big_daddy_pimp

Best way to set up a secure SBS2003 network

I wish to find out the most secure way to set up a Windows SBS 2003 network, which obviously will be running Exchange. Do I need a DMZ? I will be running an FTP server.
This is what I have:
1 x SBS 2003 Server (Exchange, AD, RAS)
1 x Netbox Blue Firewall
1 x Windows 2003 Server (File Server)
20 x Workstations, all running XP
3 x HP Printers (Print Server?)
1 x FTP Server
1 x Wireless access point for internal domain users
1 x Wireless access point with access only to the internet, nothing else, for visitors

I have always set up my server, file server and workstations on the same IP range, 192.168.0.0, and forwarded the ports. Is this incorrect? Is there a more secure way to set up a network? Any input is greatly appreciated.

Big_Daddy
Imtiaz Hasham

Hi there,

The setup you have used is fine because you can use the firewall to NAT the public IP from the private IP (1st type of firewall) and then forward the relevant ports to the server (e.g. if your server is 192.168.0.2, forward port 25, SMTP, to receive emails) rather than DMZ the server. And don't open port 80, just 443!

Kind regards,
big_daddy_pimp

ASKER

Is it that simple? I am unsure. I have people telling me my network is insecure and that I should be running a DMZ for my mail server, etc.

Big_Daddy

Here's a scenario where you might use a DMZ: http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

Oops, you'll need to copy and paste that address; the (computing) wasn't hyperlinked for some reason.

Perhaps this will work instead? http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29

Tigermatt, I would like to correct you on one thing. And I don't want points for it ;-)
Setting up a DMZ does not mean that that server is accessible through every and any port.
A decent firewall allows exactly the same filtering from the internet to the DMZ as it does from the internet to the internal network.
Only some cheapo firewalls have what they call a DMZ which is just a full forward to a certain internal address. This really is not a DMZ.
The reason for a DMZ is for putting machines with public services in it, and separating those from your internal network. So when those get cracked there is another firewall hurdle (DMZ->internal) which protects your internal network.
A DMZ is usually used to host services which need to be accessible from internal and external.
Or to host a proxy.
And it is indeed not the place to put an SBS.

J.
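
The distinction drawn in the last reply (a filtered DMZ with a second DMZ->internal hurdle versus a "DMZ" that is just a full forward) can be modelled as a first-match rule table with default deny. This is an added example, not code from any poster in the thread; the SBS address 192.168.0.2 and ports 25/443 come from the thread, while the DMZ subnet 192.168.1.0/24, the FTP host 192.168.1.10 and all function names are assumptions.

```python
import ipaddress

# Constructed addressing: the LAN range and SBS address come from the thread,
# the DMZ subnet and FTP host address are assumptions made for this example.
ZONES = {
    "internal": ipaddress.ip_network("192.168.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
}

def zone_of(addr):
    """Map an address to a zone; anything outside the two subnets is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# First-match rules: (source zone, destination host, port or None for any, action)
RULES = [
    ("internet", "192.168.0.2", 25, "allow"),   # SMTP forwarded to the SBS
    ("internet", "192.168.0.2", 443, "allow"),  # HTTPS forwarded to the SBS
    ("internet", "192.168.1.10", 21, "allow"),  # FTP control channel, DMZ host
    ("internal", "192.168.1.10", 21, "allow"),  # LAN users reach the same host
]

def decide(rules, src, dst, port):
    """Return the action of the first matching rule; default is deny."""
    for src_zone, host, rule_port, action in rules:
        if zone_of(src) == src_zone and dst == host and rule_port in (None, port):
            return action
    return "deny"

def audit(rules):
    """Flag allow rules that defeat the purpose of a DMZ as described above."""
    findings = []
    for src_zone, host, port, action in rules:
        if action != "allow":
            continue
        if src_zone == "internet" and port is None:
            findings.append(f"full forward to {host}: not a real DMZ")
        if src_zone == "dmz" and zone_of(host) == "internal":
            findings.append(f"DMZ can reach internal host {host}:{port}")
    return findings

# The 'DMZ host' setting on a cheap router is equivalent to this single rule.
FAKE_DMZ = [("internet", "192.168.0.2", None, "allow")]
```

With `RULES`, a compromised FTP host at 192.168.1.10 still hits the default deny when it tries to reach the SBS, which is the second hurdle the reply describes; `audit(FAKE_DMZ)` reports the full forward.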