I have a head office and a number of suboffices. Both the head office and the suboffices need to access a corporate server, which is physically in the head office. But suboffices should not be able to access the head office or each other. Suboffices are at a substantial distance from each other and from the head office (many km).
How do I design the network for this task?
I suppose each suboffice should have internet access. The Central Server LAN switch should have a static IP and OpenVPN software installed. For example, the SubOffice1 network is 10.0.1.x, SubOffice2 is 10.0.2.x, etc., the head office is 10.254.x.x, and the Central Server LAN is 192.168.0.x.
When a suboffice PC or head office PC needs to access the Central Server, the PC starts a VPN connection to the central server.
I should then use routers for each network and set up firewalls so that they permit connections from the inside network only, except for the Central Server LAN router.
Is this correct? Maybe there are some important details I should keep in mind when building this network? What hardware would you recommend for this (routers supporting the needed firewalling modes, etc.)?
ADDED 07/05/2012:
Our ISP can provide nothing except for Internet access. I cannot expect them to support anything like MPLS. ISPs are different in each suboffice and head office.
The number of suboffices is about 20.
Connections from the suboffices into the head office need to be encrypted because they will be routed through the internet.
I want suboffices to be isolated from head office and from each other completely so that no packet can travel there and back.
I plan to have only Linux PCs in the offices, but there may also be some Windows machines. No Active Directory or anything like that. Just PCs under Windows/Linux.
Any good books out there on the subject?
Matt Simmons wrote a series of excellent articles for simple-talk that you may find instructive;
But first a few points on your design:
Good luck!
Update
You asked for a few books to get started with, I can offer you a few that deal directly with your problem here, and there are a few excellent books recommended elsewhere on serverfault that will help you in other ways as you need them.
More specifically I would recommend starting with the Cisco CCNA series of books. It seems like you've already been thrown into the deep end of the pool with such a large deployment. The Cisco Press CCNA ICND1 will address many of the fundamental topics you need to learn. You can also try the CompTIA Network+ book as well. I have never read it but it will offer a few new perspectives not offered in the CCNA.
Pay particular attention to the OSI Model, especially the differences between Layers 1, 2, and 3.
Beyond that, I would begin to look for "white papers" and "best practices" for branch office deployments (there are a few you will see in the Google search I posted previously). Sysadmins only really learn something by doing it; think of this as applied engineering. There are often equal measures of analytic thought and by-the-seat-of-your-pants action.
Since you have 20 or more offices you will want to be able to centrally manage all of your services. You can start by calling around to different vendors and asking them for a solution (don't commit to anything on the phone! You can almost always ask for a better price, or extra equipment, or extra support; you are only buying 20 devices, but that's probably more than most). Also, don't believe 90% of what the vendor sales representative tells you; come back here and ask another question about the specific deployments you had in mind.
Once again, Good luck!
I really suggest going over this again. Switches are Layer 2 devices, and do not usually deal with IPs and especially not VPNs.
The best solution would be to have VPN-enabled routers in each office, then set up a site-to-site VPN to the central office, and set up routing correctly. You can do this even with OpenVPN and PCs with multiple network cards if you have small networks.
Subnet numbering is not important, just don't overlap the networks. You will also need subnets for router-to-router connections (/30 is good enough), unless you use an L2 VPN and bridge the routers to your central internal network.
For two offices, routing can be done manually.
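To make the hub-and-spoke rules from the question and this answer concrete, here is an added Python example (not code from any poster) that models the address plan with the subnets given in the question, checks that no two networks overlap, carves /30 transit links for the 20 router-to-router connections out of an assumed pool (172.16.0.0/24, constructed), and evaluates the hub-side forwarding policy: every site may reach the Central Server LAN, and nothing else crosses between sites. It assumes the hub firewall is stateful, so only the initiating direction is modelled.

```python
import ipaddress

# Address plan from the question; 10.254.x.x is assumed to be a /16.
CENTRAL_SERVER_LAN = ipaddress.ip_network("192.168.0.0/24")
HEAD_OFFICE = ipaddress.ip_network("10.254.0.0/16")
BRANCHES = [ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(1, 21)]  # 20 suboffices


def check_no_overlap(nets):
    """The answer's first rule: no two networks in the plan may overlap."""
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def allocate_transit_links(pool, count):
    """Carve `count` /30 point-to-point subnets for router-to-router links from `pool`."""
    subnets = list(pool.subnets(new_prefix=30))
    if len(subnets) < count:
        raise ValueError(f"pool {pool} holds only {len(subnets)} /30s, need {count}")
    return subnets[:count]


def site_of(ip):
    """Map an address to the site it belongs to, or None if it is not in the plan."""
    if ip in CENTRAL_SERVER_LAN:
        return "server"
    if ip in HEAD_OFFICE:
        return "head"
    for n, branch in enumerate(BRANCHES, 1):
        if ip in branch:
            return f"branch{n}"
    return None


def forward_allowed(src, dst):
    """Hub-side policy for a new connection: (allowed, reason).

    Only traffic towards the Central Server LAN is forwarded; anything from an
    address outside the plan is dropped (anti-spoofing), and site-to-site
    traffic (branch<->branch, branch<->head office) is blocked by default.
    """
    s, d = site_of(ipaddress.ip_address(src)), site_of(ipaddress.ip_address(dst))
    if s is None or s == "server":
        return False, f"{src}: not a recognised site source, dropped"
    if d == "server":
        return True, f"{s} -> central server: permitted"
    return False, f"{s} -> {d or dst}: sites are isolated, blocked"
```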
I will avoid duplicating the good advice that's already been posted to this thread but I would like add a point of consideration. When designing a network to deal with branch offices a major consideration should be what level of separation is needed. Another way of looking at this issue is to consider that is what level of separation can be tolerated by applications.
These days most client <-> server / peer-to-peer applications are happy with a L3 separation (in different subnets) but there are still apps in use that expect the the peers to be in the same [multicast|subnet] broadcast domain or in some cases don't speak IP at all.
A L3 VPN or unencrypted tunnel (eg. GRE) between routers will administratively be the least amount of work and my advice would be to prefer this configuration if it meets your business requirements. However, it's important to consider what applications your network is required to support both now and in the immediate future. Sometimes a L2 VPN/tunnel will be needed. It's important to consider this issue early in the design process as it will have a major impact on equipment and/or software selection. Generally, L2 tunneling is not an option on older L3 equipment and often isn't available or current production low end models.
It also depends on what type of resources you need to access.
If file sharing: for a small company I would use Dropbox or its commercial equivalent JungleDisk.
Another option is using an MS SharePoint Server, which gives you the option of easy multi-site file collaboration.