Firewall Protection for New MS Small Biz 2003 Server

Greetings all,

I'm a total newbie at MS Small Biz Server.  I know enough about networking to be dangerous to myself and those around me.

The MS instructions seem to be incomprehensible murk.

Many questions:  What is the best (most secure) way to hook our new server up to the Internet?  Right now, it's behind a Symantec Security Appliance.  The server has 2 NICs.  We want to host our own SSL extranet, as well as have FTP, mail, etc.

Hardware firewall a good idea?  If yes, then which one?  Will the Symantec work?  Or would a Cisco PIX or NetScreen 5GT (or something else) be better?

We have purchased 5 fixed IPs.  A regular website would use one of the IPs.  The SSL extranet uses another.  How do you do the routing so that a user can get through to the correct IP?

Thanks in advance,

/RO/
raortman asked:
jabiii commented:
Well, there are obviously a lot of possible configurations you could use, using NetScreen or not.

Let's say you are using NetScreen.
You can use a layer 3 solution or layer 2.

In the layer 2 solution your servers would all have their public IPs and the FW/VPN would have one of the IP addresses, and it would be like this...
ISP gateway 1.1.1.1 <> NS 1.1.1.2 <> Servers 1.1.1.3-6
All traffic to and from the servers would be going through the NetScreen, but not being routed by it, only acting as a transparent firewall (hence transparent mode).

Layer 3:
ISP gateway 1.1.1.1 <> NS 1.1.1.2 / NS 192.168.1.1 <> servers/computers 192.168.1.2-254
In this case all traffic from anything on the right (comps/servers) would use the default gateway of the NS and be routed to/from the Internet.
Coming from the outside, the NetScreen would basically have a listing of all 5 of the public IPs, keeping 1 public for itself, and assigns the other 4 IPs directly to one of the internal servers, or maps the public IPs, and which port is being used, to the correct server.


Using MIP (mapped IP): any connection to 1.1.1.3 would be sent to server 192.168.1.3, for example.

Using VIP: anything connecting to port 80 on IP 1.1.1.3 would be sent to 192.x.x.3, any port 22 sent to 1.1.1.3 would be sent to server 192.x.x.4, anything sent to port 25 at 1.1.1.3 would be sent to server 192.x.x.5, etc. You can send the ports anywhere you want. If you have 2 internal servers using the same port then you would use a secondary external address, etc.

Juniper's website has really good info for you.
Does this help?
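To make the MIP versus VIP distinction in the comment above concrete, here is a small Python model of the two destination-mapping styles. It is an added example, not ScreenOS configuration and not code from jabiii or Juniper: the 1.1.1.x public and 192.168.1.x private addresses are the placeholders used in the comment, and the port-to-server assignments are constructed to follow its description.

```python
"""Model of MIP and VIP destination mapping on a NetScreen-style firewall.

Added illustration, not ScreenOS code and not part of the original post.
Addresses are the thread's placeholders (1.1.1.x public, 192.168.1.x private)
and the port assignments are constructed to follow the description above.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DestinationMapper:
    """Destination translation the firewall applies to inbound packets.

    MIP: one public address maps to one private host, every port unchanged.
    VIP: one public address is split by destination port, each port going to
         a (possibly different) private host.
    """
    mips: dict[str, str] = field(default_factory=dict)
    vips: dict[tuple[str, int], tuple[str, int]] = field(default_factory=dict)

    def add_mip(self, public_ip: str, private_ip: str) -> None:
        # A public address is either a MIP or a VIP, never both.
        if public_ip in self.mips or any(ip == public_ip for ip, _ in self.vips):
            raise ValueError(f"{public_ip} is already used by another mapping")
        self.mips[public_ip] = private_ip

    def can_forward(self, public_ip: str, port: int) -> bool:
        """True if a new VIP entry for public_ip:port could still be added.

        A port can only be forwarded once per public address, which is why a
        second internal server on the same port needs a second public IP.
        """
        return public_ip not in self.mips and (public_ip, port) not in self.vips

    def add_vip(self, public_ip: str, port: int, private_ip: str,
                private_port: int | None = None) -> None:
        if not self.can_forward(public_ip, port):
            raise ValueError(
                f"{public_ip}:{port} is already mapped; use another public IP")
        self.vips[(public_ip, port)] = (private_ip, private_port or port)

    def translate(self, dst_ip: str, dst_port: int) -> tuple[str, int] | None:
        """Return the private (host, port) a packet is sent to, or None.

        None means no mapping matched, so the firewall has nowhere to send
        the packet. A MIP answers for every port; which services are then
        actually allowed through is a separate policy decision, not something
        the mapping itself restricts.
        """
        if dst_ip in self.mips:
            return (self.mips[dst_ip], dst_port)
        return self.vips.get((dst_ip, dst_port))


def build_example() -> DestinationMapper:
    """Constructed configuration following the two cases in the comment above."""
    m = DestinationMapper()
    # VIP: one public address, split by port across three internal servers.
    m.add_vip("1.1.1.3", 80, "192.168.1.3")   # public web site
    m.add_vip("1.1.1.3", 22, "192.168.1.4")   # SSH to a second box
    m.add_vip("1.1.1.3", 25, "192.168.1.5")   # mail server
    # MIP: a second public address dedicated to the SSL extranet host.
    m.add_mip("1.1.1.4", "192.168.1.6")
    return m


if __name__ == "__main__":
    mapper = build_example()
    for dst in [("1.1.1.3", 80), ("1.1.1.3", 443), ("1.1.1.4", 443), ("1.1.1.4", 3389)]:
        print(f"{dst[0]}:{dst[1]} -> {mapper.translate(*dst)}")
    # A second server that also needs port 80 cannot share 1.1.1.3.
    print("second port-80 server fits on 1.1.1.3:", mapper.can_forward("1.1.1.3", 80))
    print("second port-80 server fits on 1.1.1.5:", mapper.can_forward("1.1.1.5", 80))
```

Two things the model makes visible: a VIP only answers for the ports you list (443 on 1.1.1.3 goes nowhere unless you add it), while a MIP translates every port to the inside host, so the firewall policy, not the mapping, is what keeps unwanted services off that server. The `can_forward` check is the reason for the "secondary external address" remark: one public address can forward a given port only once.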
jabiii commented:
There are plenty of options you need to weigh when picking a FW, such as port forwarding, bandwidth utilization and restrictions, NAT, VPN capability, ease of use, cost, etc.
I would use Juniper NetScreen FW/VPNs. But it depends on your bandwidth and other needs as to which model to go with.

If your servers are on private IP space and you have 5 public, then you can use MIP or VIP on a NetScreen to get external people to connect.

Here is a firewall buyer's guide; granted, it's from Juniper so it might be slanted towards them, but it gives you an idea.
https://www.juniper.net/solutions/literature/buyer_guide/710008.pdf

Reference these two:
http://www.experts-exchange.com/Security/Firewalls/Q_21811815.html
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21704713.html
raortman (author) commented:
Hi jabiii,

Thank you for your comment and the links.  

Query:  How does the NetScreen handle the public IPs?  If I were hooking the server straight to the net, I could drop all our public IPs into its front NIC.  How do you accomplish the same goal with a router?  Sorry, I don't know the first thing about MIP or VIP...

/RO/