Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 198
  • Last Modified:

Firewall and Exchange Question

We currently have a LAN connected to the internet through a Cisco Router running NAT.  One of our servers, basically the main one, is running Exchange as well as File and Print Services.

We have NO firewall and need one desparately.  Because our ISP has an MX record for our server it is wide open on the internet.  

We are interested in getting a firewall, any recommendations?  Good time to get a proxy server/firewall at this time?

The only thing coming inside would need to be email from the outside, how would we set this up on the firewall?  Just open a certain port?  Which one?
0
jbiggs19
Asked:
jbiggs19
  • 3
  • 2
  • 2
  • +9
1 Solution
 
geoffrynCommented:
I like the Cisco PIX as a nice fast hardware solution.  If you want more features then Checkpoint FW-1 is a good firewall.  It sounds like you could get away with the lower end PIX and save yourself some money.  If all you need inbound is internet mail, the only port you need to open is 25(SMTP).  If you want people to be able to check their mail from the outside via POP3 or Outlook Web Access, you will need to open 110(POP3) and/or 80(HTTP).
0
 
lrmooreCommented:
I agree with geoffryn and I like the PIX.
Depending on your budget, you may be able to upgrade your router with the Firewall IOS for less money and accomplish much the same thing.
However, if budget allows, there is an old saying -
"let routers route and firewalls be the firewall". putting too many tasks onto the router bogs it down, but for small offices it may be the perfect solution.

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix_pa.htm
http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm

Just to re-state what geoffyn said about ports:

smtp - TCP port 25 - must be open both ways for the server to send and to receive.

If you have roving users that access their email from home or travel, open TCP port 110 for POP3, TCP port 443 for SSL, and if you use the web-based access, TCP port 80..

0
 
chris_calabreseCommented:
Might also check out the low-end netscreen's.  They're pretty inexpensive, easy to configure, and fast.
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
HousenetCommented:
I agree with chris_calabrese, Netscreen is faster , much much easier to configure... All you'd need to do is setup inbound smtp... port 25. I suggest a NS-5 elite. (Elite meaning unlimitted users). There is no advantage & several disadvantages between Pix & netscreen..
0
 
RUSTLERCommented:
I've been working with the Cisco PIX 515-UR,520-UR, FO firewalls and there pretty easy to set up...CISCO has a low end unit 506(handles 5 VPN sessions) to a beefy 512MB PIX 535...
0
 
AlfaisalCommented:
well i didnt work with the PIX and i dont know how fast is it, but i am working with Biodata BIGfire+, real peace of cack with its management software, and no butel nick and you can connect your mail server to Admin port and control the trafic to it.
and the price is resnable.....
http://www.biodata.com/us/products/bigfire/
0
 
jbiggs19Author Commented:
Currently we have an existing Cisco 2514 router performing NAT, we might just upgrade the IOS on this to the firewall version.
0
 
geoffrynCommented:
Make sure that your have enough RAM on the router,  The IOS firewall can really bang on the CPU and memory.
0
 
jwalsh88Commented:
Yeah I would not recommend upgrading the Cisco 2514 to the IOS firewall version.  Unless you want to pay more in memory upgrades then it would cost to get a small simple firewall.  I would look into something like the Watchgaurd Firebox 50.  It's about $700 unless you have less then 25 or even 10 users,  Then the cost for a hardware based firewall would be either $500 or $300 dollars respectively.  In case you didn't guess the Firebox 50 allows for 50 users.

I like the PIX more but even the bottom of the line PIX is still 1500.00
0
 
SunBowCommented:
To round out choice_list, Microsoft for IIS now has this:

Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview
http://www.microsoft.com/TechNet/isa/isatecov.asp

Ports as above, unless you want more like ftp, open as needed.
0
 
Shoeb_786Commented:
Cisco PIX is good in your situation
0
 
RUSTLERCommented:
I recommend the PIX 516..
You set up a nat pool,let say 10.2.X.X/16 on your firewall.Then create a static entry to associate the real ip to IP internally. Finally open the ports required for pop and smtp by using access-list commands with pix 5.0 version or higher or conduit commands such as...
static (inside,outside) 206.189.16.30 10.2.1.30 netmask 255.255.255.255 0 0
conduit permit tcp host 206.189.16.30 eq smtp any
conduit permit tcp host 206.189.16.30 eq pop3 any
0
 
lrmooreCommented:
This question appears to be abandoned. I will allow one week before I close this

question with the following recommendation:

I recommend splitting  rejecting RUSTLER's proposed answer and awarding points to each
20 to geoffryn
20 to lrmoore
20 to jwalsh88
20 to sunbow
20 to alfaisal

if there is any objection to this recommendation then please post in here within

7 days.

thanks,

lrmoore
EE Cleanup Volunteer
---------------------
0
 
lrmooreCommented:
That much point split not a good idea. PAQ.
0
 
NetminderCommented:
Per recommendation, points NOT refunded and question closed.

Netminder
EE Admin
0
 
zenlion420Commented:
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts forfeited.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor

..................................again :)
0

Featured Post

WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

  • 3
  • 2
  • 2
  • +9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now