Penguin

Numbering

Where possible, the highest valid IP in any range should be the default gateway*. So, to set your default gateway, take your broadcast address and subtract one on it, and try that.

This is why the default gateway on a /24 is normally .254.

* The alternative seems to be the other way around and uses the lowest IP in an address range as the gateway. ie. in a /24 network .1 is the gateway.

DHCP

Use DHCP to allocate IPs and configure services such as DNS to clients. Make sure that IPs allocated have ForwardLookups and ReverseLookups.

Firewalling

As much as I hate firewalling, adding firewalling on routers lets you partition your network up to prevent infections in one area from propagating into another. The usual partitioning scheme is to partition the network into internal, DMZ, and InterNet, but having more partitions can also help.

DeMilitarizedZone

If you have a network which has a mixture of workstations and publically-accessable servers, consider the use of a DMZ to physically separate "external" machines from "internal" ones. In the event that your webserver gets compromised, your accounting server (which should still be an "internal" one) is safe.

VirtualPrivateNetwork

When providing access to off-site users, such as people working from home, RoadWarriors, or remote branches, use a VPN to provide secure access to your internal servers.

When securing wireless networks, it is sensible to completely lock down the wlan so that the only permitted activity is to the VPN server. For wireless users to participate in the network they have to connect via your VPN first.

RFC1918

Please please please avoid the use of RFC1918, it breaks so much stuff. Never use it for anything that might ever be visible to the Internet, including a router in the middle of a network. See NetworkingNotes for details on it breaks.


Part of CategoryBestPractices