Believe it or not, this is the easy part. There aren’t that many physical components that make up a small business network, and acquiring all of them should be both easy and fast. First, let’s start with a diagram (click to enlarge), and we’ll drill into each piece in more detail.
So, basically your internet service provider (ISP) is going to give you a public IP address so that you can connect to the internet. Typically, an ISP will only assign you one IP. The internet is essentially just one huge network, and having an IP allows you to be in that network.
Yea, dude, you’re gonna need a firewall
Go to whatismyip.com and get your IP address. Copy and paste that IP address into your browser and see what you get. If you’re using a standard router, or are directly connected to the internet and are running a web host on your computer, you’ll see either your router’s login page or whatever content your computer publishes on port 80. The ramifications of your computer / server having an IP on the internet are that other computers can see you, just like you can see them. All those websites out there are just other computers (or clusters of computers).
A firewall is a device (either physical or virtual) that protects your computer / server from outside intrusion by filtering out what connections can be established. At the simplest level, this is done by opening and closing ports, and by deciding which IP ranges you will allow connections from. A good firewall setup will typically only allow connections on the ports that seem to have a good reason for being open. Some examples:
- Port 80 allows HTTP connections. This is how you browse the web
- Port 443 allows HTTPS connections. This is how you checkout securely in a website payment process
- Ports 22 and 21 allow for SSH and FTP, respectively, two ways of interacting with other computers (the former being total access, the second being file server access)
There are thousands of ports on a computer, many of them for unique processes you’ve never even heard of, some of them ready for you to assign a purpose to them. All of these ports give attackers MANY doorways to enter your network. Best practice is to only allow connection on the ports you need. Ports 80, 443, 22 and 21 would be pretty standard.
If you aren’t running a firewall – you are wide open. Once I get your IP address (and I could do that by scraping IPs from forums, or hell, even using nmap to try certain ranges and see who I can ping), if you aren’t running SOME type of firewall, I can own your bases. So make sure you include one in your network.
What your server does
Your server is probably the most important piece of your network. Beside the fact that it will be running all kind of software that your users need, it performs some very important functions just in keeping the network online. For example, your server can:
- Assign IP addresses to other machines on the network
- Share an internet connection and speed up your internet by circumventing your ISP’s DNS
- Provide an authentication mechanism for other machines on the network to use
- Facilitate cross-platform file and printer sharing
- Provide shared software to use across the network
Building your server
The great thing about Linux, derived from UNIX, is that it can run and perform fairly well on just about any hardware (you can even run UNIX on a gameboy, though I don’t recommend it here = )). You’ll be building what essentially boils down to a computer. Here’s what you’ll need:
- A motherboard
- A processor, heatsink and fan (the heatsink and fan that come with processors usually suck)
- A hard drive
- A motherboard
- At least 2 ethernet devices
- A case (housing) for all of this to sit in)
Once you get all the gear, assembly is pretty easy, and is well documented elsewhere. The main thing to ensure is that everything is compatible with everything else. For example, your motherboard will support a specific chipset, so you need to choose either a motherboard or a processor and then getting a matching component. RAM types supported and the size of your hard drive (the physical dimensions, ie 3.5 inch or 2.5 inch) can vary too, so just make sure everything matches up.
Keep a backup!
Obviously, your server is your network’s lynchpin – and if it goes down it is really bad news…so make sure you have a backup. Lightning, hacking, or random hardware failure – you have to be prepared for it all.
I recommend building a secondary, much cheaper machine that you can quickly replace the more powerful version with if you absolutely have to. You’ll want to keep a daily backup of your main server so you can easily load the image onto your backup system.
The 802.1x switch
I didn’t know about this either, and when I asked about RADIUS server on ServerFault, I got flogged by experienced server admins for not knowing. 802.1x is a protocol developed specifically for handling network authentication. You can read a really good 802.1x overview here.
Unfortunately, not all networking devices support 802.1x, so you need to get one that does support it. Managed 802.1x switches start at a few hundred dollars and can get really expensive. I bought a ZyXel GS2200-24 and am really happy with it so far.
You’ll need to read your switch’s manual as it relates to creating LANs, enabling AAA / radius (802.1x), and port authentication just to get a basic setup rolling, but it should be too tough.
The patch panel
This is just a way to keep from looking at a nasty nest of jumbled wires going into your switch. Basically, you wire cables directly to the back of your patch panel (instead of using an RJ45 and plugging them in). Then, you run a short cable (under 6 inches) from the patch panel to the switch, and you label each port on the patch panel. This makes it really easy to keep track of where each wire goes, and to enable easier termination and troubleshooting.
This does mean a lot of extra wiring work, but it should be worth it.
With 802.1x enabled Wi-Fi, you’ll be super secure as long as you don’t transmit passwords in clear text. Get a wireless router which supports 802.1x and deploy where you need a signal.
All the other machines that will connect to your networked components. Depending on the size and complexity of your network, you could have other servers, patch panels and switches at other points in your network. Imagine that this part can be very simple (just a few computers) or very complex (many switches, many wireless access points, and other servers which perform various functions).
I hope this gives you a good introduction to the physical components of the small business network I’ll be walking you through. Please feel free to ask me any questions you might have!