Firewall/router...what do I need?

Posted on 2003-04-01
Medium Priority
Last Modified: 2013-11-16
We have a small network with an NT server (IIS web server), W2k Server, a unix server and Lotus Notes email server.  We need to get something to protect us from things like codered, etc but we also want to be able to access these servers from outside for our developers.  We need something to protect us but we are not sure if we need a firewall or a router or both.  

Question by:JohnnieMiami

Accepted Solution

cwrea earned 200 total points
ID: 8247620
You should look at combination firewall & VPN appliances.  

The firewall part of such an appliance will help you secure your network from outsiders.  But that's not all you should be doing - good and updated antivirus, intrusion detection, and proactive patching are recommended as well.

The VPN (virtual private networking) part of the appliance will allow your developers to remotely establish a connection with your network so they can access internal network resources.  You may also want to investigate strong authentication mechanisms like a SecurID card so you know for sure only authorized developers are coming in through your VPN.


Expert Comment

ID: 8248313
Agreed. Though X.509 certificates or something like the Rainbow iKey is much more cost effective than SecurID these days.

Some makers of appropriate firewall/VPN devices are Netscreen, Cisco (the PIX line), and Sonicwall.

Expert Comment

ID: 8248740
Well, I'm not familiar with your exact needs, but it's really a matter of the money you're willing to spend.
I recommend a good and solid FW+VPN(+NAT router) device that will enable you to control access, view the reports etc.
Your developers would be able to access the internal network via VPN and the rest of the world will only be able to access specific servers on specific protocols (via Protocol Address Translation for instance).
I personally own a SofaWare Safe@Office which is a very good, fairly priced appliance. It's extremely easy to manage, and it'll answer all your network needs. Your developers could have access to your internal network using Check Point's SecuRemote for instance into the Safe@Office VPN Server.

Expert Comment

ID: 8249961
There are many solutions and designs for the nature of your requirements.  Whatever you decide you should deploy a Defence-in-depth (DiD) solution that is easy to administer and cost effective.

Whether using a pentium class PC with multiple interfaces running a secure version of Linux and IPFilter firewall (see Seattle Seawall for secure solution - http://seawall.sourceforge.net/) or using one of the commercially available (and supportable) solutions such as NetScreen or SonicWall Firewalls (http://www.netscreen.com/main.html and http://www.sonicwall.com/), you should consider Demilitarization Zones (or DMZs) between the Internet and your corporate network.  A firewall on the outside of your NAT'd DMZ will handle web traffic (and can provide internet routing).  Then on a switched LAN you can lay out your bastioned servers (locked down running only services that are necessary) and then you place another firewall between your switched DMZ and your corporate LAN.

Logically it would look something like this:

==Corporate LAN==

The rules on the outside firewall will allow access to the DMZ server on a particular port and can route, NAT and provide port translation.

The rules on the internal Firewall can allow the server access to backend Database systems and authentication servers on specified ports and allow your internal LAN access to the DMZ servers on particular ports.  This box can also run IDS such as SNORT to track any known attacks, trojans and worms and send alerts to your management systems that reside on your internal network (I have mine sent directly to my pager - fix the false positives before you do this :-)

I would suggest that you stay away from Windows-based systems to run as security servers (e.g. Firewalls and IDS) as there are a lot of worms and buffer exploits that are being discovered every moment for these platforms.

Finally, developers can access the systems via a number of secure methods such as SSL-based WebDAV environments, SSH and IPSEC that terminates directly on the outside Firewall.  Check out Linux FreeS/WAN (http://www.freeswan.org/intro.html) for more information on building a free VPN concentrator.

As you can tell, I like OpenSource solutions but this may not be the solution for you if you don't have the expertise on staff to support this.


Gary Freeman
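The two-firewall layout in the comment above (outside firewall with NAT in front of a DMZ, internal firewall between the DMZ and the corporate LAN) can be modelled as two first-match rule sets and a packet walk across them. The following is an added example, not code from the thread or from any of the products named in it: the addresses, host roles and port numbers are constructed, the rule evaluation is a simplified model of the first-match, default-deny behaviour of IPFilter or iptables, and stateful return traffic is not modelled. Its point is to show the property the design buys you: a bastion in the DMZ can reach only the backend ports it was explicitly granted, so a compromised web server cannot wander into the LAN.

```python
"""
Model of the two-firewall DMZ design: outside firewall in front of the DMZ,
internal firewall between the DMZ and the corporate LAN. Added example,
not part of the thread; addresses, hosts and ports are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing: TEST-NET ranges outside, RFC 1918 ranges inside.
ANY      = ip_network("0.0.0.0/0")
DMZ_NET  = ip_network("192.168.2.0/24")
LAN_NET  = ip_network("10.0.0.0/24")
FW_OUT   = ip_address("203.0.113.1")   # outside firewall's public interface (IPsec endpoint)
WEB_PUB  = ip_address("203.0.113.10")  # public address published for the web server
WEB_DMZ  = ip_address("192.168.2.10")  # bastion web server in the DMZ
DB_LAN   = ip_address("10.0.0.20")     # backend database on the corporate LAN
AUTH_LAN = ip_address("10.0.0.21")     # authentication (LDAP) server on the LAN

def host(addr: IPv4Address) -> IPv4Network:
    return ip_network(f"{addr}/32")

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                    # "tcp", "udp", "esp" or "any"
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

@dataclass
class Firewall:
    name: str
    rules: list
    dnat: dict = field(default_factory=dict)   # public address -> DMZ address

    def check(self, src, dst, proto, dport):
        """First-match evaluation (IPFilter/iptables style) after destination NAT."""
        dst = self.dnat.get(dst, dst)
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                return rule.action, rule.note
        return "deny", "implicit default deny"

OUTSIDE = Firewall("outside", dnat={WEB_PUB: WEB_DMZ}, rules=[
    Rule("allow", ANY, host(WEB_DMZ), "tcp", 80, "public web traffic, after port translation"),
    Rule("allow", ANY, host(FW_OUT), "udp", 500, "IKE from remote developers"),
    Rule("allow", ANY, host(FW_OUT), "esp", None, "IPsec tunnels terminate on the firewall"),
    Rule("allow", LAN_NET, ANY, "any", None, "outbound from the corporate LAN"),
    Rule("deny", ANY, ANY, "any", None, "explicit default deny"),
])

INTERNAL = Firewall("internal", rules=[
    Rule("allow", host(WEB_DMZ), host(DB_LAN), "tcp", 1433, "web tier to database only"),
    Rule("allow", host(WEB_DMZ), host(AUTH_LAN), "tcp", 389, "web tier to LDAP auth only"),
    Rule("allow", LAN_NET, DMZ_NET, "tcp", 22, "admins manage the bastion hosts"),
    Rule("allow", LAN_NET, DMZ_NET, "tcp", 80, "staff reach the DMZ web site"),
    Rule("allow", LAN_NET, ANY, "any", None, "outbound from the corporate LAN"),
    Rule("deny", ANY, ANY, "any", None, "explicit default deny"),
])

# Zones in increasing order of trust; firewall i sits between zone i and zone i+1.
def zone(addr: IPv4Address) -> int:
    if addr in LAN_NET:
        return 2
    if addr in DMZ_NET:
        return 1
    return 0

FIREWALLS = {0: OUTSIDE, 1: INTERNAL}

def trace(src: str, dst: str, proto: str, dport: Optional[int]) -> str:
    """Walk a packet through every firewall between its source and destination zones."""
    src, dst = ip_address(src), ip_address(dst)
    a, b = zone(src), zone(OUTSIDE.dnat.get(dst, dst))   # published address lives in the DMZ
    boundaries = range(a, b) if a < b else range(a - 1, b - 1, -1)
    for i in boundaries:
        fw = FIREWALLS[i]
        verdict, note = fw.check(src, dst, proto, dport)
        if verdict == "deny":
            return f"denied by {fw.name} firewall: {note}"
        dst = fw.dnat.get(dst, dst)   # carry the translated address inward
    return "allowed"

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "203.0.113.10", "tcp", 80),   # visitor to the web site
                ("198.51.100.7", "10.0.0.20", "tcp", 1433),    # visitor straight at the database
                ("192.168.2.10", "10.0.0.20", "tcp", 1433),    # web tier to its database
                ("192.168.2.10", "10.0.0.5", "tcp", 445)]:     # bastion toward a LAN workstation
        print(f"{pkt[0]} -> {pkt[1]}:{pkt[3]}/{pkt[2]}: {trace(*pkt)}")
```

The deny rows are the ones worth reading: the database is unreachable from the Internet because nothing on the outside firewall translates or permits it, and the bastion's only paths into the LAN are the two backend ports it was granted, so SMB from the DMZ toward a workstation stops at the internal firewall. When transcribing such a model into a real rule set, keep the explicit deny-all as the last line of every chain and log it; those log lines are the cheapest intrusion detection you will get.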

Expert Comment

ID: 8277876
Consider looking into the Cisco Pix Firewall series.  Depending on the size and requirements of your network infrastructure, it sounds like you could probably get by with a relatively low-cost solution such as the Pix 506E or 515E.  The 515E is faster and provides DMZ capabilities.  Make sure to get the 3DES VPN upgrade & SMARTnet warranty contract.  They both are inexpensive add-ons.  The Pix is highly robust, offers granularized access to network resources, and VPN operates seamlessly.  It should be able to do pretty much whatever you need.  The Checkpoint platform is good also, but is pricey in comparison (especially support contract renewal), and is better suited to larger enterprises.
