Security Basics mailing list archives

Network redesign


From: Alex <alex.tsr () gmail com>
Date: Fri, 17 Aug 2007 19:50:31 +0300

Hello list,

The company I work for is going for a major network redesign. We're moving
from a single, large and hard to manage network (don't ask why it came
to that...) to multiple VLANs. The network consists of about 2000 PCs
and 30 servers (including Apache, Exchange, MySQL and MS SQL, terminal
services and so on). Since this is going to be a lot of work
(and not going to be done a second time) we're spending a lot of time on
designing.

Now to the point.
* There is the rule of thumb saying "Don't let connections go out of the
DMZ", but what about the SQL server that needs to be accessed from a web
server in a DMZ? Do we put it in the same DMZ, in another one or maybe in a
VLAN in the main network?
* What happens when the boss comes in and says "We need this private web
or terminal server in this VLAN to be accessed from the outside"?
* Where is the best place to put our internal network and/or host IDS,
security scanner and the like (nothing like that exists right now :/ )

In a few words, how do we design our VLANs and DMZ to increase
security while maintaining some flexibility too? What would your ideal
network be like, concerning these issues?

Any tips, sources and reading material in general are most welcome.
Thanks in advance.


Cheers, Alex.
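An added example, not part of Alex's post or any product he mentions: a small Python model of one common answer to the first two questions, an Internet / DMZ / database-segment / internal split with a first-match, default-deny policy between zones, plus a helper that lists exactly what the DMZ is allowed to initiate. The zone names, sample addresses, ports and rule notes are all constructed assumptions for the illustration.

```python
# Added example, not from the original post: a first-match, default-deny
# zone policy for an Internet / DMZ / database-segment / internal split,
# plus an audit helper that lists what the DMZ is allowed to initiate.
# All zone names, addresses and ports below are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing; 'internet' is the catch-all zone.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # web front ends
    "db": ipaddress.ip_network("198.51.100.0/24"),     # SQL servers, own VLAN
    "internal": ipaddress.ip_network("10.0.0.0/8"),    # PCs, Exchange, terminal servers
}


def zone_of(ip: str) -> str:
    """Return the most specific zone whose prefix contains ip."""
    addr = ipaddress.ip_address(ip)
    candidates = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(candidates)[1]


@dataclass(frozen=True)
class Rule:
    src: str               # zone that opens the connection
    dst: str               # zone that receives it (replies ride the state table)
    dport: Optional[int]   # None matches any port
    action: str            # "allow" or "deny"
    note: str = ""


# Ordered, first match wins, anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("internet", "dmz", 443, "allow", "public web front end"),
    Rule("internet", "dmz", 80, "allow", "http, redirected to https by the web server"),
    Rule("dmz", "db", 1433, "allow", "web app to MS SQL, nothing else"),
    Rule("dmz", "db", 3306, "allow", "web app to MySQL, nothing else"),
    Rule("dmz", "internal", None, "deny", "DMZ never opens connections into the LAN"),
    Rule("dmz", "internet", None, "deny", "DMZ hosts do not call out on their own"),
    Rule("internal", "dmz", 22, "allow", "admin SSH to DMZ hosts"),
    Rule("internal", "dmz", 3389, "allow", "admin RDP to DMZ hosts"),
    Rule("internal", "db", 1433, "allow", "DBAs and internal apps to MS SQL"),
    Rule("internal", "db", 3306, "allow", "DBAs and internal apps to MySQL"),
    Rule("internal", "internet", 80, "allow", "user browsing"),
    Rule("internal", "internet", 443, "allow", "user browsing"),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Decide whether src_ip may open a connection to dst_ip:dport.

    Returns (action, reason). Traffic inside one zone never crosses the
    firewall in this model, so it is reported as allowed at the switch.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow", f"intra-zone {src}, not filtered here"
    for rule in policy:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action, rule.note or f"{rule.src}->{rule.dst}:{rule.dport}"
    return "deny", f"no rule for {src}->{dst}:{dport}, default deny"


def dmz_initiated_allows(policy: List[Rule]) -> List[Tuple[str, Optional[int]]]:
    """List every (dst_zone, dport) the DMZ may initiate: the exceptions to
    'nothing leaves the DMZ' that deserve a written justification."""
    return [(r.dst, r.dport) for r in policy if r.src == "dmz" and r.action == "allow"]


if __name__ == "__main__":
    # Constructed flows: public client, DMZ web server, SQL server, internal hosts.
    flows = [
        ("203.0.113.5", "192.0.2.10", 443),      # client -> web
        ("203.0.113.5", "198.51.100.10", 1433),  # client -> SQL directly
        ("192.0.2.10", "198.51.100.10", 1433),   # web -> SQL
        ("192.0.2.10", "10.1.2.3", 445),         # web -> internal file share
        ("203.0.113.5", "10.1.2.4", 3389),       # client -> internal terminal server
    ]
    for s, d, p in flows:
        print(f"{s} -> {d}:{p}: {evaluate(POLICY, s, d, p)}")
    print("DMZ may initiate:", dmz_initiated_allows(POLICY))
```

The model takes the "separate back-end VLAN" option from the first question: the web server sits in the DMZ, the SQL server in its own segment, and the only DMZ-initiated rules are the two database ports, which is what `dmz_initiated_allows` prints for review. The last constructed flow is the "expose an internal terminal server" request landing on default deny, so it has to become an explicit rule (or the host has to move into the DMZ) rather than happen by accident. Real DMZ hosts also need DNS, NTP and update traffic, which this toy policy leaves out.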

