My company has about 30 internet-enabled workstations. Currently, we have a Cisco 1720 router at the border between the ISP and our firewall. The firewall is one I built myself out of a multihomed Linux Fedora 2 machine running iptables. I am also running a Squid proxy server, which is caching our traffic and logging the sites workstations are visiting.
The money has come through to purchase a firewall, so I was looking at a PIX 506. However, I want to make sure this will do what I want.
Here is what I want to do.
VPN access from a remote site (basically to log in from home and run VNC, or view security cameras)
Email web access from the web for our Exchange users
Internet access for the 30 workstations in the building
Possibly offloading 10% of our website and redirecting it back home (here) for specialized data access (like viewing accounts or billing information). *This is the LEAST important.
Here is what we have now:
On the serial interface of the Cisco border router, we have a single IP address. This IP address is NAT'd on the router to "share" it with the entire building.
NO EMAIL in house (currently outsourced, but we will be purchasing Exchange to do this).
Because I have limited experience in this area, and know enough to get me in trouble, I need to know whether or not I need a block of addresses from my ISP to accomplish all of this, or whether I would be OK forwarding through the NAT on the router to the services I need. What are the pros/cons of doing it either way? From my understanding, IPsec cannot traverse NAT, making VPN a possible problem.
Also, do I really need to purchase a hardware firewall? The Linux box seems to be doing the trick, and goes beyond what firewalls on the market can do as far as logging sites, etc. The only thing I worry about is that it works so well that in 2 years, when the HDD crashes and I need to fix it, I will have forgotten how it worked and it will take a longer period of downtime.
Appreciate your Thoughts,
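An added example, not from the original poster, of what the "forward through the NAT" option looks like on the Linux firewall itself. It is written as a script that generates a complete iptables-restore ruleset instead of issuing iptables commands one by one, so the whole policy is a single file that can be kept in revision control and reloaded onto a rebuilt machine. Interface names, the LAN range, the internal hosts, the management SSH rule, the ports chosen (TCP 443 for Outlook Web Access, UDP 500/4500 for an IPsec endpoint that supports NAT traversal) and the Cisco static NAT line in the comment are all assumptions for illustration, not details from the post.

```shell
#!/bin/sh
# Generator for an iptables-restore ruleset on a multihomed Linux firewall that
# sits between a border router (which owns the single public IP and does NAT)
# and the office LAN. Every value below is an assumption for illustration.
#
# Router side (assumed IOS syntax, shown for context only): the router must
# pass the same ports on to the firewall's outside address, for example
#   ip nat inside source static tcp 10.0.0.2 443 interface Serial0 443

WAN_IF="eth0"             # interface facing the Cisco router (assumed)
LAN_IF="eth1"             # interface facing the workstations (assumed)
LAN_NET="192.168.1.0/24"  # office LAN (assumed)
OWA_HOST="192.168.1.10"   # future Exchange server for Outlook Web Access (assumed)
VPN_HOST="192.168.1.20"   # internal VPN endpoint (assumed)

# One published service per line: proto external_port internal_host internal_port label
# UDP 500/4500 assume an IPsec endpoint that does NAT traversal (NAT-T).
PORT_FORWARDS="
tcp 443 $OWA_HOST 443 outlook-web-access
udp 500 $VPN_HOST 500 isakmp
udp 4500 $VPN_HOST 4500 ipsec-nat-t
"

# Print the full ruleset in iptables-restore format on stdout.
gen_rules() {
    # nat table: DNAT the published services in, masquerade the LAN out.
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "$PORT_FORWARDS" | while read -r proto eport host iport label; do
        [ -n "$proto" ] || continue
        echo "# $label"
        echo "-A PREROUTING -i $WAN_IF -p $proto --dport $eport -j DNAT --to-destination $host:$iport"
    done
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo "COMMIT"

    # filter table: default-deny inbound and forwarded traffic, then allow
    # established flows, LAN-to-internet, and only the published services.
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"   # SSH management from the LAN only (assumed)
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "$PORT_FORWARDS" | while read -r proto eport host iport label; do
        [ -n "$proto" ] || continue
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $iport -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Count lines in the generated ruleset matching a pattern (sanity check).
count_rules() {
    gen_rules | grep -c -- "$1"
}

# Where Fedora's iptables init script reads the saved ruleset (assumed path).
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Write the ruleset to RULES_FILE and load it atomically. Run as root on the
# firewall only; the generator above is safe to run anywhere.
apply_rules() {
    gen_rules > "$RULES_FILE" && iptables-restore < "$RULES_FILE"
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run with no argument to print the ruleset for review (and to diff it against the last version); `apply` writes it to the saved-rules file and loads it with iptables-restore. Because the policy is regenerated from one commented script, a replacement box can be brought to the same state by checking out the script and running `apply`, rather than reconstructing rules from memory.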