Solved

Firewall solution needed

Posted on 2004-09-23
25
980 Views
Last Modified: 2013-11-16
I'm trying to host about 10 - 12 websites on my Windows 2003 server. I have a single server that functions as a print / file / DHCP / Exchange / web server. It has two network cards, a 10/100 and a 1000. Right now I think it's set up very poorly because I was in a hurry. I have a cable modem connection with a block of 13 public IP addresses. I have a WatchGuard Firebox SOHO 6. I have the external interface on the WatchGuard firewall set up for a static public IP. The firewall connects to a switch which the 1000 NIC on the server plugs into, and that NIC has a static internal IP of 192.168.111.100.

Now, I think the problem is on the second 10/100 network card. I have assigned it about 10 other public IP addresses and it's connected directly to the cable modem, with no firewall. I don't see the point of having a firewall on one server NIC and not the other, but I can only assign 1 IP address to the external interface on the WatchGuard Firebox. Can this be right?? If it is right, who makes a similar firewall that will allow me to assign multiple external IP addresses and have them NAT to different internal IPs on the server? Basically, I need to be able to host a bunch of websites, enable Outlook Web Access for my employees, but keep all of my confidential information on the same server secure.
Question by:dkuhlman
25 Comments
 
LVL 1

Expert Comment

by:cool_apj
u can use a Cisco based Pix firewall and then NAT all ur external IP's to Internal IP's.
Alternatively, u can also do the NAT if u r using a router.
In your scenario u can use a Cisco 1600 Series router with a WIC card (WAN Interface Card).
Pls let me know if u need more information.

LVL 3

Expert Comment

by:Julian_C
Hi again :-)

Like I said, if you want to stay in the consumer end of the market then look at www.draytek.co.uk. Their routers, both ethernet and ADSL, allow for multi NAT (multiple public IPs) and the firewall is actually not bad at all. Of course the low end PIXs will do but be careful of the user limit. Or I managed to buy a Nokia IP 330 running Checkpoint on eBay for £300 and that will cope just fine with what you want to do. The interface is nice too. I'm not sure if their low end Safe@Office products allow for multiple external IP addresses but I've been told they do.

Cheers
Julian

(any news on the DCOM issue? Did you manage to get a filtered regmon output? :-)

LVL 79

Expert Comment

by:lrmoore
>Basically, I need to be able to host a bunch of websites, enable outlook web access for my employees, but keep all of my confidential information on the same server secure.
My $.02 - if you're really that concerned about keeping information confidential, you would never put it on the same server accessed by the general public. Especially if that server was running a Microsoft server OS.
Having said that, you really need to get something other than a SOHO appliance. I am a big fan of the Cisco PIX and it will do everything you need it to.
The problem you are facing on the current setup is that you can only have one default gateway active on the server. That default gateway needs to point to the firewall, yet you have this other NIC hanging out there that needs to respond to public IP's, too.  You need to disable that extra outside NIC and only use one.
Author Comment

by:dkuhlman
Are the new pix firewalls command line only, or has Cisco come up with a nice gui?
LVL 79

Expert Comment

by:lrmoore
Yes, very nice web-based (java) GUI.. it really is slick..

It is called the Pix Device Manager (PDM) and is resident right on the PIX.
Author Comment

by:dkuhlman
>My $.02 - if you're really that concerned about keeping information confidential, you would never put it on the same server accessed by the general public. Especially if that server was running Microsoft server OS. -

So let's say I add another server that will only host websites. Would I make it part of my domain?
Author Comment

by:dkuhlman
Looks like there are a ton of different PIX models out there. I need something that can support up to 10 VPN tunnels. I'd like to have no user limitations. We get many PCs in here for repair, and I'm always having to reboot the WatchGuard Firebox in order to reset the user count.
LVL 79

Accepted Solution

by: lrmoore earned 500 total points
No, I would not make it part of the domain.
I would place it into a separate public service network segment (DMZ).
If the web server(s) need to talk to backend servers, like SQL or DB server, then you can limit traffic through the firewall to just that traffic without having all the requisite ports open for AD (have you seen the list? Sheesh, the firewall becomes pure swiss cheese)..

The PIX 515e is the lowest end model that has a true DMZ interface. Street price for the Restricted license 515e-DMZ model is about $2800.

If you have a switch that is VLAN capable, you can get away with the 506e, which does trunking, and you can use VLANs for your private/public zones.
Expert Comment

by:dldigital
If data security is an issue, and it appears to be, I would definitely go the DMZ route; it will provide you the isolation that your confidential data requires. "Due care and diligence" is the rule in cases like this.
Author Comment

by:dkuhlman
The 515e is out of my price range. So far my plan is to pick up a Cisco PIX 506e and a Cisco Catalyst 2950 24 Port WS-2950T-24 switch. Does this switch support VLANs?
LVL 79

Expert Comment

by:lrmoore
Yes. Excellent choice for a compromise.
LVL 1

Expert Comment

by:cool_apj
Good Choice...
LVL 1

Expert Comment

by:cool_apj
Alternatively, if u r looking for a cost effective solution u can have a Cisco router and use NATing. U can make ur cisco router perform like a Firewall and completely eliminate the need of a firewall. U can define Access lists, and Ports and lot of other things.

In fact, the router cld perform as good as the firewall. wat do u say lrmoore.

LVL 79

Expert Comment

by:lrmoore
>wat do u say lrmoore
I'll take the bait. Here's what I say (notice that I use complete English, not kiddie "textspeak")

A router is designed for one purpose - to move packets
A firewall is designed for one purpose - to block packets

A router with NAT and access-lists may be adequate in some instances where security is not an issue, but it does not have anywhere near the security functions built into a firewall. No Stateful packet inspection, no Intrusion detection, no VPN capabilities, no deep-packet inspection (fixup), no GUI, no hardened OS backend. Yes, you can add some of these features to the IOS router for a lot more money (IP/FW/IDS/IPSEC feature sets)  and turn a router into a pseudo-firewall, but it's still a kludge of adding firewall features to a device that was built for the sole purpose of moving packets from one interface to the other as fast as possible. A PIX has all these features. It does not run IOS, it has deep packet inspection, Adaptive Security SPI, Intrusion detection, VPN capabilities, and many other features simply not available on a router. The PIX was designed from the ground up to be the best firewall on the market.

So my answer is - no, a router cannot perform as well as a firewall. Let routers do what they do best, and get the right product for your security.
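The accepted answer above (a DMZ where only the database port is open from the web tier to the back-end) and the router-versus-firewall comparison in this post both rest on two properties: a zone policy and connection state. The following toy model is an added example written for this page, not code from the thread, from Cisco or from any product; the addresses, ports and static NAT table are constructed, and only 192.168.111.100 comes from the question. It runs a constructed traffic sample through a router-style stateless access list and through a stateful firewall enforcing the same zone policy, so the difference shows up as two columns of permit/deny decisions.

```python
"""Toy model contrasting a stateless router ACL with a stateful zone firewall.

Added example for this thread; addressing and ports are constructed, except
192.168.111.100, which is the server address quoted in the question.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_zone: str   # interface the packet arrived on: outside, dmz or inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # True: opens a connection; False: shaped like a reply (ACK only)


# Constructed static NAT: one public address per web site, mapped onto a DMZ host.
STATIC_NAT = {
    "203.0.113.10": "192.168.2.10",
    "203.0.113.11": "192.168.2.11",
}


def zone_of(ip: str) -> str:
    """Classify an (already translated) address into a zone by prefix."""
    if ip.startswith("192.168.111."):
        return "inside"
    if ip.startswith("192.168.2."):
        return "dmz"
    return "outside"


# (source zone, destination zone, permitted destination ports; None = any port)
POLICY = [
    ("outside", "dmz", {80, 443}),   # public web traffic to the DMZ web hosts only
    ("dmz", "inside", {1433}),       # web tier to the SQL back-end, nothing else
    ("inside", "dmz", None),         # administration of the DMZ from the LAN
    ("inside", "outside", None),     # outbound browsing
]


def policy_permits(src_zone: str, dst_zone: str, dport: int) -> bool:
    """True if some zone rule permits a new connection on this port."""
    if src_zone == dst_zone:
        return True  # intra-zone traffic never crosses the firewall
    return any(s == src_zone and d == dst_zone and (ports is None or dport in ports)
               for s, d, ports in POLICY)


def stateless_acl(pkt: Packet) -> bool:
    """Router ACL shortcut: new connections are checked against the policy, and
    anything that is not a SYN is waved through as a presumed reply."""
    dst = STATIC_NAT.get(pkt.dst, pkt.dst)
    if not pkt.syn:
        return True
    return policy_permits(pkt.in_zone, zone_of(dst), pkt.dport)


class StatefulFirewall:
    """Reply-shaped packets are admitted only when a matching connection was
    opened through the firewall earlier; otherwise they are dropped."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def inspect(self, pkt: Packet) -> bool:
        dst = STATIC_NAT.get(pkt.dst, pkt.dst)
        if pkt.syn:
            if policy_permits(pkt.in_zone, zone_of(dst), pkt.dport):
                self.connections.add((pkt.src, pkt.sport, dst, pkt.dport))
                return True
            return False
        # A reply travels the opposite way, so look the flow up reversed.
        return (dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def demo() -> dict[str, tuple[bool, bool]]:
    """Run a constructed traffic sample through both designs, in order.
    Returns {label: (stateless decision, stateful decision)}."""
    fw = StatefulFirewall()
    sample = {
        "visitor opens web site":
            Packet("outside", "198.51.100.7", 40000, "203.0.113.10", 80, True),
        "web host replies to visitor":
            Packet("dmz", "192.168.2.10", 80, "198.51.100.7", 40000, False),
        "web host queries SQL back-end":
            Packet("dmz", "192.168.2.10", 50000, "192.168.111.100", 1433, True),
        "web host tries file sharing on back-end":
            Packet("dmz", "192.168.2.10", 50001, "192.168.111.100", 445, True),
        "visitor opens SQL port on web host":
            Packet("outside", "198.51.100.9", 40001, "203.0.113.10", 1433, True),
        "reply-shaped packet with no connection":
            Packet("outside", "198.51.100.9", 40002, "203.0.113.10", 1433, False),
    }
    return {label: (stateless_acl(p), fw.inspect(p)) for label, p in sample.items()}


if __name__ == "__main__":
    for label, (acl, spi) in demo().items():
        verdict = lambda ok: "permit" if ok else "deny"
        print(f"{label:42} stateless={verdict(acl):6} stateful={verdict(spi)}")
```

The last row is the one the post is about: both designs deny a new connection to the SQL port from the Internet, but only the stateful model denies a packet that merely looks like a reply, because it consults the connection table instead of trusting TCP flags.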
LVL 51

Expert Comment

by:ahoffmann
> ..  but keep all of my confidential information on the same server secure.
first I'll cc: lrmoore (firewall box, DMZ, M$ OS, etc.)
Then I'll add another 2 pence: did you think about web application security?
I.g. it's no problem to hack M$ SQL server, even behind several (network) firewalls, and even (mis-)use it to map/hack anything else connected to that server.
Are you aware? If you need more help here, let me know.
Author Comment

by:dkuhlman
Ok lrmoore.  I have purchased a Cisco Pix 506e and a Cisco 2950T switch.  I've had 2 x CCNP's in to configure it but neither can get it working.  Where can I find someone qualified to configure this setup for me?
LVL 79

Expert Comment

by:lrmoore
I'm confident that I could get it working for you in very short order, but I'm expensive to travel onsite.
If you want to post a new question to help you get it set up, I'm sure we've got a few people here that can help walk you through it step by step. Post a link to the new question here so that I know when you've posted it.
Author Comment

by:dkuhlman
pixfirewall(config)# int e1 vlan2 physical
pixfirewall(config)# int e1 vlan3 logical
Interface limit (2) reached.
Unable to create logical interface.
Internal Error: Unable to initialize logical interface.


Why can't I create a VLAN interface?
LVL 79

Expert Comment

by:lrmoore
What OS version on the PIX?
The 506e only supports 2 VLANs on each interface.


Author Comment

by:dkuhlman
6.3(3). I'm trying to follow your recommendation above, but having trouble getting it working. Am I missing something? Is it possible to do a DMZ with the PIX 506E?
LVL 79

Expert Comment

by:lrmoore
Yes, it is possible to do a DMZ, but only with VLANs, and only one since the 506 will only support 2 VLANs.
VLAN1 = Local LAN
VLAN2 = DMZ
 
Author Comment

by:dkuhlman
So if we have the outside interface set up facing the internet, can we still have VLAN1 and VLAN2 on the inside interface?
LVL 79

Expert Comment

by:lrmoore
yes..
Author Comment

by:dkuhlman
Ok, I did the right thing and opened up a new post for this issue. lrmoore, would you mind posting a reply to my last post here:

http://www.experts-exchange.com/Security/Q_21462435.html#14247786

I really appreciate your help.  Thanks!
Author Comment

by:dkuhlman
LRMOORE!!  I purchased a Pix 506E based on your recommendation here.  Now people are telling me that it won't work with 3 interfaces.  Can you please read through and respond to this question?

http://www.experts-exchange.com/Security/Q_21462435.html