The first thing that I will say, and this can't be stressed enough, do not
run a firewall on the same box as a web server! Web, email, and application
servers have always been problematic with regard to security. Their very
nature is to share files, the exact opposite of what you want from a
firewall. By building your firewall on top of these other services you
immediately undermine the integrity of the tool that is meant to be your
protection against attack. One of the most devastating network/host
intrusions is the rooting of a firewall. Administrators often trust these
boxes implicitly, which is not a good practice. Many networks are built with
a single firewall on the outside perimeter to the Internet. The internal
network is typically left wide-open, with the belief that the almighty
firewall is holding off the marauding hordes. So, if the firewall is hacked,
your whole organization is more likely to be at risk. With all of your core
services running on one box it makes it much easier to mount a DoS attack
against it or find another vulnerability. There are many more issues involved;
an email is too short a space.

As for performance, I think you'd be killing the server. I don't know your
current or expected loads for each service but, if you decide to continue
down this route I'd really recommend having the full range of services load
tested. You will need to be aware of the space requirements for all of the
various log files that these services generate. Backups may be problematic
with so many files open by users and processes. One application may require
specific backup software that conflicts with something else. There are
specific versions of anti-virus software for Exchange and some other
products. Will these products also protect your web server files? Firewalls
are very CPU intensive, and if you are logging many attributes, very disk
intensive also. Keep in mind that the firewall is a single point of entry
and exit. Therefore, any network traffic passing through it will incur a bit
of latency while the firewall inspects each packet and applies rules to it.
The computer will also be busy sending and receiving emails, dynamically
running anti-virus software, processing CFML/ASP/JSP/etc. and their
associated components, doing base level OS stuff, etc., etc., etc., all the
while client and server connections are timing out or users are experiencing
choppy performance. This leads to packet retransmission, which creates a lot
more packets, which seriously degrades your network efficiency, all of which
lead to more load on an already swamped server. Then, crash! No firewall, no
proxy, no email, no web server, no nothing.

In other words, do not run a firewall on the same box as a web server! ;)

Regards,
Steve

-----Original Message-----
From: Scott Brader [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 10:01 AM
To: CF-Talk
Subject: OT: IIS and ISA on same server

I'm sorry for the OT question, but I figured someone here may be able to
help me.

I just put in a Windows 2000 Server. I need it to serve as my webserver,
email server and proxy/firewall. I installed IIS 5.0 without a problem,
however, when I installed ISA, the server is no longer available to the
outside world. What do I need to do to make it work? I thought about going
with WinGate, but every time my workstations boot up and log in, the Server
restarts.

I'm looking for recommendations. I'm not above spending some money to get
different software, if that's what's required, but I don't know where to go.

Thanks,
Scott

Scott Brader
Prairie Software Development LLC
101 East Sadd Street
PO Box 235
North Prairie, WI 53153-0235
Phone: 262.392.9173
Fax: 262.392.9174
Toll Free: 888.821.3427
Mobile: 262.490.1376
Amateurs practice until they get it right,
Experts practice until they can't get it wrong.