How should I isolate computers with different roles on a network

networking

Solution 1:

Consider using different VLANs for each role, and using a firewall to pass traffic between them. The firewall will, of course, be configured in such a way to only allow the appropriate traffic through.

Solution 2:

Split up the two networks completely and put a firewall between them (or just isolate the process network). There is no reason to expose process systems like that.

Once this is done you have to consider how to access the databases in the process part of the network. There are many solutions (port forwarding, SQL proxy etc) but my personal recommendation would be to setup a new SQL server, dual home it both in the process and the user network and replicate all the data users need access to to this host. Then make sure you lock down the SQL server as far as possible.

Solution 3:

If you don't wan't to start doing some fancy networking, you can do Private VLANs. Higher ends Cisco switches can do this.

Related

Problem with regsvr32 on Windows Server 2008
Which SQL Server edition?
nginx caching per user agent
MS Exchange -- running code against outbound email
Advantage of using Ubuntu Enterprise Cloud (UEC) compared to VMWare?
SMTP server, SPF records, domainkeys
What's been your company's biggest security leak?
slow software raid
Apache treating files with ".var[.]" in their names as type-maps
How do you find system manufacturer/model on Linux without root access?
Samba, Apache and SVN. Getting the permissions right
Hyper V network adapter configuration on parent partition