Solved

Firewall Protection for New MS Small Biz 2003 Server

Posted on 2006-04-17
Last Modified: 2013-11-16
Greetings all,

I'm a total newbie at MS Small Biz Server.  I know enough about networking to be dangerous to myself and those around me.

The MS instructions seem to be incomprehensible murk.

Many questions:  What is the best (most secure) way to hook our new server up to the Internet?  Right now, it's behind a Symantec Security Appliance.  The server has 2 NICs.  We want to host our own SSL extranet, as well as have ftp, mail, & etc.

Hardware firewall a good idea?  If yes, then which one?  Will the Symantec work?  Or would a Cisco PIX or NetScreen 5GT (or something else) be better?

We have purchased 5 fixed IPs.  A regular website would use one of the IPs.  The SSL extranet uses another.  How do you do the routing so that a user can get through to the correct IP?

Thanks in advance,

/RO/
Question by:raortman
LVL 9

Expert Comment

by:jabiii
ID: 16478993
There are plenty of options you need to weigh when picking a FW, such as port forwarding, bandwidth utilization and restrictions, NAT, VPN capability, ease of use, cost, etc.
I would use Juniper NetScreen FW/VPNs, but which model to go with depends on your bandwidth and other needs.

If your servers are on a private IP space, and you have 5 public, then you can use MIP or VIP on a Netscreen to get external people to connect.

Here is a FW buyer's guide. Granted, it's from Juniper, so it might be slanted towards them, but it gives you an idea.
https://www.juniper.net/solutions/literature/buyer_guide/710008.pdf

Reference these 2.
http://www.experts-exchange.com/Security/Firewalls/Q_21811815.html
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21704713.html
0
 

Author Comment

by:raortman
ID: 16479105
Hi jabiii,

Thank you for your comment and the links.  

Query:  How does the NetScreen handle the public IPs?  If I were hooking the server straight to the net, I could drop all our public IPs into its front NIC.  How do you accomplish the same goal with a router?  Sorry, I don't know the first thing about MIP or VIP...

/RO/
0
 
LVL 9

Accepted Solution

by:
jabiii earned 1000 total points
ID: 16479289
Well, there are obviously a lot of possible configurations you could use, using NetScreen or not.

Let's say you are using NetScreen.
You can use a layer 3 solution or layer 2.

In a layer 2 solution your servers would all have their public IPs and the FW/VPN would have 1 of the IP addresses, and it would be like this...
ISP gateway 1.1.1.1 <> NS 1.1.1.2 <> Servers 1.1.1.3-6
All traffic to and from the servers would be going through the NetScreen, but not being routed by it, only acting as a transparent firewall (hence transparent mode).

Layer 3:
ISP gateway 1.1.1.1 <> NS 1.1.1.2/NS 192.168.1.1 <> servers/computers 192.168.1.2-254
In this case all traffic from anything on the right (comps/servers) would use the default gateway of the NS and be routed to/from the internet.
Coming from the outside, the NetScreen would basically have a listing of all 5 of the public IPs, keeping 1 public for itself, and assigns the other 4 IPs directly to one of the internal servers, or maps the public IPs, and which port is being used, to the correct server.


Using MIP (mapped IP), any connection to 1.1.1.3 would be sent to server 192.168.1.3, for example.

Using VIP, anything connecting to port 80 on IP 1.1.1.3 would be sent to 192.x.x.3, any port 22 sent to 1.1.1.3 would be sent to server 192.x.x.4, anything sent to port 25 at 1.1.1.3 would be sent to server 192.x.x.5, etc. You can send the ports anywhere you want. If you have 2 internal servers using the same port then you would use a secondary external address, etc.

Juniper's website has really good info for you.
Does this help?
0
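The MIP and VIP mappings described in the accepted answer, modelled as an added example (not part of the original thread, and not NetScreen configuration syntax): it checks a planned layout for the port collision the answer mentions and shows which inbound destinations reach an internal host. The addresses are the answer's example ranges; the host assignments, the names `validate` and `resolve`, and the rule that a public IP used as a MIP cannot also carry VIPs are assumptions of this model.

```python
# Added illustration: a model of the MIP/VIP lookup, not NetScreen configuration.
# Addresses follow the answer's example ranges; host assignments are constructed.
FIREWALL_IP = "1.1.1.2"                                # kept by the firewall itself
PUBLIC_POOL = {f"1.1.1.{n}" for n in range(2, 7)}      # the 5 purchased public IPs

MIPS = {"1.1.1.4": "192.168.1.10"}                     # public IP -> host, every port
VIPS = [("1.1.1.3", 80, "192.168.1.3"),                # (public IP, port, host)
        ("1.1.1.3", 22, "192.168.1.4"),
        ("1.1.1.3", 25, "192.168.1.5")]


def validate(mips, vips):
    """Return the problems found in a planned MIP/VIP layout (empty list = clean)."""
    problems = []
    for pub in mips:
        if pub not in PUBLIC_POOL:
            problems.append(f"MIP {pub}: not one of the purchased public IPs")
        if pub == FIREWALL_IP:
            problems.append(f"MIP {pub}: address is reserved for the firewall")
    seen = {}
    for pub, port, host in vips:
        if pub not in PUBLIC_POOL:
            problems.append(f"VIP {pub}:{port}: not one of the purchased public IPs")
        if pub in mips:
            problems.append(f"VIP {pub}:{port}: address already mapped whole by a MIP")
        if (pub, port) in seen and seen[(pub, port)] != host:
            problems.append(f"VIP {pub}:{port}: claimed by {seen[(pub, port)]} "
                            f"and {host}; use a second public IP")
        seen.setdefault((pub, port), host)
    return problems


def resolve(dst_ip, dst_port, mips=MIPS, vips=VIPS):
    """Internal host an inbound connection is translated to, or None if unmapped."""
    if dst_ip in mips:                                 # MIP: one-to-one, any port
        return mips[dst_ip]
    for pub, port, host in vips:                       # VIP: per-port forwarding
        if (pub, port) == (dst_ip, dst_port):
            return host
    return None


if __name__ == "__main__":
    print(validate(MIPS, VIPS))                        # clean plan
    print(resolve("1.1.1.3", 80), resolve("1.1.1.3", 443))
    # Two servers wanting port 80 on one public IP: the collision the answer describes.
    print(validate(MIPS, VIPS + [("1.1.1.3", 80, "192.168.1.6")]))
```
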

Question has a verified solution.
