One of the key concepts of TCP/IP networks is subnetting. In this video, you’ll learn why we subnet our networks and you’ll see a network design that incorporates separate IP subnets.
When you’re looking at the network design purely from a networking perspective, you’re trying to fit as many hosts as you can on a subnet, choose the right subnet mask, and keep the routing tables in your routers manageable.
But from a security perspective, you really want to limit access to resources in the network to only the people who need access to those resources, or you need to make sure that a particular section of the network is more secure than another section of the network.
That’s a perfectly good reason, and absolutely a valid reason from a security perspective, to subnet the network, segmenting different devices into different subnets, and then use a router, or even better a firewall, to route between those sections of the network. Each one of those subnets becomes a world unto itself. And if traffic ever needs to leave that subnet for some reason, it has to cross that Layer 3 boundary, so we can examine it and make sure nothing odd is going on.
You’re essentially creating a bit of a barrier between the trusted devices on a subnet and something that may be outside the subnet. Now, obviously, there may be subnets that everybody has to talk to. You may have a subnet for your servers.
You may have a subnet for your internal mail servers, for instance. Everybody has to get their mail. So all of those users will be going through your firewall to be able to access that mail server. It’s a natural way to keep everybody on their local subnets, but still allow access to those resources that they need.
We might also think about grouping these resources together. The HR department might be on one subnet. The shipping and receiving department might be on another subnet. You might have your executive team on their own subnet. That way, you can keep any resources or devices that are local to a team on that team’s subnet. Because that traffic never crosses the router or firewall, no policy restricts access to that local resource, and the team has direct access to it. Usually, you get better performance that way as well, since the traffic stays on the local segment instead of being routed and inspected.
When you’re setting up the subnets on your network, the physical design usually looks the same: a router, or a firewall providing a Layer 3 routing function, sits in the middle and separates the network. Everything that flows between subnets has to go through that single device.
In many cases, there are multiple devices there for redundancy, because, as you can see in this diagram, if this is our home office, everybody has to go through this link. So it has to be a high performance device, and it has to have redundancy. But as long as we connect all of our subnets this way, we can make sure that they’re secure, that there’s control over the traffic between them, and that everybody still has access to the resources they need.
The same idea extends to the internet side. There are other subnets out on the internet, and since they reach us through our internet link, the internet is just another subnet to the firewall: one more zone we can set policies on, so that the right security is applied to the traffic going in and out.
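To make the design above concrete, here is an added example (not code from the video or from Professor Messer) that models the router/firewall sitting between the subnets: HR, shipping, executive and server subnets, an internal mail server that every user subnet may reach on mail ports only, an HR-only file server, outbound web access to the internet, and an implicit deny for everything else, including any inbound connection from the internet. It also includes a small helper for the sizing question mentioned earlier (how large a block a given number of hosts needs). All addresses, subnet names, ports and hosts are constructed assumptions for illustration.

```python
"""Toy model of a subnetted network with a Layer 3 firewall between the subnets.

Every value below (address plan, server addresses, rules) is an assumption
constructed for this example; it is not from the video.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed address plan: one /24 per group, plus a server subnet.
SUBNETS = {
    "hr":        ip_network("10.1.10.0/24"),
    "shipping":  ip_network("10.1.20.0/24"),
    "executive": ip_network("10.1.30.0/24"),
    "servers":   ip_network("10.1.100.0/24"),
}
USER_SUBNETS = frozenset({"hr", "shipping", "executive"})
MAIL_SERVER = ip_address("10.1.100.25")      # assumed address
HR_FILE_SERVER = ip_address("10.1.100.50")   # assumed address


@dataclass(frozen=True)
class Rule:
    """One allow rule on the firewall. Anything not matched is denied."""
    src: FrozenSet[str]                         # source subnet names
    dst: str                                    # destination subnet name or "internet"
    ports: FrozenSet[int]                       # permitted destination TCP ports
    hosts: Optional[FrozenSet[IPv4Address]] = None  # optional: only these dst hosts


RULES = [
    # Everybody has to get their mail, but only on mail ports, and only to that host.
    Rule(USER_SUBNETS, "servers", frozenset({25, 143, 993}), frozenset({MAIL_SERVER})),
    # Only HR may reach the HR file share.
    Rule(frozenset({"hr"}), "servers", frozenset({445}), frozenset({HR_FILE_SERVER})),
    # Outbound web browsing: the internet is just another zone with its own policy.
    Rule(USER_SUBNETS, "internet", frozenset({80, 443})),
    # No rule lists "internet" as a source, so inbound connections are implicitly denied.
]


def subnet_of(addr: IPv4Address) -> str:
    """Name of the internal subnet holding addr, or "internet" if it is not ours."""
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "internet"


def classify(src: str, dst: str, port: int) -> str:
    """Return "local", "allow" or "deny" for a connection from src to dst:port.

    "local" means both ends sit on the same subnet, so the traffic never
    reaches the firewall and no policy applies to it at all.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_name, dst_name = subnet_of(src_ip), subnet_of(dst_ip)
    if src_name == dst_name and src_name != "internet":
        return "local"
    for rule in RULES:  # first match wins; default is deny
        if (src_name in rule.src and dst_name == rule.dst and port in rule.ports
                and (rule.hosts is None or dst_ip in rule.hosts)):
            return "allow"
    return "deny"


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose block fits `hosts` usable addresses.

    The network and broadcast addresses are reserved, so the block must hold
    hosts + 2 addresses, rounded up to a power of two.
    """
    needed = hosts + 2
    block, bits = 1, 0
    while block < needed:
        block *= 2
        bits += 1
    return 32 - bits


if __name__ == "__main__":
    for flow in [("10.1.10.15", "10.1.10.200", 445),   # HR to HR: never hits the firewall
                 ("10.1.20.15", "10.1.100.25", 993),   # shipping to mail server
                 ("10.1.20.15", "10.1.100.50", 445),   # shipping to HR file server
                 ("10.1.10.15", "10.1.20.7", 445),     # lateral movement HR -> shipping
                 ("203.0.113.10", "10.1.100.25", 25)]: # inbound from the internet
        print(flow, "->", classify(*flow))
    print("50 hosts need a /%d" % prefix_for_hosts(50))
```

The point of the `local` result is that segmentation only buys inspection for traffic that crosses the Layer 3 boundary; two hosts on the same subnet talk to each other without the firewall ever seeing a packet, which is exactly why the groupings should follow who needs to reach what.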