We help IT Professionals succeed at work.

Configuring co-lo servers and home office firewalls/VPN

billbiv asked
We are a small web application development firm.  We currently co-locate a mail (MDaemon Pro)/IIS/ColdFusion/MSSQL2000 MSWIN2KAdvanced server box at our ISP.  We access and manage it via Terminal Services and have been generally happy with TS, although file transfers always have to be done via IIS/FTP... We have cable internet access at our office (Pro - 5 static IPs, 3.5Mb download/384k Upload).

We host less than 20 sites/applications, but they do count on "staying up" and not getting hacked.

We are now moving to a multi-box set-up where we are separating the mail, web/app and SQL services into three boxes.  We want to make the set-up as secure as possible while allowing us to continue to manage the systems from our office and also to perform data-backups that way - both copying data between the machines at the ISP and also downloading from the ISP machines to the office.  My budget for firewall protection can go as high as $2500 for both ends toghether (an appliance at our ISP in front of the boxes and an appliance at our office to enable VPN), although I would like to spend less.

Bottom line is that we've grown enough that we know we need to upgrade the entire co-lo set up both for security and for reliability.  We seem to have been able to keep the current system relatively secure via constant attention, patching, and close adherance to Microsoft's security recommendations.  Still, I look forward to the peace of mind of a true firewall.

The biggest question I have is, given my descriptions above, what specific firewall appliance models would you recommend for each end (at the ISP and at the office)?  I have been studying and considering: Cisco Pix 560e, Netscreen 5* series, SonicWall SOHO and Pro 100 and Watchguard Firebox SOHO and 700.  The "cheaper" side of me has also be wistfully wondering if I couldn't "get by" with a LinkSys or Netgear unit.  I suspect, though, that the routing requirements we'll have on the ISP side will require something more.

I also want to ask specifically whether the web server can also sit behind the firewall when we have multiple public static IPs that we are using to get to the various virtual web sites under IIS. Can all firewalls map any number of public static IPs to internal/private static IPs, or can only a certain "level" of firewall do that & how can I tell?  And can all of them be mapping into a DMZ?

Along those same lines, what would be the best configuration for the co-lo set up? Should the web server sit exposed in front of the firewall and the SQL and Mail machines sit behind it?  Can all three be firewall protected?  Can the machines be configured using multiple nics in such a way as to enable routine data-backup between each other without comprimising the security of the machines.

Finally, would anyone recommend switching to a more full-featured remote management app vs. Terminal Services (such as PC Anywhere)?  Can two such apps co-reside?  I really like TS in general, but also long for the file transfer capablitity offered in an app such as PC Anywhere.  I'm not sure I'm ready to give up TS entirely....

I've been doing a lot of reading but have no hands-on experience yet beyond the software firewalls of ZoneAlarms Pro and McAffee, which I've been using on various of our machines for over a year now.  I am fairly literate in Windows & Mac operating systems and am generally comfortable with ethernet and TCP/IP networking concepts. I do prefer gui systems vs command-line and ease of use is a relavant factor for me.  I will pay more for a product that is more intuitive and easy to manage vs. one that is less intuitive and less expensive.  Cisco's Pix Device Manager looks pretty good, for example - how do NetScreens', Watchguards' and SonicWalls' managers compare?

I *have* read through several of the firewall questions/answers, but I really haven't seen anything that gave me all I needed.  Hopefully this post will help and please know that I really appreciate each response!

Watch Question

Sr. Systems Engineer
Top Expert 2008
I'm partial to Cisco PIX. One advantage is that you can use the Cisco VPN client to access the "inside" network securely giving you full access to all the servers behind it. The new GUI is pretty slick, too. Because you are doing this as a business, I would suggest a business-class device like the PIX and not rely on anything like a SOHO linksys or d-link. You have SO many more options and capabilities with a PIX I can't even begin to count them. The PIX can map any number of static IP's, the soho like Linksys can only do one.

At your end, you could go with a low end Linksys VPN model and create a LAN-LAN VPn tunnel with the PIX.

yes, you can create a "private" network with additional nic's on each box and do all the backups and admin work through that network.

Terminal services are faster, cheaper, and more secure than any other remote control application. Stick with it, it's free. With TS, you can actually map a local drive and drag/drop files easily.

Hope this helps!
Hi there,

I suggest you have a look at Checkpoint Fw-1 (www.checkpoint.com) and look at the VPN-1 .. not the SOHO boxes .. the Fw-1 can do everything the pix can but on the platform of your choise. It runs on AIX, W2k, Linux, Solaris, Nokia IPSO, and there are many diff appliences depending on the platform choise you want. Sun uses LX50 and Nokia have there IPSO (bsd) line .. intrusion.com have Linux appliences and so on and so on ..

The best thing is .. it can be scaled to work as a 5 user firewall up to clustered 50 thousand users without having to be reinstalled .. just upgrade the license .. upgrade the hardware .. although many times the OS needs to be reinstalled with new hardware but I think you get my point .. you don't have to pay the firewall reseller money if you want more memory like in PIX ..
You can also use the same license on a linux box as on a w2k or AIX so you can change OS when you expand your company if needed.

The VPN client software is free aswell and you'd love it I'm sure of that ..

Then Checkpoint started the OPSEC (www.opsec.com) framework which allowes 3rd party vendors to create 100% compatible products witch are certified to work with Fw-1 .. there is many diff things like Trendmicro Antivirus that can talk via CVP (content vector protocol) to let Fw-1 auto scan mail, http, ftp and so on for viruses. There is RSA SecurID which allowes users to authenticate with a strong two factor authentication direct to the Fw-1....

I think you get my point .. have a look at it .. I don't think there are any prices listed on the net but contact the closest reseller and he'll (or she'll if your lucky) give you the prices .. otherwise get back to me and I can supply you with prices ..

Best Regards,

if you are worried about getting hacked and you have some money I would go with the new Sidewinder G2, alot of people are jumping on the bandwagon with the unhackable security and the nice bandwidth.  Just a thought, everybody goes with checkpoint and pix because of the support, ease of use and administration, and its a bit cheaper but if you want 100% undenable security Sidewinder is the way to go.
Humm .. isn't Sidewinder the old Gauntlet? .. sure .. it's great .. but it has two major problems .. 1. administration .. it was a pain in the ass to work with it .. create plugs and ports .. I haven't used Sidewinder .. but I'm speaking of Gauntlet here ...
2. It's not a very common product .. which makes it harder to sell due to customers want products they can get competence on and they know it'll stay alive on the market ..

But .. I'm not saying It's bad tough ..


All helpful comments so far, thank you!

Irmoore, thanks for the recommendation on the PIX - ease of use is definitely important to me and thank you VERY much for the TS note -- I had not thought of mapping the local drives to transfer between the units -- (forehead slap, duh!).  Also glad to hear the private network with separate nics will work.  Will have to figure out the exact details on that, but I thought it made sense...  Very helpful answer!

bcastaldo -- Sidewinder G2 looks very strong, but the $5k+ tag for their entry level stuff is way out of my budget and the ease of use issue is also important to me.  Thanks for the rec though...

Magnus -- does Checkpoint have to run on a dedicated machine?  I'm not clear on that -- can it run on the same box as the web/app server, for example?  Also, I've had trouble getting a feel for the pricing -- it looks like the software for the VPN1 might be a few hundred? -- I'll get more info from them if I can run it on the same machine as my web/app server.  If I have to have a dedicated machine, I might prefer the PIX.

I'm going to wait another day or two for additional comments before accepting answers & closing this one out.  Thanks everyone!


Les MooreSr. Systems Engineer
Top Expert 2008
Checkpoint absolutely requires a dedicated system.
Humm .. you don't HAVE to use a dedicated machine but I most certenly recommend it! I wouldn't recomend using Checkpoint if you have to install it on the same server as the web/app. But I don't see why you would go for PIX in that case .. PIX is always always a dedicated machine 'cause of the fact that it's applience only. You can't install cisco IOS on a pc and you can't install IIS on cisco IOS =)
So if you go for PIX then you have a dedicated unscalable firewall instead of a cheaper more powerful dedicated scalable firewall in Checkpoint .. the prices .. humm .. It's licensed on the number of ip's that will send data through the firewall that's NOT coming from the external interface .. in your case it's about 5 ip's or something? I know the list price for it but I don't know how many % your reseller is adding but 5 user license isn't more than a few hundred perhaps .. then add a few hundred on a standard pc  .. install redhat or use Checkpoint own pre secured linux platform .. free of charge .. then you have a powerfull firewall for perhaps .. $500 - $750 .. a firewall which you can scale up to ... a few hundred servers without having to upgrade the hardware.

Hi billbiv,


Checkpoint is expensive and every year you need to pay software subscription which cost you arm and leg.

PIX is cheap and good appliance but if you want to do client-to-site VPN you need to have external authentication server (RADIUS/TACACS). Probably Cisco would recommend you to also buy Cisco ACS for additional $10k.

Netscreen is more expensive than PIX but that's all you need. You don't have to pay expensive annual software subscription. Also no need to buy RADIUS server.

Watchguard is cheapest among all, but VPN license is at additional cost. It's also easy to configure and you won't regret subscribing to their Security LiveUpdate.

All firewall above are manageable by Web based interface (like PIX Device Manager that you saw before).


All firewalls above capable to do NAT of multiple public IP to multiple internal addresses.


Some people use two tier firewall:


They place webservers on DMZ and SQL servers on LAN

But if you only have firewall, you still can apply same scenarion but this way:


So SQL servers would NEVER be accessible directly from the Internet.


Nothing more efficient than VNC (http://www.uk.research.att.com/vnc/download.html) for remote control.
But if you need to transfer file, I suggest that you use Secure Copy (SCP).
SCP works over OpenSSL protocol (www.openssl.org) which also has port to Windows platform.
As a client, you can use WinSCP, an explorer like Secure Copy client that allows you to do drag and drop of files from local to remote and vice versa.

VNC and SCP are so popular because it's compatibility among different platforms like Linux, Solaris, Windows, BSD, etc.

Hope this helps.

PS: VNC + SCP will provide you good combination of Remote Control and Secure File Transfer. :)
Les MooreSr. Systems Engineer
Top Expert 2008
You don't need Radius/Tacacs+ for VPN authentication with PIX. It is an option, and you can use Microsoft's built-in Radius (Internet Authentication Server) that is FREE already if you have any Windows 2K server.

>Nothing more efficient than VNC
Except built-in Terminal services (Win2k server) or Remote Desk Protocol (Win XP or Win2k3)

Just my 2 cents...
Hi lrmoore,

Agree with you. But without external RADIUS/TACACS, if you need to configure 50 remote VPN users, means you have to configure 50 individual tunnels. CMIIW.
Checkpoint is NOT more expensive than the others for a 5 user license .. sure If you buy a SVN Bundle for unlimited users on checkpoint it's a $20k package .. but then you get everythink you ever wanted from a gateway ..
I'm installing Checkpoints every week at customers who have netscreen and watchguard boxes .. and theese customers change gateway for a reason .. they can't perform .. check out Netscreen 25 .. it's state table can only handle 4k sessions .. you need like .. one laptop with nmap to perform a state table timeout.

PIX is really good .. as I said .. I'd go for Checkpoint or PIX .. the only think I don't like about PIX is the forced appliance .. if you want more mem or more cpu you have to buy it from Cisco .. it's very expensive in the long run ..

And for the software subscription part of Checkpoint it's not that expensive .. it a percentage of the list price and on this $400 licence it's perhaps 10%/year .. and then you get all upgrades minor aswell as major upgrades and you also get access to the regular knowledgebase.

Ohh .. almost forgott .. watchguard .. the best way to use a watchguard firewall is to open it up .. throw out everything you see inside .. open up your PlayStation uint .. put everything from the PS into the WG box .. make some holes for all wiring .. THERE YOU GO .. now you've got a really cool PS with alot of flashing diods and a nasty looking triangle on the front ..



Thank you all *very much* -- this conversation has been really helpful to me.  I am going to give the PIX a shot first.  My scenario requires very limited VPN connections and I expect minimal "network" growth -- I do not expect to add new units at the colo facility for at least a year and probably not any at my office for that long as well.  I really appreciate the configuration input -- thank you very much judhi for the sketch!

I'm going to close this one down now & split up the points.  Thank you everyone!


Explore More ContentExplore courses, solutions, and other research materials related to this topic.