Firewall Protection for New MS Small Biz 2003 Server

Greetings all,

I'm a total newbie at MS Small Biz Server.  I know enough about networking to be dangerous to myself and those around me.

The MS instructions seem to be incomprehensible murk.

Many questions:  What is the best (most secure) way to hook our new server up to the Internet?  Right now, it's behind a Symantec Security Appliance.  The server has 2 NICs.  We want to host our own SSL extranet, as well as have FTP, mail, etc.

Hardware firewall a good idea?  If yes, then which one?  Will the Symantec work?  Or would a Cisco PIX or NetScreen 5GT (or something else) be better?

We have purchased 5 fixed IPs.  A regular website would use one of the IPs.  The SSL extranet uses another.  How do you do the routing so that a user can get through to the correct IP?

Thanks in advance,


There are plenty of options you need to weigh when picking a FW, such as port forwarding, bandwidth utilization and restrictions, NAT, VPN capability, ease of use, cost, etc.
I would use Juniper NetScreen FW/VPNs. Which model to go with depends on your bandwidth and other needs.

If your servers are on a private IP space, and you have 5 public, then you can use MIP or VIP on a Netscreen to get external people to connect.

Here is a FW buyers' guide. Granted, it's from Juniper, so it might be slanted towards them, but it gives you an idea.

Reference these 2.

raortman (Author) commented:
Hi jabiii,

Thank you for your comment and the links.  

Query:  How does the NetScreen handle the public IPs?  If I were hooking the server straight to the net, I could drop all our public IPs into its front NIC.  How do you accomplish the same goal with a router?  Sorry, I don't know the first thing about MIP or VIP...

Well, there are obviously a lot of possible configurations you could use, using NetScreen or not.

Let's say you are using NetScreen.
You can use a layer 3 solution or layer 2.

In the layer 2 solution your servers would all have their public IPs and the FW/VPN would have 1 of the IP addresses, and it would be like this...
ISP gateway <> NS <> Servers
All traffic to and from the servers would be going through the NetScreen, but not being routed by it, only acting as a transparent firewall (hence transparent mode).

ISP gateway <> NS <> servers/computers
In this case all traffic from anything on the right (comps/servers) would use the default gateway of the NS and be routed to/from the Internet.
Coming from the outside, the NetScreen would have basically a listing of all 5 of the public IPs, keeping 1 public for itself, and assigns the other 4 IPs directly to one of the internal servers, or maps the public IPs and which port is being used to the correct server.

Using MIP (mapped IP): any connection to would be sent to server for example.

Using VIP: anything connecting to port 80 on IP would be sent to 192.x.x.3, any port 22 sent to 1..1.1.3 would be sent to server 192.x.x.4, anything sent to port 25 at would be sent to server 192.x.x.5, etc. You can send the ports anywhere you want. If you have 2 internal servers using the same port, then you would use a secondary external address, etc. etc. etc.

Juniper's website has really good info for you.
Does this help?
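To make the MIP/VIP distinction in the answer above concrete, here is an added example (not from the thread, and not ScreenOS configuration) that models the two rule types for a 5-address block: one address kept by the firewall, one MIP, and per-port VIPs for the web, mail, SSL extranet and FTP servers. All public and private addresses are constructed, and the rule that a second server on an already-used port needs another external address is enforced.

```python
# Added example: a model of NetScreen-style MIP (whole-address) and VIP (per-port)
# destination mapping. Addresses are constructed from documentation/private ranges.
from dataclasses import dataclass, field


@dataclass
class DnatTable:
    firewall_ip: str                              # public address the NetScreen keeps
    mips: dict = field(default_factory=dict)      # public_ip -> private_ip (every port)
    vips: dict = field(default_factory=dict)      # (public_ip, port) -> (private_ip, port)

    def add_mip(self, public_ip, private_ip):
        # A MIP forwards every port to one host, so the firewall policy on top of it
        # must still limit which ports are actually allowed in.
        if public_ip == self.firewall_ip or public_ip in self.mips \
                or any(ip == public_ip for ip, _ in self.vips):
            raise ValueError(f"{public_ip} is already in use")
        self.mips[public_ip] = private_ip

    def add_vip(self, public_ip, port, private_ip, private_port=None):
        if public_ip == self.firewall_ip or public_ip in self.mips:
            raise ValueError(f"{public_ip} is already in use")
        if (public_ip, port) in self.vips:
            # Two internal servers on the same port need a second external address.
            raise ValueError(f"{public_ip}:{port} already mapped; use another public IP")
        self.vips[(public_ip, port)] = (private_ip, private_port or port)

    def resolve(self, public_ip, port):
        """Return (private_ip, private_port), or None when nothing matches (dropped)."""
        if public_ip in self.mips:
            return (self.mips[public_ip], port)
        return self.vips.get((public_ip, port))


def build_table():
    """The questioner's layout: 5 public IPs, one reserved for the NetScreen itself."""
    t = DnatTable(firewall_ip="203.0.113.1")
    t.add_mip("203.0.113.2", "192.168.1.2")        # whole address -> one server
    t.add_vip("203.0.113.3", 80, "192.168.1.3")    # public web site
    t.add_vip("203.0.113.3", 25, "192.168.1.5")    # mail, sharing the same public IP
    t.add_vip("203.0.113.4", 443, "192.168.1.4")   # SSL extranet on its own address
    t.add_vip("203.0.113.5", 21, "192.168.1.6")    # FTP
    return t


def route(table, packets):
    """Classify constructed inbound (dst_ip, dst_port) pairs as forwarded or dropped."""
    return [(ip, port, table.resolve(ip, port) or "dropped") for ip, port in packets]


if __name__ == "__main__":
    for row in route(build_table(), [("203.0.113.2", 3389), ("203.0.113.3", 80),
                                     ("203.0.113.3", 443), ("203.0.113.1", 22)]):
        print(row)
```

The MIP line in the output is the caveat: 203.0.113.2 reaches every port on 192.168.1.2, so the allow-policy, not the mapping, is what keeps unwanted ports closed.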
