JohnnieMiami
asked on
Firewall/router...what do I need?
We have a small network with an NT server (IIS web server), W2k Server, a unix server and Lotus Notes email server. We need to get something to protect us from things like Code Red, etc. but we also want to be able to access these servers from outside for our developers. We need something to protect us but we are not sure if we need a firewall or a router or both.
Thanks!
ASKER CERTIFIED SOLUTION
Well, I'm not familiar with your exact needs, but it's really a matter of the money you're willing to spend.
I recommend a good and solid FW+VPN(+NAT router) device that will enable you to control access, view the reports etc.
Your developers would be able to access the internal network via VPN and the rest of the world will only be able to access specific servers on specific protocols (via Protocol Address Translation for instance).
I personally own a SofaWare Safe@Office which is a very good, fairly priced appliance. It's extremely easy to manage, and it'll answer all your network needs. Your developers could have access to your internal network using Check Point's SecuRemote, for instance, into the Safe@Office VPN server.
There are many solutions and designs for the nature of your requirements. Whatever you decide you should deploy a Defence-in-depth (DiD) solution that is easy to administer and cost effective.
Whether using a Pentium-class PC with multiple interfaces running a secure version of Linux and IPFilter firewall (see Seattle Seawall for a secure solution - http://seawall.sourceforge.net/) or using one of the commercially available (and supportable) solutions such as NetScreen or SonicWall firewalls (http://www.netscreen.com/main.html and http://www.sonicwall.com/), you should consider Demilitarized Zones (or DMZs) between the Internet and your corporate network. A firewall on the outside of your NAT'd DMZ will handle web traffic (and can provide Internet routing). Then on a switched LAN you can lay out your bastioned servers (locked down, running only the services that are necessary) and then you place another firewall between your switched DMZ and your corporate LAN.
Logically it would look something like this:
==Internet==
|
|
Firewall
|
|
===Switch==|server|
|
|
Firewall
|
|
==Corporate LAN==
The rules on the outside firewall will allow access to the DMZ server on a particular port and can route, NAT and provide port translation.
The rules on the internal firewall can allow the server access to backend database systems and authentication servers on specified ports and allow your internal LAN access to the DMZ servers on particular ports. This box can also run an IDS such as Snort to track any known attacks, trojans and worms and send alerts to your management systems that reside on your internal network (I have mine sent directly to my pager - fix the false positives before you do this :-)
I would suggest that you stay away from Windows-based systems to run as security servers (e.g. Firewalls and IDS) as there are a lot of worms and buffer exploits that are being discovered every moment for these platforms.
Finally, developers can access the systems via a number of secure methods such as SSL-based WebDAV environments, SSH and IPsec that terminates directly on the outside firewall. Check out Linux FreeS/WAN (http://www.freeswan.org/intro.html) for more information on building a free VPN concentrator.
As you can tell, I like OpenSource solutions but this may not be the solution for you if you don't have the expertise on staff to support this.
Regards,
Gary Freeman
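As an added example, not part of this thread and not code from Seawall, FreeS/WAN or any product named here: the two rule sets below sketch the two-firewall layout in the answer above on a Linux box with iptables (chosen because it is what a current Linux firewall host runs; the thread's own pointers are to Seawall and IPFilter). It also covers the first answer's point that the outside world should reach specific servers on specific ports only, via port translation, while developers come in over IPsec or SSH terminated on the outside firewall. Every address, interface name and the backend port 1433 (assuming SQL Server on the W2k box) is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Two iptables rule sets for the
# Internet -> firewall -> switched DMZ -> firewall -> corporate LAN layout.
# All addresses, interfaces and the database port are assumptions.
# Set IPT=echo to print the rules instead of applying them (dry run).

IPT="${IPT:-iptables}"

# Assumed addressing (RFC 1918 and documentation ranges, chosen for the example)
DMZ_NET=192.168.10.0/24      # switched DMZ behind the outside firewall
DMZ_WEB=192.168.10.10        # IIS bastion host (the only publicly reachable box)
LAN_NET=10.0.0.0/24          # corporate LAN behind the inside firewall
LAN_DB=10.0.0.20             # backend database the web server needs
DEV_NET=203.0.113.0/24       # developers' source range (assumed)
OUT_PUBLIC_IP=198.51.100.5   # outside firewall's Internet address (assumed)

# Outside firewall: Internet on eth0, DMZ on eth1. Default deny, then open
# exactly the holes the bastion host needs. Everything else is logged and
# dropped, so a Code Red style probe on another port never reaches the NT box.
outside_firewall_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Return traffic for connections already allowed below
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Port translation: public IP:80 -> bastion web server. Only TCP/80 is
    # exposed; NetBIOS, RPC and the rest of the NT server stay invisible.
    $IPT -t nat -A PREROUTING -i eth0 -d "$OUT_PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB":80
    $IPT -A FORWARD -i eth0 -o eth1 -d "$DMZ_WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Developers: IPsec (IKE on UDP/500 plus ESP) and SSH terminate on this box
    $IPT -A INPUT -i eth0 -s "$DEV_NET" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i eth0 -s "$DEV_NET" -p esp -j ACCEPT
    $IPT -A INPUT -i eth0 -s "$DEV_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Hide DMZ and LAN addresses behind the public IP for outbound traffic
    $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "$OUT_PUBLIC_IP"
    # Catch-all: log so the IDS/management host can see probes, then the
    # DROP policy takes over
    $IPT -A FORWARD -j LOG --log-prefix "OUTSIDE-FW-DROP: "
    $IPT -A INPUT   -j LOG --log-prefix "OUTSIDE-FW-DROP: "
}

# Inside firewall: DMZ on eth0, corporate LAN on eth1. The point of this box is
# that a compromised bastion host cannot reach the LAN except on the specific
# backend ports it legitimately needs.
inside_firewall_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Web server -> backend database only (port 1433 is an assumption)
    $IPT -A FORWARD -i eth0 -o eth1 -s "$DMZ_WEB" -d "$LAN_DB" -p tcp --dport 1433 -m state --state NEW -j ACCEPT
    # Internal staff -> DMZ servers on admin and web ports only
    $IPT -A FORWARD -i eth1 -o eth0 -s "$LAN_NET" -d "$DMZ_NET" -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
    # Anything else from the DMZ toward the LAN is a worm or intruder symptom:
    # log it (Snort/syslog on this box can alert on the prefix), then drop
    $IPT -A FORWARD -i eth0 -o eth1 -j LOG --log-prefix "DMZ-TO-LAN-DROP: "
}

# Usage: ./dmz-fw.sh outside   or   ./dmz-fw.sh inside
#        IPT=echo ./dmz-fw.sh outside   prints the rules without applying them
case "${1:-}" in
    outside) outside_firewall_rules ;;
    inside)  inside_firewall_rules ;;
esac
```

The two functions are meant to run on two separate hosts; the important property is in the inside set, where the only NEW connection permitted from the DMZ interface toward the LAN is the web server talking to the database port, so a worm on the bastion host has nowhere to go but the log.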
Consider looking into the Cisco PIX Firewall series. Depending on the size and requirements of your network infrastructure, it sounds like you could probably get by with a relatively low-cost solution such as the PIX 506E or 515E. The 515E is faster and provides DMZ capabilities. Make sure to get the 3DES VPN upgrade & SMARTnet warranty contract. They both are inexpensive add-ons. The PIX is highly robust, offers granular access to network resources, and VPN operates seamlessly. It should be able to do pretty much whatever you need. The Check Point platform is good also, but is pricey in comparison (especially support contract renewal), and is better suited to larger enterprises.
Regards,
Jonathan
Some makers of appropriate firewall/VPN devices are NetScreen, Cisco (the PIX line), and SonicWall.