Hello,
We have the need to re-segment our network to impose better security and control over traffic, etc. Currently we are using a "Screened Subnet" firewall topology with a single firewall and multiple interfaces. Currently we have our public services servers out in front of the firewall completely, so they are totally exposed to the public internet with absolutely no control. Everything else is running inside the firewall on the same subnet, including all servers, workstations, etc. This is obviously not the ideal setup, but this is how it was engineered back when the company was much smaller, and it hasn't really adapted well to the company's growth over the years.
We now have the need to better secure a group of workstations since they deal with our customers' sensitive information. We want to design the network in such a way that that group is locked down as tightly as possible, yet still maintains connectivity with our Active Directory setup for user authentication/permissions as well as keeps access to several of the servers running on our intranet. This group of workstations needs access to the internet.
Basically, we are thinking of using 4 networks: a server network, a regular workstation network, a secure workstation network, and a DMZ for public servers.
Internet --
--Firewall 1 --DMZ with Public Servers --
--Firewall 2 -- Server Network, Workstations Network --
--Firewall 3 -- Secure Workstation Network
Our firewall has extra available interfaces so we could use it to run all the networks at once... but I'm not sure if this is ideal.
Internet--
--Firewall --DMZ, Servers, Workstations, Secure Workstations (different Vlan and different subnet)
Would it be best to use VLANs and different subnets on all networks to separate broadcast domains as well?
How best should we set up/place this network? We have the ability to use multiple firewall solutions (using something like pfSense or Smoothwall, etc.).
Also, where would be the best locations to place IDPS/sniffers to monitor our traffic... obviously sniff the traffic coming into the firewall from the internet, but should we also sniff each of the networks internally?
So basically we need to maintain AD services, intranet services, internet services, and all at the same time limit the vulnerability of the secure workstations in the event someone broke into the network. And we need to re-segment the rest of our network to keep someone who breaks in from having a field day all over everything, but instead be stuck in whatever subnetted network they got into...
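Whichever physical layout is chosen (one firewall with several interfaces/VLANs, or chained firewalls), the design question above reduces to a default-deny policy matrix between the zones: which segment may talk to which, on which ports. The following is an added worked example and is not part of the original post, nor a pfSense or Smoothwall configuration. It models the five zones the poster describes, encodes an allow-list that keeps Active Directory logon and the intranet working for the secure workstations while blocking everything else, and then answers the "where can an intruder go from here" question by computing which zones are reachable from a foothold in each segment. The AD port list is the usual set a domain-joined Windows client needs (including the RPC dynamic range); treat the exact rule set and the intranet ports as assumptions to be adapted to the real environment.

```python
"""Zone policy model for a four-segment network plus the internet (constructed example).

Zones and rules here are illustrative assumptions, not a real firewall config.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ZONES = ("internet", "dmz", "servers", "workstations", "secure_ws")

# Ports a domain-joined Windows client needs towards a domain controller
# (assumption: standard single-forest AD; the RPC dynamic range 49152-65535
# is included because some DC operations negotiate ports there)
AD_PORTS = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269}) \
    | frozenset(range(49152, 65536))
WEB = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: FrozenSet[int]   # destination ports matched by this rule
    comment: str


# Explicit allow-list between zones. Anything not listed is dropped
# (default deny). Note what is deliberately absent: no rule lets the DMZ
# initiate anything inbound, and no zone may initiate traffic INTO secure_ws.
RULES: List[Rule] = [
    Rule("internet", "dmz", WEB, "public web servers in the DMZ"),
    Rule("workstations", "servers", AD_PORTS | WEB, "AD logon + intranet apps"),
    Rule("secure_ws", "servers", AD_PORTS | frozenset({443}),
         "AD logon + intranet over TLS only"),
    Rule("workstations", "internet", WEB, "general browsing"),
    Rule("secure_ws", "internet", WEB, "browsing (a forced proxy is stricter)"),
    Rule("servers", "internet", WEB, "patching / updates"),
]


def is_allowed(src: str, dst: str, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a new connection from zone src to zone dst."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} or {dst!r}")
    if src == dst:
        # Hosts on one subnet/VLAN talk directly; the firewall never sees it.
        # This is exactly why the secure workstations get their own zone.
        return True, "intra-zone: same subnet, no firewall in the path"
    for rule in RULES:
        if rule.src == src and rule.dst == dst and port in rule.ports:
            return True, rule.comment
    return False, "default deny"


def reachable_from(src: str) -> Dict[str, FrozenSet[int]]:
    """Zones (with the permitted ports) directly reachable from a host in src."""
    out: Dict[str, FrozenSet[int]] = {}
    for rule in RULES:
        if rule.src == src:
            out[rule.dst] = out.get(rule.dst, frozenset()) | rule.ports
    return out


def blast_radius(src: str) -> Set[str]:
    """Internal zones reachable, possibly over several hops, from a foothold in src.

    The internet is not a pivot point (the intruder does not own a host there),
    so it is neither reported nor used as a stepping stone.
    """
    seen: Set[str] = set()
    frontier = [src]
    while frontier:
        zone = frontier.pop()
        for dst in reachable_from(zone):
            if dst != "internet" and dst not in seen and dst != src:
                seen.add(dst)
                frontier.append(dst)
    return seen


if __name__ == "__main__":
    for zone in ZONES:
        if zone != "internet":
            print(f"foothold in {zone:13s} -> can reach {sorted(blast_radius(zone)) or 'nothing'}")
    print(is_allowed("secure_ws", "servers", 88))    # Kerberos to a DC: allowed
    print(is_allowed("workstations", "secure_ws", 445))  # lateral SMB: default deny
```

Running the script prints a one-line "blast radius" per zone; in this rule set a compromised DMZ host reaches no internal zone, and a compromised regular workstation reaches only the server zone and never the secure workstations. The same matrix also answers the IDS placement question: every arrow in the allow-list is a point where a sensor sees inter-zone traffic, whereas intra-zone traffic is invisible to the firewall and needs a SPAN/mirror port or host-based monitoring.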