Solved

Firewall/Proxy

Posted on 2001-06-06
870 Views
Last Modified: 2010-07-27
We are considering upgrading to Small Business Server.  It has Proxy, which I am gathering is a firewall. I am looking to implement a network security solution. Can someone clear up for me what the difference is between Proxy and a hardware firewall, and suggest which will be the better choice? Let me give you a breakdown of what we have.

1  Win 2k server with exchange 2k
10 Win 2k pro
2  Win 98

We use outlook Web Access.  
We do not host web, ftp or any thing else.

Should we first invest in a server and put Exchange on it, and still give it a public IP so we can access OWA (OWA is accessed through dynamic ISP IPs)? Then install the DC on an internal IP to protect data.  

Or should we just go ahead and invest in Small Business Server, and Proxy will do the job?


Our goal is to protect data, while allowing OWA, and Terminal server capabilities (administrative for now and possibly applications in the near future).
Question by:sjs
12 Comments
 
LVL 1

Expert Comment

by:Chapo
ID: 6162517
A proxy server is a server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Most firewalls also have the capability to provide proxy services.

You could use SBS to provide proxy services but I would definitely not recommend it for firewall services.  

For a firewall you could go out and purchase a hardware firewall or use FreeBSD on an old PC.  FreeBSD has a very good firewall implementation and the software is free.

Good luck.
0
 
LVL 12

Expert Comment

by:Nenadic
ID: 6163021
Chapo's solution is good, as long as you have FreeBSD skills. A hardware firewall is an overkill and I doubt there is a budget for it.

Since you are using Windows 2000, you can implement ISA (Internet Security and Acceleration) Server. It is based on Checkpoint-1 firewall which is a de facto industry standard. It also incorporates proxy services and integrates completely with W2K.
0
 
LVL 5

Accepted Solution

by:Droby10 (earned 100 total points)
ID: 6163765
from the standpoint of internally sourced requests, the functional differences between a proxy and firewall are as follows....

[proxy]
a proxy will act on behalf of the client...
  - ie. a client makes request to proxy, proxy makes outbound request, proxy returns results to client.

there is generally a secondary protocol or application protocol extension that is used for secure transmission between the client and the proxy (and possibly the proxy and the next proxy,...,...)

[firewalls]

a firewall will forward/route/[translate] packets...
  - ie. client makes outbound request, traffic flows through firewall's inbound and outbound tcp/ip stack where each packet is subject to the rules, if the traffic is allowed then the firewall will forward the traffic to the next hop.  when response traffic comes back this process is in reverse.

this can be hardware -or- software.
  - [hardware] shasta, nokia ip*** (which really runs checkpoint, so it's a toss-up)
  - [software] ipfw/ipfilter/checkpoint/etc.

[which one's better?]
depends on organizational structure, size, and the support availability for each of the options being evaluated both internally and from the vendor.  while it's a general consensus that proxies provide more security (in the form of application-level security, instead of network-level security), i'm personally a fan of firewalls.
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6163784
the best answer i can give is set up a dmz.
yes, you may only be providing a single service in the way of exchange...but it sounds like you could be expanding that at some point...it will also save you heartache when a get-by solution causes complete compromise of your systems.
0
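To make Droby10's two points concrete (a firewall applies first-match rules to each packet and lets response traffic back in reverse; a DMZ keeps the exposed Exchange/OWA box from starting sessions toward the internal DC and workstations), here is an added toy model of such a stateful packet filter. It is not part of the thread and not any vendor's rule syntax; the zones, addresses and port choices are constructed for the network described in the question.

```python
"""Toy stateful packet filter for a three-zone layout (constructed example):
internal LAN (DC + workstations), DMZ (Exchange/OWA host), Internet.
Rules are evaluated first-match like an ipfw/ipfilter list; reply packets
are admitted only if they belong to a session a rule allowed earlier."""

LAN, DMZ, INET = "lan", "dmz", "inet"
OWA_HOST = "192.0.2.10"  # constructed address for the Exchange/OWA box in the DMZ

def zone(ip):
    """Map a constructed address to its zone (10.0.0.x = LAN, 192.0.2.x = DMZ)."""
    if ip.startswith("10.0.0."):
        return LAN
    if ip.startswith("192.0.2."):
        return DMZ
    return INET

# (from_zone, to_zone, dst_ip, dst_port, verdict); None matches anything.
RULES = [
    (INET, DMZ, OWA_HOST, 443, "allow"),   # OWA over HTTPS from anywhere
    (INET, DMZ, OWA_HOST, 25, "allow"),    # inbound SMTP to Exchange
    (LAN, INET, None, None, "allow"),      # users browse out
    (LAN, DMZ, None, None, "allow"),       # Outlook / admin RDP reach Exchange from inside
    (DMZ, LAN, None, None, "deny"),        # DMZ host may never initiate toward the DC/LAN
    (None, None, None, None, "deny"),      # default deny (Internet -> LAN lands here)
]

class StatefulFilter:
    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of allowed initiations

    def check(self, src, sport, dst, dport, initiating):
        """Return 'allow' or 'deny' for one packet; initiating=True for a new session."""
        if not initiating:
            # Response traffic: allowed only in reverse of a recorded session.
            return "allow" if (dst, dport, src, sport) in self.sessions else "deny"
        for from_zone, to_zone, dst_ip, dst_port, verdict in RULES:
            if (from_zone in (None, zone(src)) and to_zone in (None, zone(dst))
                    and dst_ip in (None, dst) and dst_port in (None, dport)):
                if verdict == "allow":
                    self.sessions.add((src, sport, dst, dport))
                return verdict
        return "deny"
```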
 
LVL 11

Expert Comment

by:geoffryn
ID: 6164191
Nenadic, What makes you think that ISA is based on FW-1?
0
 
LVL 1

Expert Comment

by:emery_k
ID: 6164827
You could use some kind of a hardware router/firewall with the server as a DMZ and let the router do NAT to firewall the rest of the boxes. I assume you just want Internet access for the users. Linksys, Netgear, Asante make low end routers or look at Cisco.
0
 
LVL 3

Expert Comment

by:DanR
ID: 6165058
MS Proxy includes packet filtering, which makes it a firewall.  I don't know if Microsoft would be my first choice for a security product, though.

You could run proxy, Exchange, etc. all on one server, but even Microsoft doesn't recommend that.

What I have done (on MS's recommendation) is set up Proxy on one machine, either PDC of its own domain or a member server (not DC) of your existing domain.  Then harden it by disabling unnecessary services (OK, everyone, stop laughing at the idea of "hardened" Windows).  Put the Exchange server behind it, and use reverse hosting to have the Proxy server pass traffic to it.

To enable the Exchange server to exchange mail with the Internet, you'll also have to do server proxying: install WinSock Proxy Client on it and do a little configuration as outlined in
http://www.windowsitlibrary.com/Content/272/2.html

But if you're using Win2k, then as mentioned above, ISA might be a better option.  I haven't used ISA, so I can't comment on it.  My understanding is that it's just an upgraded Proxy, so the configuration ought to be similar.

For security and stability reasons, I wouldn't run anything but Proxy on my proxy server if at all possible.

For such a small network, how about a Cobalt Qube?  It has a basic proxy on it....
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6165109
Actually ISA is now a full-fledged stateful firewall with some application proxies.  It performs pretty well, but if you don't need Active Directory integration I would probably opt for a hardware solution like SonicWall or Watchguard.  They are easier to configure and troubleshoot.
0
 
LVL 1

Expert Comment

by:PUB_UL
ID: 6168492
If you want to have the best firewall, go into Linux!
Else, just use a simple router (hardware).
0
 
LVL 3

Expert Comment

by:DanR
ID: 6168587
No matter how you slice it, you should have your proxy/firewall on a separate device.  So I'll second geoffryn's comment; your life will be easier if that device is an appliance instead of a Windows server.  And it might be more secure....
0
 

Expert Comment

by:bseaman
ID: 6236590
First, do not "upgrade" to SBS.  This product is notorious for its problems and has been since its inception.  Linux isn't a good firewall choice as most people don't know how to configure it and it may be hard to get support.  I suggest a hardware device.  There are many SOHO devices on the market that may be good for you.  I sell mostly the Cisco PIX.  The 506 model is less money than a PC and is dummy-proof.  It will translate for your Exchange web box and will protect your entire network.  Do NOT put Exchange on the public network.  It will most likely be hacked in hours unless you know how to secure it, and then it's still not too secure.  Remember that although Proxy does offer some protection, it was developed to speed up Internet access via caching for shops with slow links.  In my experience most software firewalls are more expensive and harder to work with than a dedicated firewall device.  The Checkpoint is great if you have an extra server and 10 grand.  I have heard good things about the SonicWall devices although I'm no expert on them.  I have done what you're asking with the PIX for dozens of clients, but I'm sure that most sub-$1500 devices would do the same thing.
Hope this helps.
Bob
0
 
LVL 1

Expert Comment

by:emery_k
ID: 6237926
I agree with bseaman. I am running Linux for Apache, FTP, and am setting up email. I have multiple virtual hosts set up. I had Linux running as a firewall, then realized that a hardware device meant the network stayed up as I was restarting the Linux box. If Linux was the firewall it put a lot more heat on me to keep it up 24/7 while I was learning. I've used Linksys, Netgear, and Asante routers for DSL and been pretty pleased (the $100-$200 price tag is pretty painless). Most have the option of setting up one internal IP address as a DMZ, where that computer is exposed as seen from the Internet side. Then you have NAT for the rest, plus you can forward specific ports to specific computers. I've considered going with a higher end router but am not sure what the differences would be nor the costs.
0