Firewall/Proxy

We are considering upgrading to Small Business Server. It has Proxy, which I gather is a firewall. I am looking to implement a network security solution. Can someone clear up for me what the difference is between Proxy and a hardware firewall, and suggest which will be a better choice? Let me give you a breakdown of what we have.

1  Win 2k server with exchange 2k
10 Win 2k pro
2  Win 98

We use outlook Web Access.  
We do not host web, ftp or anything else.

Should we 1st invest in a server and put Exchange on it, and still give it a public IP so we can access OWA (OWA is accessed through dynamic ISP IPs), then install the DC on an internal IP to protect data?

Or should we just go ahead and invest in Small Business Server, and Proxy will do the job?


Our goal is to protect data, while allowing OWA, and Terminal server capabilities (administrative for now and possibly applications in the near future).
0
sjs
Asked:
sjs
1 Solution
 
Chapo Commented:
A proxy server is a server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Most firewalls also have the capability to provide proxy services.

You could use SBS to provide proxy services but I would definitely not recommend it for firewall services.

For a firewall you could go out and purchase a hardware firewall or use FreeBSD on an old PC.  FreeBSD has a very good firewall implementation and the software is free.

Good luck.
0
 
Nenadic Commented:
Chapo's solution is good, as long as you have FreeBSD skills. A hardware firewall is overkill and I doubt there is a budget for it.

Since you are using Windows 2000, you can implement ISA (Internet Security and Acceleration) Server. It is based on Checkpoint-1 firewall which is a de facto industry standard. It also incorporates proxy services and integrates completely with W2K.
0
 
Droby10 Commented:
from the standpoint of internally sourced requests, the functional differences between a proxy and firewall are as follows....

[proxy]
a proxy will act on behalf of the client...
  - ie. a client makes request to proxy, proxy makes outbound request, proxy returns results to client.

there is generally a secondary protocol or application protocol extension that is used for secure transmission between the client and the proxy (and possibly the proxy and the next proxy,...,...)

[firewalls]

a firewall will forward/route/[translate] packets...
  - ie. client makes outbound request, traffic flows through firewall's inbound and outbound tcp/ip stack where each packet is subject to the rules, if the traffic is allowed then the firewall will forward the traffic to the next hop.  when response traffic comes back this process is in reverse.

this can be hardware -or- software.
  - [hardware] shasta, nokia ip*** (which really runs checkpoint, so it's a toss-up)
  - [software] ipfw/ipfilter/checkpoint/etc.

[which one's better?]
depends on organizational structure, size, and the support availability for each of the options being evaluated both internally and from the vendor.  while it's a general consensus that proxies provide more security (in the form of application-level security, instead of network-level security), i'm personally a fan of firewalls.
0
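The packet flow described in the post above (rules applied to each packet, return traffic handled in reverse), as an added example that is not part of any post in this thread: a first-match packet filter with a state table, applied to the asker's OWA-in-a-DMZ scenario. All addresses, zone names and rules are constructed, OWA is assumed to be on HTTPS port 443, and NAT and protocol matching are left out.

```python
# Added illustration: first-match packet filter with a state table.
# Addresses, zones and rules are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_zone: str   # interface the packet arrived on: "wan", "dmz" or "lan"

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.2.0/24")
OWA = ip_network("192.168.2.10/32")   # assumed DMZ address of the Exchange/OWA box

# (arrival zone, source net, destination net, destination port or None, action)
RULES = [
    ("wan", ANY, OWA, 443, "allow"),   # Internet may reach OWA over HTTPS only
    ("lan", LAN, ANY, None, "allow"),  # internal clients may open connections out
    ("dmz", DMZ, LAN, None, "deny"),   # DMZ host may not open connections to the LAN
]

class Firewall:
    def __init__(self):
        self.states = set()   # flows opened by a packet that a rule allowed

    def filter(self, p: Packet) -> str:
        # Return traffic: the mirror image of a flow already allowed.
        if (p.dst, p.dport, p.src, p.sport) in self.states:
            return "allow"
        for zone, src_net, dst_net, dport, action in RULES:
            if (p.in_zone == zone
                    and ip_address(p.src) in src_net
                    and ip_address(p.dst) in dst_net
                    and dport in (None, p.dport)):
                if action == "allow":
                    self.states.add((p.src, p.sport, p.dst, p.dport))
                return action
        return "deny"   # default deny: no rule matched

if __name__ == "__main__":
    fw = Firewall()
    print(fw.filter(Packet("203.0.113.7", 40000, "192.168.2.10", 443, "wan")))  # OWA request
    print(fw.filter(Packet("203.0.113.7", 40001, "192.168.1.5", 3389, "wan")))  # unsolicited to LAN
```

A proxy, by contrast, would terminate the client's connection and open its own connection to the destination, so the filter would only ever see the proxy's address as the source.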

 
Droby10 Commented:
the best answer i can give is set up a dmz.
yes, you may only be providing a single service in the way of exchange...but it sounds like you could be expanding that at some point...it will also save you heartache when a get-by solution causes complete compromise of your systems.
0
 
geoffryn Commented:
Nenadic, What makes you think that ISA is based on FW-1?
0
 
emery_k Commented:
You could use some kind of a Hardware router/firewall with the server as a DMZ and let the router do NAT to firewall the rest of the boxes. I assume you just want Internet access for the users. Linksys, Netgear, Asante make low end routers, or look at Cisco.
0
 
DanR Commented:
MS Proxy includes packet filtering, which makes it a firewall.  I don't know if Microsoft would be my first choice for a security product, though.

You could run proxy, Exchange, etc. all on one server, but even Microsoft doesn't recommend that.

What I have done (on MS's recommendation) is set up Proxy on one machine, either PDC of its own domain or a member server (not DC) of your existing domain.  Then harden it by disabling unnecessary services (OK, everyone, stop laughing at the idea of "hardened" Windows).  Put the Exchange server behind it, and use reverse hosting to have the Proxy server pass traffic to it.

To enable the Exchange server to exchange mail with the Internet, you'll also have to do server proxying: install WinSock Proxy Client on it and do a little configuration as outlined in
http://www.windowsitlibrary.com/Content/272/2.html

But if you're using Win2k, then as mentioned above, ISA might be a better option.  I haven't used ISA, so I can't comment on it.  My understanding is that it's just an upgraded Proxy, so the configuration ought to be similar.

For security and stability reasons, I wouldn't run anything but Proxy on my proxy server if at all possible.

For such a small network, how about a Cobalt Qube?  It has a basic proxy on it....
0
 
geoffryn Commented:
Actually ISA is now a full-fledged stateful firewall with some application proxies.  It performs pretty well, but if you don't need Active Directory integration I would probably opt for a hardware solution like SonicWall or Watchguard.  They are easier to configure and troubleshoot.
0
 
PUB_UL Commented:
If you want to have the best firewall, go into Linux!
Else, just use a simple router (hardware).
0
 
DanR Commented:
No matter how you slice it, you should have your proxy/firewall on a separate device.  So I'll second geoffryn's comment; your life will be easier if that device is an appliance instead of a Windows server.  And it might be more secure....
0
 
bseaman Commented:
First, do not "upgrade" to sbs.  This product is notorious for its problems and has been since its inception.  Linux isn't a good firewall choice as most people don't know how to configure it and it may be hard to get support.  I suggest a hardware device.  There are many soho devices on the market that may be good for you.  I sell mostly the cisco pix.  The 506 model is less money than a pc and is dummy proof.  It will translate for your exchange web box and will protect your entire network.  Do NOT put exchange on the public network.  It will be most likely hacked in hours unless you know how to secure it and then it's still not too secure.  Remember that although proxy does offer some protection, it was developed to speed up internet access via caching for shops with slow links.  In my experience most software firewalls are more expensive and harder to work with than a dedicated firewall device.  The checkpoint is great if you have an extra server and 10 grand.  I have heard good things about the sonic wall devices although I'm no expert on them.  I have done what you're asking with the pix for dozens of clients, but I'm sure that most sub 1500$ devices would do the same thing.
Hope this helps.
Bob
0
 
emery_k Commented:
I agree with bseaman. I am running Linux for Apache, ftp, and am setting up email. I have multiple Virtual Hosts set up. I had linux running as a firewall then realized that a hardware device meant the network stayed up as I was restarting the Linux Box. If linux was the firewall it put a lot more heat on me to keep it up 24/7 while I was learning. I've used Linksys, Netgear, and Asante routers for DSL and been pretty pleased (the $100-$200 price tag is pretty painless). Most have the option of setting up one internal IP address as a DMZ where that computer appears from the internet side is exposed. Then you have NAT for the rest plus you can forward specific ports to specific computers. I've considered going with a higher end router but am not sure what the differences would be nor the costs.
0
