billbiv
asked on
Configuring co-lo servers and home office firewalls/VPN
We are a small web application development firm. We currently co-locate a mail (MDaemon Pro)/IIS/ColdFusion/MSSQL2
We host less than 20 sites/applications, but they do count on "staying up" and not getting hacked.
We are now moving to a multi-box set-up where we are separating the mail, web/app and SQL services into three boxes. We want to make the set-up as secure as possible while allowing us to continue to manage the systems from our office and also to perform data-backups that way - both copying data between the machines at the ISP and also downloading from the ISP machines to the office. My budget for firewall protection can go as high as $2500 for both ends toghether (an appliance at our ISP in front of the boxes and an appliance at our office to enable VPN), although I would like to spend less.
Bottom line is that we've grown enough that we know we need to upgrade the entire co-lo set up both for security and for reliability. We seem to have been able to keep the current system relatively secure via constant attention, patching, and close adherance to Microsoft's security recommendations. Still, I look forward to the peace of mind of a true firewall.
The biggest question I have is, given my descriptions above, what specific firewall appliance models would you recommend for each end (at the ISP and at the office)? I have been studying and considering: Cisco Pix 560e, Netscreen 5* series, SonicWall SOHO and Pro 100 and Watchguard Firebox SOHO and 700. The "cheaper" side of me has also be wistfully wondering if I couldn't "get by" with a LinkSys or Netgear unit. I suspect, though, that the routing requirements we'll have on the ISP side will require something more.
I also want to ask specifically whether the web server can also sit behind the firewall when we have multiple public static IPs that we are using to get to the various virtual web sites under IIS. Can all firewalls map any number of public static IPs to internal/private static IPs, or can only a certain "level" of firewall do that & how can I tell? And can all of them be mapping into a DMZ?
Along those same lines, what would be the best configuration for the co-lo set up? Should the web server sit exposed in front of the firewall and the SQL and Mail machines sit behind it? Can all three be firewall protected? Can the machines be configured using multiple nics in such a way as to enable routine data-backup between each other without comprimising the security of the machines.
Finally, would anyone recommend switching to a more full-featured remote management app vs. Terminal Services (such as PC Anywhere)? Can two such apps co-reside? I really like TS in general, but also long for the file transfer capablitity offered in an app such as PC Anywhere. I'm not sure I'm ready to give up TS entirely....
I've been doing a lot of reading but have no hands-on experience yet beyond the software firewalls of ZoneAlarms Pro and McAffee, which I've been using on various of our machines for over a year now. I am fairly literate in Windows & Mac operating systems and am generally comfortable with ethernet and TCP/IP networking concepts. I do prefer gui systems vs command-line and ease of use is a relavant factor for me. I will pay more for a product that is more intuitive and easy to manage vs. one that is less intuitive and less expensive. Cisco's Pix Device Manager looks pretty good, for example - how do NetScreens', Watchguards' and SonicWalls' managers compare?
I *have* read through several of the firewall questions/answers, but I really haven't seen anything that gave me all I needed. Hopefully this post will help and please know that I really appreciate each response!
Bill
We host less than 20 sites/applications, but they do count on "staying up" and not getting hacked.
We are now moving to a multi-box set-up where we are separating the mail, web/app and SQL services into three boxes. We want to make the set-up as secure as possible while allowing us to continue to manage the systems from our office and also to perform data-backups that way - both copying data between the machines at the ISP and also downloading from the ISP machines to the office. My budget for firewall protection can go as high as $2500 for both ends toghether (an appliance at our ISP in front of the boxes and an appliance at our office to enable VPN), although I would like to spend less.
Bottom line is that we've grown enough that we know we need to upgrade the entire co-lo set up both for security and for reliability. We seem to have been able to keep the current system relatively secure via constant attention, patching, and close adherance to Microsoft's security recommendations. Still, I look forward to the peace of mind of a true firewall.
The biggest question I have is, given my descriptions above, what specific firewall appliance models would you recommend for each end (at the ISP and at the office)? I have been studying and considering: Cisco Pix 560e, Netscreen 5* series, SonicWall SOHO and Pro 100 and Watchguard Firebox SOHO and 700. The "cheaper" side of me has also be wistfully wondering if I couldn't "get by" with a LinkSys or Netgear unit. I suspect, though, that the routing requirements we'll have on the ISP side will require something more.
I also want to ask specifically whether the web server can also sit behind the firewall when we have multiple public static IPs that we are using to get to the various virtual web sites under IIS. Can all firewalls map any number of public static IPs to internal/private static IPs, or can only a certain "level" of firewall do that & how can I tell? And can all of them be mapping into a DMZ?
Along those same lines, what would be the best configuration for the co-lo set up? Should the web server sit exposed in front of the firewall and the SQL and Mail machines sit behind it? Can all three be firewall protected? Can the machines be configured using multiple nics in such a way as to enable routine data-backup between each other without comprimising the security of the machines.
Finally, would anyone recommend switching to a more full-featured remote management app vs. Terminal Services (such as PC Anywhere)? Can two such apps co-reside? I really like TS in general, but also long for the file transfer capablitity offered in an app such as PC Anywhere. I'm not sure I'm ready to give up TS entirely....
I've been doing a lot of reading but have no hands-on experience yet beyond the software firewalls of ZoneAlarms Pro and McAffee, which I've been using on various of our machines for over a year now. I am fairly literate in Windows & Mac operating systems and am generally comfortable with ethernet and TCP/IP networking concepts. I do prefer gui systems vs command-line and ease of use is a relavant factor for me. I will pay more for a product that is more intuitive and easy to manage vs. one that is less intuitive and less expensive. Cisco's Pix Device Manager looks pretty good, for example - how do NetScreens', Watchguards' and SonicWalls' managers compare?
I *have* read through several of the firewall questions/answers, but I really haven't seen anything that gave me all I needed. Hopefully this post will help and please know that I really appreciate each response!
Bill
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you all *very much* -- this conversation has been really helpful to me. I am going to give the PIX a shot first. My scenario requires very limited VPN connections and I expect minimal "network" growth -- I do not expect to add new units at the colo facility for at least a year and probably not any at my office for that long as well. I really appreciate the configuration input -- thank you very much judhi for the sketch!
I'm going to close this one down now & split up the points. Thank you everyone!
Bill
I'm going to close this one down now & split up the points. Thank you everyone!
Bill
ASKER
Irmoore, thanks for the recommendation on the PIX - ease of use is definitely important to me and thank you VERY much for the TS note -- I had not thought of mapping the local drives to transfer between the units -- (forehead slap, duh!). Also glad to hear the private network with separate nics will work. Will have to figure out the exact details on that, but I thought it made sense... Very helpful answer!
bcastaldo -- Sidewinder G2 looks very strong, but the $5k+ tag for their entry level stuff is way out of my budget and the ease of use issue is also important to me. Thanks for the rec though...
Magnus -- does Checkpoint have to run on a dedicated machine? I'm not clear on that -- can it run on the same box as the web/app server, for example? Also, I've had trouble getting a feel for the pricing -- it looks like the software for the VPN1 might be a few hundred? -- I'll get more info from them if I can run it on the same machine as my web/app server. If I have to have a dedicated machine, I might prefer the PIX.
I'm going to wait another day or two for additional comments before accepting answers & closing this one out. Thanks everyone!
Bill