How to Set Up Intranet and Extranet Access?

Asked By TechieNinja42 On

I recently faced an interview question about setting up intranet and extranet access for a server. The interviewer asked how to allow a server to be accessible only within the network while also having authenticated access for users from outside the network. I mentioned using a VPN for external access and a firewall to block incoming traffic from outside, but I struggled to elaborate further.

I wasn't sure if I should block incoming or outgoing traffic on the firewall, and I was confused about maintaining firewall uptime—like whether to use a software or hardware firewall, or if an OS-level firewall would suffice. I've also never set up a private company VPN before, so the whole thing felt overwhelming given my lack of real-world experience. Any insights on this topic would be super helpful!

5 Answers

Answered By CyberSecSophia On

Many companies put all services behind a zero trust SSO framework. If you want to strictly control access to your intranet, only expose it so it can be accessed internally or through a VPN that's correctly routed to your internal network.

Answered By NetworkGuru99 On

Your initial answer was on the right track, but only from the user's perspective. To set this up technically, you’d link your external network (the internet) to your internal network through a firewall. Essentially, it would look like this: Internet > external VLAN switch > firewall > internal VLAN switch > internal servers.

You can also create multiple internal VLANs to control traffic flow. For example, if you have two internal VLANs with different IP ranges, servers in one can’t communicate with servers in another without some firewall rules in place.

Understanding the physical and logical layout here is key!
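An added example, not part of NetworkGuru99's answer or any other post in this thread: a small Python model of the firewall in that layout, with a default-deny policy between zones and stateful handling of return traffic. The zone names, address ranges, ports and rules are constructed for illustration.

```python
import ipaddress

# Constructed address plan (an assumption; the thread gives no addresses).
ZONES = {
    "vlan_users": ipaddress.ip_network("10.0.10.0/24"),
    "vlan_servers": ipaddress.ip_network("10.0.20.0/24"),
    "vpn_pool": ipaddress.ip_network("10.0.99.0/24"),
}

# Hypothetical allow list: (source zone, destination zone, TCP port).
ALLOW_RULES = [
    ("vlan_users", "vlan_servers", 443),  # internal users reach the server
    ("vpn_pool", "vlan_servers", 443),    # external users, after VPN login
    ("vlan_users", "internet", 443),      # outbound browsing
]


def zone_of(addr):
    """Map an address to a zone; anything outside the plan is the internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


class Firewall:
    """Stateful, default-deny forwarding policy between zones."""

    def __init__(self):
        self.established = set()  # flows opened by an allowed first packet

    def decide(self, src, sport, dst, dport):
        # Replies to a flow that was allowed in the other direction pass.
        if (dst, dport, src, sport) in self.established:
            return "allow"
        if (zone_of(src), zone_of(dst), dport) in ALLOW_RULES:
            self.established.add((src, sport, dst, dport))
            return "allow"
        return "deny"  # no rule matched: default deny


if __name__ == "__main__":
    fw = Firewall()
    print(fw.decide("10.0.10.5", 50000, "10.0.20.10", 443))    # user -> server
    print(fw.decide("203.0.113.7", 40000, "10.0.20.10", 443))  # internet -> server
```

The same address from the internet is denied as a new inbound connection but would be allowed as the reply to an outbound flow a user opened, which is why the policy is written per direction of the first packet rather than as a blanket block on "incoming" or "outgoing" traffic.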

Answered By NetworkNerd90 On

Consider looking into 802.1X for network access control—especially if you’re dealing with enterprise solutions like Cisco’s Identity Services Engine (ISE), which can effectively manage access and improve security.

Answered By WebDevWizard On

It really depends on the type of server and the access method. Intranet typically refers to web services accessed through a browser, which doesn’t necessarily require a VPN. You might just need to use IP-based access control lists (ACLs) on your web server. For SSH access, though, you shouldn’t allow unauthenticated connections even for internal users.

Answered By HomeLabHero On

Building a home lab can be really beneficial! If you have an old PC, you can set up virtual machines to learn about IP networks and how to segment them. Create two separate networks with hosts and firewalls, then practice connecting them without NAT. Learn about routing tables and even dive into protocols like OSPF. Check out OPNsense for a solid firewall solution!

PacketTracerPro -

You might also want to explore Jeremy’s IT Lab CCNA videos on YouTube. They’re free, and using Packet Tracer for your labs can give you practical experience—definitely an accessible starting point!
