Configuring co-lo servers and home office firewalls/VPN
Posted on 2003-06-07
We are a small web application development firm. We currently co-locate a mail (MDaemon Pro)/IIS/ColdFusion/MSSQL2000 MSWIN2KAdvanced server box at our ISP. We access and manage it via Terminal Services and have been generally happy with TS, although file transfers always have to be done via IIS/FTP... We have cable internet access at our office (Pro - 5 static IPs, 3.5Mb download/384k Upload).
We host less than 20 sites/applications, but they do count on "staying up" and not getting hacked.
We are now moving to a multi-box set-up where we are separating the mail, web/app and SQL services into three boxes. We want to make the set-up as secure as possible while allowing us to continue to manage the systems from our office and also to perform data-backups that way - both copying data between the machines at the ISP and also downloading from the ISP machines to the office. My budget for firewall protection can go as high as $2500 for both ends toghether (an appliance at our ISP in front of the boxes and an appliance at our office to enable VPN), although I would like to spend less.
Bottom line is that we've grown enough that we know we need to upgrade the entire co-lo set up both for security and for reliability. We seem to have been able to keep the current system relatively secure via constant attention, patching, and close adherance to Microsoft's security recommendations. Still, I look forward to the peace of mind of a true firewall.
The biggest question I have is, given my descriptions above, what specific firewall appliance models would you recommend for each end (at the ISP and at the office)? I have been studying and considering: Cisco Pix 560e, Netscreen 5* series, SonicWall SOHO and Pro 100 and Watchguard Firebox SOHO and 700. The "cheaper" side of me has also be wistfully wondering if I couldn't "get by" with a LinkSys or Netgear unit. I suspect, though, that the routing requirements we'll have on the ISP side will require something more.
I also want to ask specifically whether the web server can also sit behind the firewall when we have multiple public static IPs that we are using to get to the various virtual web sites under IIS. Can all firewalls map any number of public static IPs to internal/private static IPs, or can only a certain "level" of firewall do that & how can I tell? And can all of them be mapping into a DMZ?
Along those same lines, what would be the best configuration for the co-lo set up? Should the web server sit exposed in front of the firewall and the SQL and Mail machines sit behind it? Can all three be firewall protected? Can the machines be configured using multiple nics in such a way as to enable routine data-backup between each other without comprimising the security of the machines.
Finally, would anyone recommend switching to a more full-featured remote management app vs. Terminal Services (such as PC Anywhere)? Can two such apps co-reside? I really like TS in general, but also long for the file transfer capablitity offered in an app such as PC Anywhere. I'm not sure I'm ready to give up TS entirely....
I've been doing a lot of reading but have no hands-on experience yet beyond the software firewalls of ZoneAlarms Pro and McAffee, which I've been using on various of our machines for over a year now. I am fairly literate in Windows & Mac operating systems and am generally comfortable with ethernet and TCP/IP networking concepts. I do prefer gui systems vs command-line and ease of use is a relavant factor for me. I will pay more for a product that is more intuitive and easy to manage vs. one that is less intuitive and less expensive. Cisco's Pix Device Manager looks pretty good, for example - how do NetScreens', Watchguards' and SonicWalls' managers compare?
I *have* read through several of the firewall questions/answers, but I really haven't seen anything that gave me all I needed. Hopefully this post will help and please know that I really appreciate each response!