as bad as it sounds, because all major free operating systems include high-quality network security software that can meet the requirements of an enterprise client, let alone those of a small business or school network. Many of these free solutions are also incorporated into commercial products.

To keep things simple, I will assume that the network we are building will have just one connection to the Internet and that it will only have about a dozen or so internal users. Of course, you can always scale it up or down as you please, keeping in mind that you may need to use faster hardware, split the network into many smaller subnets to avoid bottlenecks, or even add more connection points to the outside world.