Solved

Double router

Posted on 2004-10-21
388 Views
Last Modified: 2013-12-04
Hello,

If 1 part of this post should be continued with another 500 points added, let me know.  I will close questions out and continue them as appropriate.  I have unlimited points, because I have a paid membership.  I want to make sure I set this up right.

I am setting up a Dell PowerEdge 1600SC server with Windows 2003 SBS that is already connected to a peer-to-peer network.
It is using a Linksys router with a broadband connection (sole firewall NAT), email and port 80 forwarded to an existing workstation running IIS.  With the server I also picked up a WatchGuard Firebox SOHO 6 firewall.

I need some ideas about security.

Is there any value to leaving the Linksys as the connection to broadband and setting up the server and/or the other devices on the SOHO, thereby having double NAT?  If I do this and I use a different range of IPs for the two different networks (10.xxx and 198.xxx)

OK this can be the first part of the question.  
0
Question by:dtolo
13 Comments
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12375937
One problem with two (nested) NATs is that you will have to configure the forwarding on both devices every time you need a port opened.

Take port 80 for example.

If your internet address is 61.62.63.64 then you have to configure the outside router to forward 61.62.63.64:80 to 192.168.1.1:80
Then you have to configure the inside router to forward 192.168.1.1:80 to 10.0.0.2:80 (your real web server)
0
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12375947
Another problem is that SBS 2003 itself can also be the firewall, if you have two network cards in it. You could end up with a third firewall there :-)
0
 

Expert Comment

by:mdubon3
ID: 12377929
I would not do it unless I really need the extra layer.  Adding an extra layer means adding more latency on your connection.  Usually this is a bad idea unless it is absolutely necessary.

0

 
LVL 2

Author Comment

by:dtolo
ID: 12379587
Well how much more secure does it make the network?
0
 
LVL 2

Author Comment

by:dtolo
ID: 12379609
Mdubon,

how much more latency?
0
 
LVL 3

Assisted Solution

by:Gargantubrain
Gargantubrain earned 800 total points
ID: 12380462
As far as extra security, it gives you multiple "zones"

DMZ (no filtering, exposed IP addresses)

--- First firewall ---

First zone (behind one firewall, filtering applies to traffic in and out of Internet, and in and out of 2nd zone)

--- 2nd firewall ---

Second zone (behind two firewalls, filtering applies to traffic in and out of 2nd zone)

...

So if someone were to "hack" all the way into the 2nd zone, they would have to break through more than one layer (or come in through a port you opened through both layers).

Latency is going to depend on your hardware. Pings will definitely have higher round trip times. You would notice it more on highly interactive two-way traffic like games. You would not likely see a decrease in large transfer speeds like file downloads and uploads, because your Internet connection itself is the bottleneck and TCP/IP handles packet lag pretty well.
0
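As an added illustration of the two points Gargantubrain makes above (a port must be forwarded on every nested NAT device, and each device adds a "zone"), here is a small Python audit script. It is not from this thread, Linksys, WatchGuard or Microsoft; the device names, addresses and forwarding rules are constructed for the example, modelled on the 61.62.63.64 -> 192.168.1.1 -> 10.0.0.2 walk-through. It follows each external port through the chain and reports where it ends up: reaching a host behind both layers, reaching a host in the first zone only, closed at the outer router, or forwarded on the outer router but never continued on the inner one (a dangling rule that does nothing useful and is easy to forget about).

```python
# Added example (not from the thread): trace external ports through a chain of
# nested NAT devices to see which hosts are actually exposed and at what depth.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, tcp port)


@dataclass
class NatDevice:
    """One NAT/firewall layer: its outside address and its port-forward rules."""
    name: str
    wan_ip: str
    # outside port -> (inside ip, inside port)
    forwards: Dict[int, Endpoint] = field(default_factory=dict)


@dataclass
class PortResult:
    port: int
    hops: List[str]                 # human-readable trace, one entry per layer
    reached: Optional[Endpoint]     # host that finally answers, or None
    depth: int                      # NAT layers crossed before traffic stopped
    dangling_at: Optional[str]      # inner device with no continuing rule, if any


def trace_port(chain: List[NatDevice], port: int) -> PortResult:
    """Follow one external port through the devices in outer-to-inner order."""
    hops: List[str] = []
    current: Endpoint = (chain[0].wan_ip, port)
    depth = 0
    for i, dev in enumerate(chain):
        if current[0] != dev.wan_ip:
            # The previous layer sent the traffic to an ordinary host in its own
            # zone rather than to the next router, so the trace ends there.
            break
        nxt = dev.forwards.get(current[1])
        if nxt is None:
            hops.append(f"{dev.name}: {current[0]}:{current[1]} -> no rule, dropped")
            # Dropped at the outer device means the port is simply closed;
            # dropped at an inner device means the outer forward is dangling.
            return PortResult(port, hops, None, depth, dev.name if i > 0 else None)
        hops.append(f"{dev.name}: {current[0]}:{current[1]} -> {nxt[0]}:{nxt[1]}")
        current = nxt
        depth += 1
    return PortResult(port, hops, current, depth, None)


def audit_exposure(chain: List[NatDevice], ports: List[int]) -> Dict[int, PortResult]:
    """Trace every port of interest and return the results keyed by port."""
    return {p: trace_port(chain, p) for p in ports}


def build_example_chain() -> List[NatDevice]:
    """Constructed scenario: outer Linksys-style router, inner Firebox-style router."""
    outer = NatDevice("outer-router", "61.62.63.64", {
        80: ("192.168.1.1", 80),     # web: continued on the inner router below
        25: ("192.168.1.1", 25),     # mail: forwarded here but NOT on the inner router
        443: ("192.168.1.50", 443),  # leftover rule to a workstation in the first zone
    })
    inner = NatDevice("inner-router", "192.168.1.1", {
        80: ("10.0.0.2", 80),        # the real web server behind both layers
    })
    return [outer, inner]


if __name__ == "__main__":
    chain = build_example_chain()
    for r in audit_exposure(chain, [80, 25, 443, 3389]).values():
        if r.reached:
            status = f"reaches {r.reached[0]}:{r.reached[1]} behind {r.depth} layer(s)"
        elif r.dangling_at:
            status = f"dangling: forwarded on outer device, no rule on {r.dangling_at}"
        else:
            status = "closed at outer device"
        print(f"port {r.port}: {status}")
        for h in r.hops:
            print("   ", h)
```

Running it lists port 80 as reaching 10.0.0.2 behind two layers, port 443 as reaching a host in the first zone only, port 25 as a dangling forward, and 3389 as closed. Feeding it your real rule tables is a quick way to confirm that the only things reachable from the Internet are the ones you meant to publish.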
 
LVL 2

Author Comment

by:dtolo
ID: 12380774
Gargantubrain,

I like your answer.  I will be port forwarding to the 2003 SBS server because it is my mail and web server.  What should I do to secure this, and are the two firewalls of no value in this scenario, because I am port forwarding?
0
 
LVL 4

Accepted Solution

by:WerewolfTA
WerewolfTA earned 1200 total points
ID: 12380899
The thing with SBS is that it has ISA 2000 built-in.  If you haven't already done so, you should talk to your vendor.  We attended a TechNet event on ISA 2004 and the speaker said that SBS 2003 users could get an upgrade to ISA 2004, either free or cheap, I don't remember.

As far as security goes, I always recommend a dual-firewall setup.  Sure there's some added complexity, but by using firewalls from 2 different vendors, a vulnerability in your external firewall probably does not exist in your internal one.  So, even if they exploit that external firewall, now they have an entirely different one that they have to try to get past.  Plus, with ISA server you can publish that internal IIS server through it, rather than doing a simple port forward, picking up a lot of extra security on the way.

Also, keep in mind that the Linksys router is a very simple device.  It doesn't do any of the fancy stuff that ISA can do, like IDS, packet inspection, secure server publishing, caching.

Gargantubrain brings up a good point.  Your users probably aren't going to notice the higher latency unless they're gaming.  And should they be doing that at work?  No.  If you use the Acceleration portion of ISA server (caching), they should actually experience a seemingly faster Internet experience for those frequently accessed sites, because they're cached on your server.

There's a lot of stuff ISA can do.  You've already paid for it, so you might as well use it.  Check out http://www.isaserver.org/ for more info.  I also have the Security Hardening Guide for ISA 2004.  Damned if I can remember where I got it from, but I'll email it to you if you want.  Also, if you're going to stick with ISA 2000, the NSA put out a pretty good guide, as I recall.  Their security guides are available from http://www.nsa.gov/snac/.

I just caught that you now have a firebox, also.  Step up to ISA 2004, and you can do multiple Internet connections from that box with just an extra NIC.  So, you could have 2 low-end broadband connections instead of 1 expensive high-end.  You wouldn't even need a static ip on that 2nd connection and could just use it for browsing.  Now, your other line is less saturated and can do a more efficient job of serving your web pages.
0
 
LVL 2

Author Comment

by:dtolo
ID: 12381525
Hello,

Werewolf, I think we are definitely getting somewhere here; if you want to send me material it's david at tolo dot us
If anyone can let me know how to implement and install ISA 2004 for free on SBS 2003 I would be psyched.  I am going to split up some points and continue this question now.

Thanks guys,
~David
0
 
LVL 2

Author Comment

by:dtolo
ID: 12381650
0
 
LVL 4

Expert Comment

by:WerewolfTA
ID: 12381935
Thanks for the points.  I emailed you that document.  I just looked around for the ISA 2004 upgrade.  It appears that it will be included as part of SP1 for SBS 2003 Premium (forgot that they started offering 2 versions of SBS with 2003).  If you don't have Premium, ISA isn't included.  MS is saying on its website (http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx) that SP1 will ship shortly after SP1 for regular Server 2003, but no definite timeframe yet.  But, get this, they may charge for the service pack.  The details are under the New Product Upgrades section.  Kind of like how the free Real Time Communications Services became Live Communications Server with a price tag and CALs.  Go Microsoft!  Charge us for all you can!
0
 
LVL 2

Author Comment

by:dtolo
ID: 12382331
Bummer,

I don't know if I can get these guys to spring for more software, and I didn't get the Premium edition.  The guide will help though, and there are some good security links in it.  I will continue any other questions I have about all of this on the link above.
0
 
LVL 7

Expert Comment

by:tymes
ID: 12623133
UPnP wouldn't work, so you might not get some apps like conferencing or VoIP (or networked games etc.) to work.  I would look at setting them up in parallel rather than in series, but again, you could and should lock down the servers and not have to worry too much about the routers.  One reliable router is probably best.

0
