Proper firewall with 2003 Server?

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
Right now I have an SMC 8 port Router that shares out the DSL. We have a Domain with one DC.

We need more connections (at least 8 more), so we want to get a 16-port switch and have the DC serve out the DSL. We would probably use RRAS to do this. But how secure is this? We want to be able to close all incoming ports except for a few.
 

deran

Senior member
Oct 14, 2001
244
0
0
Maybe you can consider the Checkpoint firewall (Linky).
This is a true hardware-based firewall plus VPN. You can set up VPN secure remote access. I have been using this a lot for my clients. It is very stable and reliable and easy to use and configure. You can connect this device, with or without the router, to your broadband ISP.
 

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
That doesn't look like what we need. We are buying a separate 16-port switch from SMC for the internal PCs, of course. But we want to make sure that RRAS has proper firewalling. If not, then we would like a hardware-based firewall that doesn't limit the number of connections the way Checkpoint does unless you pay a lot more $. We also don't need VPN.
 

Abzstrak

Platinum Member
Mar 11, 2000
2,450
0
0
RRAS doesn't provide any security besides NAT. And the server is flat out on the Internet with a public IP (bad idea). I'd suggest a hardware firewall; Cisco PIX 501s are pretty cheap. If you're set on installing something on that server, then use ISA, not RRAS.

Also, for the switch, buy something from a more reputable company like 3Com or Intel; they won't cost much more than the SMC.
 

Abzstrak

Platinum Member
Mar 11, 2000
2,450
0
0
Yes, he could, just not what I'd consider a business-class solution (that router).
 

Abzstrak

Platinum Member
Mar 11, 2000
2,450
0
0
No reason to be set on ISA; it is more expensive than a Cisco PIX, and I'd trust the PIX over it. Plus it would be nice to offload the firewalling and routing tasks to something other than your server.

In case you haven't used a PIX before, it's pretty easy and it has a decent web interface for configuration. Another I'd recommend is a SonicWall; they are VERY easy to configure and very trustworthy.
 

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
The hardware is expensive though. I'd like to try it out, but with ISA, we can get it pretty easily with our Agreement with MS.
 

Abzstrak

Platinum Member
Mar 11, 2000
2,450
0
0
They're under $580, which is cheap considering the security you get. What kind of arrangement do you have with MS that will get you ISA?
 

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
We have an EA.

With the SonicWall, it says it's limited to x amount of nodes. Does that mean that's how many ports it has? If so, can't you uplink that to a switch?

The SonicWall TZ 170 sounds impressive though.
 

Z24

Senior member
Oct 19, 1999
611
0
0
I've been looking around at routers that support automatic dialup fail-over. One that I've found is www.snapgear.com. They seem to be quite reasonably priced compared to a lot of others. I'd like to hear comments from others on them.
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Number of nodes is a software/license issue, once it hits the limit it just won't assign IPs and/or translate, so the rest of the machines over the limit can't get to the Internet.

If you can really get ISA for under $600, go for it, but it's fairly expensive, so unless you get really good discounts it probably won't be that cheap.

A PIX with a 50 user license is around $600, and you can upgrade it to unlimited later for a couple hundred dollars if you need to go that route.

There are definitely benefits to having all of your firewalling done on a separate box. Just think about the times you have to patch the server, or something takes it down, or any other reason you'd have to reboot it: everyone loses Internet access.

May or may not be a big deal, it's something to think about though.
 

Garion

Platinum Member
Apr 23, 2001
2,330
6
81
In my most humble opinion, you're always cruising for a bruising when you try to mix too many things onto a server. This is especially important when one of those things is security and routing. There are simply so many frequent issues with Microsoft OSes that I'd never consider running one directly exposed to the Internet if it has any critical function or data you want to keep private. The only time I'd ever consider it would be a totally locked-down server with a 3rd-party firewall I trust (like Checkpoint) on it to lock the rest of things down.

In all my time of doing networking, the best advice that I've ever received is to keep things simple. Don't make servers do more than they absolutely have to. Don't add additional complex components when a simple one will do. This might sound contradictory, but in this case, it would be much better to install a new hardware-based firewall like a PIX 5xx and leave your server alone. You'll get better performance, better stability and WAY better security.

If the powers-that-be are unwilling to fund $500 for a PIX, tell them the alternatives: buy ISA Server for somewhere in the same range and expose your file server to the Internet. This will mean immediately installing patches when available, and the possibility of your server being DoS'ed, crashed, or worse, hacked into and your company's data penetrated. $500 sounds cheap to me. For most companies, downtime cost runs in the many thousands of dollars per hour. This is cheap insurance.

- G
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Kristi2k, admittedly, I'm showing some bias here, but every time someone shows me their "firewall" and it's running Windows, they no longer have any credibility with me. It's probably possible to build a good firewall out of a Windows system, but the odds are not in your favor, and the odds are that the kind of person who would WANT to build a Windows firewall is not the kind of person who'd get it right. Just don't do it. You'll be happier that way.

Your existing SMC router is okay. It's not industrial grade, but if you're using about eight ports right now and it basically handles your applications, it might well be about right for your scale. Just get a switch and connect the SMC router's built-in switch to the new switch, and you should be in good shape. For best performance, get one big switch to handle all the PCs and then only connect one port on the SMC's switch to that switch (don't plug other stuff into the SMC). But at your scale it might not really matter.

An entry-level PIX - a 501 or 506 - is a decent box. They've got more bugs and CLI misfeatures than I care for, especially in a trusted device. But if Cisco gives your management a warm fuzzy feeling, that might be the way to go.

Snap Gear and ZyXEL are both well regarded. SG just got bought out and that could be the end of them.

A Wal-Mart PC (the $199 model) and SmoothWall or IPCop or some other Linux/BSD based easy-to-use firewall distribution might also be a good choice.
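As an added illustration of the point running through this thread (not code from any poster): the original requirement was to "close all incoming ports except for a few", and Abzstrak's objection was that NAT on its own is not a firewall. The script below, for a Linux PC in the SmoothWall/IPCop role cmetz mentions, shows the two side by side: a NAT-only ruleset with ACCEPT policies, and a default-deny ruleset that only admits replies to connections the inside started plus an explicit list of TCP ports. Interface names, the LAN subnet and the example ports are assumptions; with DRY_RUN=1 (the default) it only prints the iptables commands so they can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny iptables ruleset for a
# Linux PC acting as the DSL gateway. Interface names, LAN subnet and the
# exposed ports are assumptions. DRY_RUN=1 (default) only prints the
# commands; DRY_RUN=0 applies them (requires root and iptables).

WAN_IF="${WAN_IF:-eth0}"               # assumed: interface facing the DSL modem
LAN_IF="${LAN_IF:-eth1}"               # assumed: interface facing the new switch
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: internal subnet behind NAT
DRY_RUN="${DRY_RUN:-1}"

# Print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# "NAT only": outbound replies get back in thanks to the MASQUERADE entry,
# but the filter policies are ACCEPT, so anything sent to the gateway's own
# public address (and anything it would route) is let through. This is
# address translation, not a firewall.
nat_only() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
}

# Default deny: drop everything arriving on the WAN side except replies to
# connections the inside started and the TCP ports passed as arguments.
default_deny() {
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # anti-spoofing: a packet from the WAN must never claim a LAN source
    ipt -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # loopback, plus traffic belonging to connections already allowed
    ipt -A INPUT   -i lo -j ACCEPT
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the LAN may talk to the gateway and out to the Internet
    ipt -A INPUT   -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # the few inbound TCP ports deliberately exposed; each one is a hole you own
    for port in "$@"; do
        case "$port" in
            *[!0-9]*|'') echo "bad port: $port" >&2; return 1 ;;
        esac
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # NAT for the LAN, added only after the filter rules are in place
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Example run (assumed ports): print the ruleset exposing only TCP 25 and 443.
default_deny 25 443
```

Note that the NAT-only variant never says "drop" anywhere; the only reason random inbound traffic goes nowhere is that there happens to be no listener for it on the gateway, which is exactly the situation a domain controller with a public address is in. The default-deny variant makes the allow list explicit, so every exposed port is a decision someone made rather than an accident of what was listening.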
 