Solved

Firewall solution needed

Posted on 2004-09-23
25
993 Views
Last Modified: 2013-11-16
I'm trying to host about 10 - 12 websites on my Windows 2003 server.  I have a single server that functions as a print / file / DHCP / exchange / web server.  It has two network cards - a 10/100 and a 1000.  Right now I think it's set up very poorly because I was in a hurry.  I have a cable modem connection with a block of 13 public IP addresses.  I have a watchguard firebox soho 6.  I have the external interface on the watchguard firewall setup for a static public ip.  The firewall connects to a switch which the 1000 nic on the server plugs into and has a static internal ip of 192.168.111.100.  

Now, where I think the problem is on the second 10/100 network card.  I have assigned it about 10 other public ip addresses and it's connected directly to the cable modem - no firewall.  I don't see the point of having a firewall on one server nic and not the other, but  I can only assign 1 ip address to the external interface on the watchguard firebox.  Can this be right??  If it is right, who makes a similar firewall that will allow me to assign multiple external ip addresses and have them NAT to different internal IP's on the server.  Basically, I need to be able to host a bunch of websites, enable outlook web access for my employees, but keep all of my confidential information on the same server secure.
0
Question by:dkuhlman
25 Comments
 
LVL 1

Expert Comment

by:cool_apj
ID: 12140834
u can use a Cisco based Pix firewall and then NAT all ur external IP's to Internal IP's.
Alternatively, u can also do the NAT if u r using a router.
In your scenario u can use a Cisco 1600 Series router with a WIC card (Wan Interface Card).
Pls let me know if u need more information.

0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12142153
Hi again :-)

Like I said, if you want to stay in the consumer end of the market then look at www.draytek.co.uk. Their routers, both ethernet and adsl, allow for multi NAT (multiple public IP's) and the firewall is actually not bad at all. Of course the low end PIX's will do but be careful of the user limit. OR I managed to buy a Nokia IP 330 running Checkpoint on ebay for £300 and that will cope just fine with what you want to do. The interface is nice too. I'm not sure if their low end Safe@Office products allow for multiple external IP addresses but I've been told they do.

Cheers
Julian

(any news on the DCOM issue? Did you manage to get a filtered regmon output? :-)

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12142789
>Basically, I need to be able to host a bunch of websites, enable outlook web access for my employees, but keep all of my confidential information on the same server secure.
My $.02 - if you're really that concerned about keeping information confidential, you would never put it on the same server accessed by the general public. Especially if that server was running Microsoft server OS. -
Having said that, you really need to get something other than a SOHO appliance. I am a big fan of the Cisco PIX and it will do everything you need it to.
The problem you are facing on the current setup is that you can only have one default gateway active on the server. That default gateway needs to point to the firewall, yet you have this other NIC hanging out there that needs to respond to public IP's, too.  You need to disable that extra outside NIC and only use one.
0
 

Author Comment

by:dkuhlman
ID: 12143779
Are the new pix firewalls command line only, or has Cisco come up with a nice gui?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12143825
Yes, very nice web-based (java) GUI.. it really is slick..

It is called the Pix Device Manager (PDM) and is resident right on the PIX.
0
 

Author Comment

by:dkuhlman
ID: 12143828
>My $.02 - if you're really that concerned about keeping information confidential, you would never put it on the same server accessed by the general public. Especially if that server was running Microsoft server OS. -

So let's say I add another server that will only host websites.  Would I make it part of my domain?  
0
 

Author Comment

by:dkuhlman
ID: 12143860
Looks like there are a ton of different pix models out there.  I need something that can support up to 10 vpn tunnels.  I'd like to have no user limitations.  We get many PC's in here for repair, and I'm always having to reboot the Watchguard firebox in order to reset the user count.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12143914
No, I would not make it part of the domain.
I would place it into a separate public service network segment (DMZ).
If the web server(s) need to talk to backend servers, like SQL or DB server, then you can limit traffic through the firewall to just that traffic without having all the requisite ports open for AD (have you seen the list? Sheesh, the firewall becomes pure swiss cheese)..

The PIX 515e is the lowest end model that has a true DMZ interface. Street price for Restricted license 515e-DMZ model is about $2800

If you have a switch that is VLAN capable, you can get away with the 506e that does trunking and you can use VLANs for your private/public zones.
0
 

Expert Comment

by:dldigital
ID: 12146973
If data security is an issue, and it appears to be, I would definitely go the DMZ route; it will provide you the isolation that your confidential data requires. "Due care and Diligence" is the rule in cases like this.
0
 

Author Comment

by:dkuhlman
ID: 12147049
The 515e is out of my price range.  So far my plan is to pick up a Cisco PIX 506e and a Cisco Catalyst 2950 24 Port WS-2950T-24 switch.  Does this switch support VLANs?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12147126
Yes. Excellent choice for a compromise.
0
 
LVL 1

Expert Comment

by:cool_apj
ID: 12150143
Good Choice...
0
 
LVL 1

Expert Comment

by:cool_apj
ID: 12150193
Alternatively, if u r looking for a cost effective solution u can have a Cisco router and use NATing. U can make ur cisco router perform like a Firewall and completely eliminate the need of firewall. U can define Access lists, and Ports and lot of other things.

In fact, the router cld perform as good as the firewall. wat do u say Irmoore.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12150259
>wat do u say Irmoore
I'll take the bait. Here's what I say (notice that I use complete English, not kiddie "textspeak")

A router is designed for one purpose - to move packets
A firewall is designed for one purpose - to block packets

A router with NAT and access-lists may be adequate in some instances where security is not an issue, but it does not have anywhere near the security functions built into a firewall. No Stateful packet inspection, no Intrusion detection, no VPN capabilities, no deep-packet inspection (fixup), no GUI, no hardened OS backend. Yes, you can add some of these features to the IOS router for a lot more money (IP/FW/IDS/IPSEC feature sets)  and turn a router into a pseudo-firewall, but it's still a kludge of adding firewall features to a device that was built for the sole purpose of moving packets from one interface to the other as fast as possible. A PIX has all these features. It does not run IOS, it has deep packet inspection, Adaptive Security SPI, Intrusion detection, VPN capabilities, and many other features simply not available on a router. The PIX was designed from the ground up to be the best firewall on the market.

So my answer is - no, a router cannot perform as well as a firewall. Let routers do what they do best, and get the right product for your security.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12154042
> ..  but keep all of my confidential information on the same server secure.
first I'll cc: lrmoore (firewall box, DMZ, M$ OS, etc.)
Then I'll add another 2 pence: did you think about web application security?
E.g., it's no problem to hack M$ SQL server, even behind several (network) firewalls, and even (mis-)use it to map/hack anything else connected to that server.
Are you aware? If you need more help here, let me know.
0
 

Author Comment

by:dkuhlman
ID: 13899741
Ok lrmoore.  I have purchased a Cisco Pix 506e and a Cisco 2950T switch.  I've had 2 x CCNP's in to configure it but neither can get it working.  Where can I find someone qualified to configure this setup for me?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13900487
I'm confident that I could get it working for you in very short order, but I'm expensive to travel onsite.
If you want to post a new question to help you get it set up, I'm sure we've got a few people here that can help walk you through it step by step. Post a link to the new question here so that I know when you've posted it.
0
 

Author Comment

by:dkuhlman
ID: 14245445
pixfirewall(config)# int e1 vlan2 physical
pixfirewall(config)# int e1 vlan3 logical
Interface limit (2) reached.
Unable to create logical interface.
Internal Error: Unable to initialize logical interface.


Why can't I create a VLAN interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14245640
What OS version on the PIX?
The 506e only supports 2 VLANs on each interface


0
 

Author Comment

by:dkuhlman
ID: 14246144
6.3 (3).  I'm trying to follow your recommendation above, but having trouble getting it working.  Am I missing something?  Is it possible to do a DMZ with the pix 506E?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14246478
Yes, it is possible to do a dmz, but only with VLANs and only one since the 506 will only support 2 vlans
VLAN1 = Local LAN
VLAN2 = DMZ
 
0
 

Author Comment

by:dkuhlman
ID: 14246549
So if we have the outside interface setup facing the internet, can we still have VLAN1 and VLAN2 on the inside interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14246839
yes..
0
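As an added illustration (not from the thread, and not lrmoore's own configuration), here is the PIX OS 6.3 command shape that the VLAN-based DMZ plan in the accepted answer and the VLAN exchange above implies: the outside interface faces the Internet, the inside interface trunks two 802.1Q VLANs to the 2950, the web server sits in the DMZ VLAN with static NAT to one of the public addresses, and the DMZ is allowed to reach only one backend port on the inside instead of the whole AD port list. All addresses are constructed (203.0.113.0/24 stands in for the poster's public block), the backend host and port are assumptions, and the configuration assumes a PIX model and license that accept a third named interface; the 506E output quoted earlier in the thread ("Interface limit (2) reached") shows that model refusing exactly that step, which is the open question the thread ends on.

```text
! Added example, PIX OS 6.3 syntax. Addresses are constructed; assumes a
! PIX whose interface limit allows a third named interface (the thread's
! 506E rejected "interface ethernet1 vlan3 logical").

interface ethernet0 auto
interface ethernet1 auto
! inside NIC carries two tagged VLANs to an 802.1Q trunk port on the 2950:
! VLAN2 = local LAN (on the physical interface), VLAN3 = DMZ (logical)
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50

ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.111.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
! single default route; the server's only default gateway is 192.168.111.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! inside hosts leave through PAT on the outside address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! one public address per published DMZ web host (static NAT)
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.2.11 netmask 255.255.255.255
! identity translation so the DMZ can address the inside network at all
static (inside,dmz) 192.168.111.0 192.168.111.0 netmask 255.255.255.0

! from the Internet: only HTTP/HTTPS to the published DMZ hosts
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-group outside_in in interface outside

! from the DMZ toward the inside: only the one backend port (assumed SQL
! on the existing server), nothing else to the inside network; the DMZ
! may still reach the Internet
access-list dmz_in permit tcp host 192.168.2.10 host 192.168.111.100 eq 1433
access-list dmz_in deny ip any 192.168.111.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

Two things outside the PIX have to match this: the 2950 port facing ethernet1 must be an 802.1Q trunk carrying VLANs 2 and 3, and, as lrmoore says earlier, the second NIC with public addresses on the cable modem has to go away so the server has one default gateway (the PIX inside address) and every public address is published only through a static translation on the firewall.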
 

Author Comment

by:dkuhlman
ID: 14280623
Ok, I did the right thing and opened up a new post for this issue.  lrmoore, would you mind posting a reply to my last post here:  

http://www.experts-exchange.com/Security/Q_21462435.html#14247786.  

I really appreciate your help.  Thanks!
0
 

Author Comment

by:dkuhlman
ID: 14387809
LRMOORE!!  I purchased a Pix 506E based on your recommendation here.  Now people are telling me that it won't work with 3 interfaces.  Can you please read through and respond to this question?

http://www.experts-exchange.com/Security/Q_21462435.html
0
