

Firewall/router...what do I need?

Posted on 2003-04-01
Medium Priority
Last Modified: 2013-11-16
We have a small network with an NT server (IIS web server), W2k Server, a unix server and Lotus Notes email server.  We need to get something to protect us from things like codered, etc but we also want to be able to access these servers from outside for our developers.  We need something to protect us but we are not sure if we need a firewall or a router or both.  

Question by:JohnnieMiami

Accepted Solution

cwrea earned 200 total points
ID: 8247620
You should look at combination firewall & VPN appliances.  

The firewall part of such an appliance will help you secure your network from outsiders.  But that's not all you should be doing - good and updated antivirus, intrusion detection, and proactive patching are recommended as well.

The VPN (virtual private networking) part of the appliance will allow your developers to remotely establish a connection with your network so they can access internal network resources.  You may also want to investigate strong authentication mechanisms like a SecurID card so you know for sure only authorized developers are coming in through your VPN.


Expert Comment

ID: 8248313
Agreed. Though X.509 certificates or something like the Rainbow iKey is much more cost effective than SecurID these days.

Some makers of appropriate firewall/VPN devices are Netscreen, Cisco (the PIX line), and Sonicwall

Expert Comment

ID: 8248740
Well, I'm not familiar with your exact needs, but it's really a matter of the money you're willing to spend.
I recommend a good and solid FW+VPN(+NAT router) device that will enable you to control access, view the reports etc.
Your developers would be able to access the internal network via VPN and the rest of the world will only be able to access specific servers on specific protocols (via Protocol Address Translation for instance).
I personally own a SofaWare Safe@Office which is a very good, fairly priced appliance. It's extremely easy to manage, and it'll answer all your network needs. Your developers could have access to your internal network using Check Point's secure remote for instance into the Safe@Office VPN Server.

Expert Comment

ID: 8249961
There are many solutions and designs for the nature of your requirements.  Whatever you decide you should deploy a Defence-in-depth (DiD) solution that is easy to administer and cost effective.

Whether using a pentium class PC with multiple interfaces running a secure version of Linux and IPFilter firewall (see Seattle Seawall for secure solution - http://seawall.sourceforge.net/) or using one of the commercially available (and supportable) solutions such as NetScreen or SonicWall Firewalls (http://www.netscreen.com/main.html and http://www.sonicwall.com/), you should consider Demilitarization Zones (or DMZs) between the Internet and your corporate network.  A firewall on the outside of your NAT'd DMZ will handle web traffic (and can provide internet routing).  Then on a switched LAN you can lay out your bastioned servers (locked down running only services that are necessary) and then you place another firewall between your switched DMZ and your corporate LAN.

Logically it would look something like this:

==Corporate LAN==

The rules on the outside firewall will allow access to the DMZ server on a particular port and can route, NAT and provide port translation.

The rules on the internal Firewall can allow the server access to backend Database systems and authentication servers on specified ports and allow your internal LAN access to the DMZ servers on particular ports.  This box can also run IDS such as SNORT to track any known attacks, trojans and worms and send alerts to your management systems that reside on your internal network (I have mine sent directly to my pager - fix the false positives before you do this :-)

I would suggest that you stay away from Windows-based systems to run as security servers (e.g. Firewalls and IDS) as there are a lot of worms and buffer exploits that are being discovered every moment for these platforms.

Finally, developers can access the systems via a number of secure methods such as SSL-based WebDav environments, SSH and IPSEC that terminates directly on the outside Firewall.  Check out Linux FreeS/WAN (http://www.freeswan.org/intro.html) for more information on building a free VPN concentrator.

As you can tell, I like OpenSource solutions but this may not be the solution for you if you don't have the expertise on staff to support this.


Gary Freeman
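As an added illustration of the two-firewall DMZ layout described in the comment above (this is example code, not anything from the thread or a product; the addresses, ports and host roles are constructed), the snippet models each firewall as a default-deny rule list and checks which flows each tier lets through:

```python
# Added example: model the outside and inside firewalls of a DMZ design as
# first-match, default-deny rule lists and evaluate sample flows against them.
# Addresses, ports and host roles below are constructed for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the connection originates from
    dst: str      # CIDR the connection is going to
    dport: int    # TCP destination port (0 matches any port)
    action: str   # "allow" or "deny"


def evaluate(rules, src, dst, dport):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (0, dport):
            return r.action
    return "deny"   # default deny: anything not explicitly published is dropped


ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"          # constructed DMZ subnet
LAN = "10.10.0.0/16"          # constructed corporate LAN
WEB = "192.0.2.10/32"         # bastioned web server in the DMZ
DB = "10.10.1.5/32"           # backend database on the LAN
AUTH = "10.10.1.6/32"         # authentication server on the LAN

# Outside firewall: the Internet may reach only the published web ports on the
# DMZ web server; nothing from outside reaches the LAN directly.
OUTSIDE = [
    Rule(ANY, WEB, 80, "allow"),
    Rule(ANY, WEB, 443, "allow"),
]

# Inside firewall: the DMZ web server may reach only the database and auth
# ports it needs; the LAN may administer DMZ hosts over SSH; nothing else.
INSIDE = [
    Rule(WEB, DB, 1433, "allow"),
    Rule(WEB, AUTH, 389, "allow"),
    Rule(LAN, DMZ, 22, "allow"),
]


def dmz_can_reach_lan_hosts(rules, dmz_host, lan_hosts, dport):
    """List which LAN hosts a (possibly compromised) DMZ host could reach on dport."""
    return [h for h in lan_hosts if evaluate(rules, dmz_host, h, dport) == "allow"]
```

The useful check is the last function: a worm that lands on the DMZ web server should find only the database and auth ports open to it, never the workstation range.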

Expert Comment

ID: 8277876
Consider looking into the Cisco Pix Firewall series.  Depending on the size and requirements of your network infrastructure, it sounds like you could probably get by with a relatively low-cost solution such as the Pix 506E or 515E.  The 515E is faster and provides DMZ capabilities.  Make sure to get the 3DES VPN upgrade & SMARTnet warranty contract.  They both are inexpensive addons.  The Pix is highly robust, offers granularized access to network resources, and VPN operates seamlessly.  It should be able to do pretty much whatever you need.  The Checkpoint platform is good also, but is pricey in comparison (especially support contract renewal), and is better suited to larger enterprises.


