  • Status: Solved

Double router

Hello,

If 1 part of this post should be continued with another 500 points added let me know.  I will close questions out and continue them as appropriate.  I have unlimited points, because I have a paid membership.  I want to make sure I set this up right.

I am setting up a Dell PowerEdge 1600SC server with Windows 2003 SBS that is already connected to a peer-to-peer network.
It is using a Linksys router with a broadband connection (sole firewall/NAT), with email and port 80 forwarded to an existing workstation running IIS. With the server I also picked up a WatchGuard Firebox SOHO 6 firewall.

I need some ideas about security.

Is there any value to leaving the Linksys as the connection to broadband and setting up the server and/or the other devices on the SOHO, thereby having double NAT? If I do this and I use a different range of IPs for the two different networks (10.xxx and 198.xxx)

OK this can be the first part of the question.  
Asked by dtolo

Gargantubrain commented:
One problem with two (nested) NATs is that you will have to configure the forwarding on both devices every time you need a port opened.

Take port 80 for example.

If your internet address is 61.62.63.64, then you have to configure the outside router to forward 61.62.63.64:80 to 192.168.1.1:80.
Then you have to configure the inside router to forward 192.168.1.1:80 to 10.0.0.2:80 (your real web server).
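
To make the two-layer forwarding concrete, here is an added example (not from the thread) that models both forwarding tables and traces an inbound port through them; it also flags ports opened on the outer router that the inner one never forwards, which is the configuration slip nested NAT invites. The addresses are the ones used in the comment above; the rule format and the `linksys`/`firebox` labels are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One static port-forward rule: packets to dst_ip:dst_port are rewritten to to_ip:to_port."""
    dst_ip: str
    dst_port: int
    to_ip: str
    to_port: int

def apply_nat(rules, ip, port):
    """Translate (ip, port) through one NAT layer; None means no rule matched, so the layer drops it."""
    for r in rules:
        if r.dst_ip == ip and r.dst_port == port:
            return (r.to_ip, r.to_port)
    return None

def trace(layers, public_ip, port):
    """Walk a packet for public_ip:port through each (name, rules) layer in order.

    Returns (final_endpoint, hops, error); error names the first layer lacking a
    matching rule, the misconfiguration that nested NAT makes easy to create.
    """
    hops, cur = [], (public_ip, port)
    for name, rules in layers:
        nxt = apply_nat(rules, *cur)
        if nxt is None:
            return None, hops, f"{name}: no forward for {cur[0]}:{cur[1]}"
        hops.append((name, cur, nxt))
        cur = nxt
    return cur, hops, None

def unreachable_ports(layers, public_ip):
    """Audit: every port the outermost layer opens that does not reach a host behind all layers."""
    outer_rules = layers[0][1]
    opened = sorted({r.dst_port for r in outer_rules if r.dst_ip == public_ip})
    return [p for p in opened if trace(layers, public_ip, p)[2] is not None]

# Constructed sample configuration using the thread's illustrative addresses:
# public 61.62.63.64, inner router reached at 192.168.1.1, web server at 10.0.0.2.
OUTER = [Forward("61.62.63.64", 80, "192.168.1.1", 80),
         Forward("61.62.63.64", 25, "192.168.1.1", 25)]   # mail opened only on the outside
INNER = [Forward("192.168.1.1", 80, "10.0.0.2", 80)]      # inner layer forwards web but not mail
LAYERS = [("linksys", OUTER), ("firebox", INNER)]

if __name__ == "__main__":
    print(trace(LAYERS, "61.62.63.64", 80))           # ends at ('10.0.0.2', 80)
    print(unreachable_ports(LAYERS, "61.62.63.64"))   # [25]
```

Running the audit after every change to either device is the cheap way to catch the "opened on one box, forgotten on the other" mistake before users report a dead service.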

Gargantubrain commented:
Another problem is that SBS 2003 itself can also be the firewall, if you have two network cards in it. You could end up with a third firewall there :-)

mdubon3 commented:
I would not do it unless I really need the extra layer.  Adding an extra layer means adding more latency on your connection.  Usually this is a bad idea unless it is absolutely necessary.

dtolo (author) commented:
Well how much more secure does it make the network?

dtolo (author) commented:
Mdubon,

How much more latency?

Gargantubrain commented:
As far as extra security, it gives you multiple "zones":

DMZ (no filtering, exposed IP addresses)

--- First firewall ---

First zone (behind one firewall, filtering applies to traffic in and out of Internet, and in and out of 2nd zone)

--- 2nd firewall ---

Second zone (behind two firewalls, filtering applies to traffic in and out of 2nd zone)

...

So if someone were to "hack" all the way into the 2nd zone, they would have to break through more than one layer (or come in through a port you opened through both layers).

Latency is going to depend on your hardware. Pings will definitely have higher round trip times. You would notice it more on highly interactive two-way traffic like games. You would not likely see a decrease in large transfer speeds like file downloads and uploads, because your Internet connection itself is the bottleneck and TCP/IP handles packet lag pretty well.

dtolo (author) commented:
Gargantubrain,

I like your answer.  I will be port forwarding to the 2003 SBS server because it is my mail and web server.  What should I do to secure this, and are the two firewalls of no value in this scenario, because I am port forwarding?

WerewolfTA commented:
The thing with SBS is that it has ISA 2000 built in.  If you haven't already done so, you should talk to your vendor.  We attended a TechNet event on ISA 2004 and the speaker said that SBS 2003 users could get an upgrade to ISA 2004, either free or cheap, I don't remember.

As far as security goes, I always recommend a dual-firewall setup.  Sure there's some added complexity, but by using firewalls from 2 different vendors, a vulnerability in your external firewall probably does not exist in your internal one.  So, even if they exploit that external firewall, now they have an entirely different one that they have to try to get past.  Plus, with ISA server you can publish that internal IIS server through it, rather than doing a simple port forward, picking up a lot of extra security on the way.

Also, keep in mind that linksys router is a very simple device.  It doesn't do any of the fancy stuff that ISA can do, like IDS, packet inspection, secure server publishing, caching.

Gargantubrain brings up a good point.  Your users probably aren't going to notice the higher latency unless they're gaming.  And should they be doing that at work?  No.  If you use the Acceleration portion of ISA server (caching), they should actually experience a seemingly faster Internet experience for those frequently accessed sites, because they're cached on your server.

There's a lot of stuff ISA can do.  You've already paid for it, so you might as well use it.  Check out http://www.isaserver.org/ for more info.  I also have the Security Hardening Guide for ISA 2004.  Damned if I can remember where I got it from, but I'll email it to you if you want.  Also, if you're going to stick with ISA 2000, the NSA put out a pretty good guide, as I recall.  Their security guides are available from http://www.nsa.gov/snac/.

I just caught that you now have a firebox, also.  Step up to ISA 2004, and you can do multiple Internet connections from that box with just an extra NIC.  So, you could have 2 low-end broadband connections instead of 1 expensive high-end.  You wouldn't even need a static ip on that 2nd connection and could just use it for browsing.  Now, your other line is less saturated and can do a more efficient job of serving your web pages.

dtolo (author) commented:
Hello,

Werewolf, I think we are definitely getting somewhere here; if you want to send me material it's david at tolo dot us.
If anyone can let me know how to implement and install ISA 2004 for free on SBS 2003 I would be psyched.  I am going to split up some points and continue this question now.

Thanks guys,
~David

WerewolfTA commented:
Thanks for the points.  I emailed you that document.  I just looked around for the ISA 2004 upgrade.  It appears that it will be included as part of SP1 for SBS 2003 Premium (forgot that they started offering 2 versions of SBS with 2003).  If you don't have Premium, ISA isn't included.  MS is saying on its website (http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx) that SP1 will ship shortly after SP1 for regular Server 2003, but no definite timeframe yet.  But, get this, they may charge for the service pack.  The details are under the New Product Upgrades section.  Kind of like how the free Real Time Communications Services became Live Communications Server with a price tag and CALs.  Go Microsoft!  Charge us for all you can!

dtolo (author) commented:
Bummer,

I don't know if I can get these guys to spring for more software and I didn't get the premium edition.  The guide will help though and there are some good security links on it.  I will continue any other questions I have about all of this on the link above.

tymes commented:
UPnP wouldn't work, so you might not get some apps like conferencing or VoIP (or networked games etc.) to work.  I would look at setting them up in parallel rather than in series, but again, you could and should lock down the servers and not have to worry too much about the routers.  One reliable router is probably best.
