Solved

Double router

Posted on 2004-10-21
377 Views
Last Modified: 2013-12-04
Hello,

If 1 part of this post should be continued with another 500 points added let me know.  I will close questions out and continue them as appropriate.  I have unlimited points, because I have a paid membership.  I want to make sure I set this up right.

I am setting up a Dell PowerEdge 1600SC server with Windows 2003 SBS that is already connected to a peer-to-peer network.
It is using a Linksys router with a broadband connection (sole firewall/NAT), with email and port 80 forwarded to an existing workstation running IIS.  With the server I also picked up a WatchGuard Firebox SOHO 6 firewall.

I need some ideas about security.

Is there any value to leaving the Linksys as the connection to broadband and setting up the server and/or the other devices on the SOHO, thereby having double NAT?  If I do this and I use a different range of IP for the two different networks (10.xxx and 198.xxx)

OK this can be the first part of the question.  
0
Question by:dtolo
    13 Comments
     
    LVL 3

    Expert Comment

    by:Gargantubrain
    One problem with two (nested) NATs is that you will have to configure the forwarding on both devices every time you need a port opened.

    Take port 80 for example.

    If your Internet address is 61.62.63.64, then you have to configure the outside router to forward 61.62.63.64:80 to 192.168.1.1:80.
    Then you have to configure the inside router to forward 192.168.1.1:80 to 10.0.0.2:80 (your real web server).
    0
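A small added model of the nested NAT forwarding chain described in the comment above (example code, not from the thread). It uses the same constructed addresses, 61.62.63.64 for the outer router, 192.168.1.1 for the inner one and 10.0.0.2 for the server, and shows the failure mode the comment warns about: a port forwarded on the outer device but not the inner one never reaches the server.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class NatLayer:
    """One NAT/firewall device: its outside address and its port-forward table."""
    name: str
    outside_ip: str
    # external port -> (inside host, inside port)
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def translate(self, ip: str, port: int) -> Optional[Tuple[str, int]]:
        """Next hop for an inbound packet, or None if this device drops it."""
        if ip != self.outside_ip:
            return None
        return self.forwards.get(port)

def trace_inbound(layers: List[NatLayer], dst_ip: str, dst_port: int):
    """Walk an inbound connection through each layer, outermost first.
    Returns (final_ip, final_port, hops); final_ip is None if some layer had no rule."""
    hops = []
    ip, port = dst_ip, dst_port
    for layer in layers:
        nxt = layer.translate(ip, port)
        if nxt is None:
            hops.append(f"{layer.name}: no forward for {ip}:{port}, dropped")
            return None, None, hops
        hops.append(f"{layer.name}: {ip}:{port} -> {nxt[0]}:{nxt[1]}")
        ip, port = nxt
    return ip, port, hops

# Constructed chain: the outer router forwards both web and mail (the question
# mentions email and port 80 forwarded), but the inner device only got port 80.
OUTER = NatLayer("linksys", "61.62.63.64", {80: ("192.168.1.1", 80), 25: ("192.168.1.1", 25)})
INNER = NatLayer("firebox", "192.168.1.1", {80: ("10.0.0.2", 80)})
CHAIN = [OUTER, INNER]

def web_reaches_server() -> Tuple[Optional[str], Optional[int]]:
    return trace_inbound(CHAIN, "61.62.63.64", 80)[:2]   # ('10.0.0.2', 80)

def smtp_reaches_server() -> Tuple[Optional[str], Optional[int]]:
    return trace_inbound(CHAIN, "61.62.63.64", 25)[:2]   # (None, None): inner rule missing

if __name__ == "__main__":
    for port in (80, 25):
        print("\n".join(trace_inbound(CHAIN, "61.62.63.64", port)[2]))
```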
     
    LVL 3

    Expert Comment

    by:Gargantubrain
    Another problem is that SBS 2003 itself can also be the firewall, if you have two network cards in it. You could end up with a third firewall there :-)
    0
     

    Expert Comment

    by:mdubon3
    I would not do it unless I really need the extra layer.  Adding an extra layer means adding more latency on your connection.  Usually this is a bad idea unless it is absolutely necessary.

    0
     
    LVL 2

    Author Comment

    by:dtolo
    Well how much more secure does it make the network?
    0
     
    LVL 2

    Author Comment

    by:dtolo
    Mdubon,

    how much more latency?
    0
     
    LVL 3

    Assisted Solution

    by:Gargantubrain
    As far as extra security, it gives you multiple "zones"

    DMZ (no filtering, exposed IP addresses)

    --- First firewall ---

    First zone (behind one firewall, filtering applies to traffic in and out of Internet, and in and out of 2nd zone)

    --- 2nd firewall ---

    Second zone (behind two firewalls, filtering applies to traffic in and out of 2nd zone)

    ...

    So if someone were to "hack" all the way into the 2nd zone, they would have to break through more than one layer (or come in through a port you opened through both layers).

    Latency is going to depend on your hardware. Pings will definitely have higher round trip times. You would notice it more on highly interactive two-way traffic like games. You would not likely see a decrease in large transfer speeds like file downloads and uploads, because your Internet connection itself is the bottleneck and TCP/IP handles packet lag pretty well.
    0
     
    LVL 2

    Author Comment

    by:dtolo
    Gargantubrain,

    I like your answer.  I will be port forwarding to the 2003 SBS server because it is my mail and web server.  What should I do to secure this, and are the two firewalls of no value in this scenario, because I am port forwarding?
    0
     
    LVL 4

    Accepted Solution

    by:
    The thing with SBS is that it has ISA 2000 built-in.  If you haven't already done so, you should talk to your vendor.  We attended a TechNet event on ISA 2004 and the speaker said that SBS 2003 users could get an upgrade to ISA 2004, either free or cheap, I don't remember.

    As far as security goes, I always recommend a dual-firewall setup.  Sure there's some added complexity, but by using firewalls from 2 different vendors, a vulnerability in your external firewall probably does not exist in your internal one.  So, even if they exploit that external firewall, now they have an entirely different one that they have to try to get past.  Plus, with ISA server you can publish that internal IIS server through it, rather than doing a simple port forward, picking up a lot of extra security on the way.

    Also, keep in mind that the Linksys router is a very simple device.  It doesn't do any of the fancy stuff that ISA can do, like IDS, packet inspection, secure server publishing, caching.

    Gargantubrain brings up a good point.  Your users probably aren't going to notice the higher latency unless they're gaming.  And should they be doing that at work?  No.  If you use the Acceleration portion of ISA server (caching), they should actually experience a seemingly faster Internet experience for those frequently accessed sites, because they're cached on your server.

    There's a lot of stuff ISA can do.  You've already paid for it, so you might as well use it.  Check out http://www.isaserver.org/ for more info.  I also have the Security Hardening Guide for ISA 2004.  Damned if I can remember where I got it from, but I'll email it to you if you want.  Also, if you're going to stick with ISA 2000, the NSA put out a pretty good guide, as I recall.  Their security guides are available from http://www.nsa.gov/snac/.

    I just caught that you now have a firebox, also.  Step up to ISA 2004, and you can do multiple Internet connections from that box with just an extra NIC.  So, you could have 2 low-end broadband connections instead of 1 expensive high-end.  You wouldn't even need a static ip on that 2nd connection and could just use it for browsing.  Now, your other line is less saturated and can do a more efficient job of serving your web pages.
    0
     
    LVL 2

    Author Comment

    by:dtolo
    Hello,

    Werewolf, I think we are definitely getting somewhere here; if you want to send me material it's david at tolo dot us.
    If anyone can let me know how to implement and install ISA 2004 for free on SBS 2003 I would be psyched.  I am going to split up some points and continue this question now.

    Thanks guys,
    ~David
    0
     
    LVL 2

    Author Comment

    by:dtolo
    0
     
    LVL 4

    Expert Comment

    by:WerewolfTA
    Thanks for the points.  I emailed you that document.  I just looked around for the ISA 2004 upgrade.  It appears that it will be included as part of SP1 for SBS 2003 Premium (forgot that they started offering 2 versions of SBS with 2003).  If you don't have Premium, ISA isn't included.  MS is saying on its website (http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx) that SP1 will ship shortly after SP1 for regular Server 2003, but no definite timeframe yet.  But, get this, they may charge for the service pack.  The details are under the New Product Upgrades section.  Kind of like how the free Real Time Communications Services became Live Communications Server with a price tag and CALs.  Go Microsoft!  Charge us for all you can!
    0
     
    LVL 2

    Author Comment

    by:dtolo
    Bummer,

    I don't know if I can get these guys to spring for more software and I didn't get the premium edition.  The guide will help though and there are some good security links on it.  I will continue any other questions I have about all of this on the link above.
    0
     
    LVL 7

    Expert Comment

    by:tymes
    UPnP wouldn't work, so you might not get some apps like conferencing or VoIP (or networked games etc.) to work.  I would look at setting them up in parallel rather than in series, but again, you could and should lock down the servers and not have to worry too much about the routers.  One reliable router is probably best.

    0
