dkuhlman (United States of America) asked:

Firewall solution needed

I'm trying host about 10 - 12 websites on my Windows 2003 server.  I have a single server that functions as a print / file / DHCP / exchange / web server.  It has two network cards - a 10/100 and a 1000.  Right now I think its set up very poorly because I was in a hurry.  I have a cable modem connection with a block of 13 public IP addresses.  I have a watchguard firebox soho 6.  I have the external interface on the watchguard firewall setup for a static public ip.  The firewall connects to a switch which the 1000 nic on the server plugs into and has a static internal ip of 192.168.111.100.  

Now, where I think the problem is on the second 10/100 network card.  I have assigned it about 10 other public ip addresses and its connected directly to the cable modem - no firewall.  I don't see the point of having a firewall on one server nic and not the other, but  I can only assign 1 ip address to the external interface on the watchguard firebox.  Can this be right??  If it is right, who makes a similar firewall that will allow me to assign multiple external ip address's and have them NAT to different internal IP's on the server.  Basically, I need to be able to host a bunch of websites, enable outlook web access for my employees, but keep all of my confidential information on the same server secure.
cool_apj:

u can use a Cisco based Pix firewall and then NAT all ur external IP's to Internal IP's.
Alternatively, u can also do the NAT if u r using a router.
In your scenario u can use a Cisco 1600 Series router with a WIC card (Wan Interface Card).
Pls let me know if u need more information.

Hi again :-)

Like I said, if you want to stay in the consumer end of the market then look at www.draytek.co.uk. Their routers, both Ethernet and ADSL, allow for multi NAT (multiple public IP's) and the firewall is actually not bad at all. Of course the low end PIX's will do but be careful of the user limit. OR I managed to buy a Nokia IP 330 running Checkpoint on ebay for £300 and that will cope just fine with what you want to do. The interface is nice too. I'm not sure if their low end Safe@Office products allow for multiple external IP addresses but I've been told they do.

Cheers
Julian

(any news on the DCOM issue? Did you manage to get a filtered regmon output? :-)

Les Moore:
>Basically, I need to be able to host a bunch of websites, enable outlook web access for my employees, but keep all of my confidential information on the same server secure.
My $.02 - if you're really that concerned about keeping information confidential, you would never put it on the same server accessed by the general public. Especially if that server was running Microsoft server OS.
Having said that, you really need to get something other than a SOHO appliance. I am a big fan of the Cisco PIX and it will do everything you need it to.
The problem you are facing on the current setup is that you can only have one default gateway active on the server. That default gateway needs to point to the firewall, yet you have this other NIC hanging out there that needs to respond to public IP's, too.  You need to disable that extra outside NIC and only use one.
dkuhlman (asker):
Are the new pix firewalls command line only, or has Cisco come up with a nice gui?
Yes, very nice web-based (java) GUI. It really is slick.

It is called the Pix Device Manager (PDM) and is resident right on the PIX.
>My $.02 - if you're really that concerned about keeping information confidential, you would never put it on the same server accessed by the general public. Especially if that server was running Microsoft server OS. -

So let's say I add another server that will only host websites.  Would I make it part of my domain?
Looks like there are a ton of different pix models out there.  I need something that can support up to 10 vpn tunnels.  I'd like to have no user limitations.  We get many PC's in here for repair, and I'm always having to reboot the Watchguard firebox in order to reset the user count.
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
If data security is an issue, and it appears to be, I would definitely go the DMZ route; it will provide you the isolation that your confidential data requires. "Due care and Diligence" is the rule in cases like this.
The 515e is out of my price range.  So far my plan is to pick up a Cisco PIX 506e and a Cisco Catalyst 2950 24 Port WS-2950T-24 switch.  Does this switch support VLAN's?
Yes. Excellent choice for a compromise.
Good Choice...
Alternatively, if u r looking for a cost effective solution u can have a Cisco router and use NATing. U can make ur cisco router perform like a Firewall and completely eliminate the need of firewall. U can define Access lists, and Ports and lot of other things.

In fact, the router cld perform as good as the firewall. wat do u say Irmoore.

>wat do u say Irmoore
I'll take the bait. Here's what I say (notice that I use complete English, not kiddie "textspeak")

A router is designed for one purpose - to move packets
A firewall is designed for one purpose - to block packets

A router with NAT and access-lists may be adequate in some instances where security is not an issue, but it does not have anywhere near the security functions built into a firewall. No Stateful packet inspection, no Intrusion detection, no VPN capabilities, no deep-packet inspection (fixup), no GUI, no hardened OS backend. Yes, you can add some of these features to the IOS router for a lot more money (IP/FW/IDS/IPSEC feature sets)  and turn a router into a pseudo-firewall, but it's still a kludge of adding firewall features to a device that was built for the sole purpose of moving packets from one interface to the other as fast as possible. A PIX has all these features. It does not run IOS, it has deep packet inspection, Adaptive Security SPI, Intrusion detection, VPN capabilities, and many other features simply not available on a router. The PIX was designed from the ground up to be the best firewall on the market.

So my answer is - no, a router cannot perform as well as a firewall. Let routers do what they do best, and get the right product for your security.
> ..  but keep all of my confidential information on the same server secure.
First I'll cc: lrmoore (firewall box, DMZ, M$ OS, etc.)
Then I'll add another 2 pence: did you think about web application security?
E.g. it's no problem to hack M$ SQL server, even behind several (network) firewalls, and even (mis-)use it to map/hack anything else connected to that server.
Are you aware? If you need more help here, let me know.
Ok lrmoore.  I have purchased a Cisco Pix 506e and a Cisco 2950T switch.  I've had 2 x CCNP's in to configure it but neither can get it working.  Where can I find someone qualified to configure this setup for me?
I'm confident that I could get it working for you in very short order, but I'm expensive to travel onsite.
If you want to post a new question to help you get it set up, I'm sure we've got a few people here that can help walk you through it step by step. Post a link to the new question here so that I know when you've posted it.
pixfirewall(config)# int e1 vlan2 physical
pixfirewall(config)# int e1 vlan3 logical
Interface limit (2) reached.
Unable to create logical interface.
Internal Error: Unable to initialize logical interface.

Why can't I create a VLAN interface?
What OS version on the PIX?
The 506e only supports 2 VLANS on each interface

6.3 (3).  I'm trying to follow your recommendation above, but having trouble getting it working.  Am I missing something?  Is it possible to do a DMZ with the pix 506E?
Yes, it is possible to do a dmz, but only with VLAN's and only one since the 506 will only support 2 vlans
VLAN1 = Local LAN
VLAN2 = DMZ
 
So if we have the outside interface setup facing the internet, can we still have vlan1 and vlan 2 on the inside interface?
yes..
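For readers who want to see what the layout lrmoore describes (outside interface toward the Internet, local LAN and a single DMZ VLAN on the inside interface, public addresses NAT'ed one-to-one to hosts, which is also what the original question asked for) looks like in PIX 6.3 configuration syntax, here is an added illustration. It is not from this thread or from any of the participants. All addresses are placeholders (203.0.113.0/28 stands in for the public block, 192.168.x.0/24 for the private segments), the host and ACL names are made up, and it assumes the unit accepts one logical VLAN interface on ethernet1, which is exactly the point the later posts in this thread leave unresolved for the 506E.

```cisco
! Added illustration, not from this thread. Placeholder addresses and names throughout.
! Assumption: one logical VLAN interface on ethernet1 is accepted by the unit.

interface ethernet0 auto
interface ethernet1 auto
! ethernet1 carries the local LAN as vlan1 and the DMZ tagged as vlan2;
! the switch port facing the PIX must be a trunk carrying both VLANs
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50

ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.111.1 255.255.255.0
ip address dmz 192.168.222.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound connections from both internal segments share the outside address (PAT)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

! Each public address that should serve a website is mapped one-to-one to a DMZ host
static (dmz,outside) 203.0.113.5 192.168.222.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.6 192.168.222.11 netmask 255.255.255.255

! From the Internet, only the published services are reachable; everything else is dropped
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in permit tcp any host 203.0.113.6 eq https
access-group outside_in in interface outside

! A DMZ host may not open connections toward the inside LAN, so a compromised
! web server cannot reach the file, print or Exchange data; it may still reach the Internet
access-list dmz_in deny ip 192.168.222.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

The two things worth checking after applying something like this are that the public web hosts answer only on the ports listed in outside_in, and that nothing in the DMZ can reach 192.168.111.0/24 at all; the inside segment reaches the DMZ and the Internet through the security-level defaults, while the DMZ is confined by the explicit deny. If the unit refuses the logical interface with the "Interface limit (2) reached" message shown earlier in this thread, the single-DMZ design above cannot be built on it as written.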
Ok, I did the right thing and opened up a new post for this issue.  lrmoore, would you mind posting a reply to my last post here:  

https://www.experts-exchange.com/questions/21462435/Pix506E-DMZ-issue.html#14247786.  

I really appreciate your help.  Thanks!
LRMOORE!!  I purchased a Pix 506E based on your recommendation here.  Now people are telling me that it won't work with 3 interfaces.  Can you please read through and respond to this question?

https://www.experts-exchange.com/questions/21462435/Pix506E-DMZ-issue.html