Thanks Steve. I'm quite comfortable installing NICs and working with
multiple NICs in a single computer. I'm not sure that's the route I
ultimately want to take either, though. I'm leaning now toward putting a
3Com OfficeConnect Internet Firewall DMZ in. The DMZ port allows me to make
my web/email server accessible from the outside world while protecting my
internal computers. The firewall runs about $1,200 on the street, which
makes it quite a bit cheaper than buying the full ISA license that I had
originally been planning on anyway.

Scott

Scott Brader
Prairie Software Development LLC
101 East Sadd Street
PO Box 235
North Prairie, WI 53153-0235

Phone: 262.392.9173
Fax: 262.392.9174

Toll Free: 888.821.3427
Mobile: 262.490.1376

Amateurs practice until they get it right,
Experts practice until they can't get it wrong.
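The three-zone layout Scott settles on above (Internet, a DMZ holding the web/mail host, and a protected internal network) and the NAT "transparent mapping of services to internal IP" that Steve describes below are the same design, whatever box enforces it. The ruleset here is an added example written for this thread, not a configuration from either poster or from the 3Com product; it is expressed as a Linux nftables ruleset because that is a common way to write such a policy today, and every interface name and address in it is an assumption.

```nftables
# Constructed example: a three-zone (Internet / DMZ / LAN) firewall policy.
# Interface names and addresses are assumptions for illustration only.
define wan = "eth0"              # Internet-facing interface
define dmz = "eth1"              # DMZ segment: the public web/mail host lives here
define lan = "eth2"              # internal workstations
define dmz_srv = 192.168.1.10    # the published server (private RFC 1918 address)

table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections we already allowed
        ct state established,related accept

        # The Internet may reach only the published services on the DMZ host
        iifname $wan oifname $dmz ip daddr $dmz_srv tcp dport { 25, 80, 443 } ct state new accept

        # Internal hosts may reach the DMZ and the Internet
        iifname $lan oifname { $dmz, $wan } accept

        # The DMZ host may reach the Internet (e.g. outbound mail) but never the LAN.
        # If the public server is compromised, this rule is what keeps the
        # internal network out of reach; the counter makes such attempts visible.
        iifname $dmz oifname $wan accept
        iifname $dmz oifname $lan counter drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Transparent mapping of the published ports to the DMZ host's private address
        iifname $wan tcp dport { 25, 80, 443 } dnat to $dmz_srv
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Mask the private address space behind the firewall's public address
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` on the firewall host, then watch the counter on the DMZ-to-LAN drop rule: any non-zero value there means something in the DMZ is probing inward, which on this layout should never happen.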

-----Original Message-----
From: Steve Bernard [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 12:29 PM
To: Scott Brader
Cc: [EMAIL PROTECTED]
Subject: RE: IIS and ISA on same server


That's a tough question. My first response would be that you should let
someone with a little more security experience help you, or do it for you.
The reason being, your one-man company, to a large degree, relies on the
stability and availability of the services that you provide. Adding to the
complexity, each one of the services that you mentioned also has its own
unique security requirements.

If you are going to do it alone for now, you may be best served by starting
with a caching proxy server that supports Network Address Translation (NAT).
The market leaders in this field also provide a decent firewall component.
It's not the same as running Firewall-1/Raptor/Gauntlet/etc., but it should
serve you nicely without overwhelming you. This will also allow you to use a
private non-routable address space, like 192.168.0.0, to mask your backend
machines, while providing a transparent mapping of services to internal IP
and caching content to accelerate access to web content. Both of the
following products are very good and should do everything that you
mentioned. I still strongly recommend that, if you use such a product, you
install it on a separate computer. Pay attention to the hardware
requirements too. For instance, most people aren't used to having to install
two network cards on one computer.

WinRoute Pro: http://www.tinysoftware.com/winpro.php
WinProxy: http://www.ositis.com/english/home/hm_smbs_home_en.asp

As an added piece of advice, be careful if/when posting questions about
security problems or detailing your security infrastructure. Security
help/faq newsgroups and listservs are often perused by people looking for
easy targets or who are casing a particular company/site. Be sure to mask
real passwords, ports, IP addresses, etc. if you ever post details of your
infrastructure. In moments of pressure caused by a non-working application
it's easy to forget about security and post questions like, "My shopping
cart security isn't working and people can get stuff for free! How can I
stop this?" (signed [EMAIL PROTECTED]) Any nefarious sort, and some
idly curious, will quickly go to "www.my_e_company.com/" and order all your
inventory for free! This sort of thing happens more often than you'd think.

Good luck, I hope this helps,

Steve


-----Original Message-----
From: Scott Brader [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: IIS and ISA on same server


Steve,
Thanks for your response. At this point, the company is just me, so the load
is really not going to be too high. I appreciate your input on separating
the firewall functionality out, though. Do you have any recommendations of a
SOHO firewall solution that would allow me to run my own mail/web server
inside and allow me to access the Internet? I'm sorry to sound so ignorant,
but I'm a developer, not a networking expert. I appreciate any insight you
can provide.

Thanks,
Scott


-----Original Message-----
From: Steve Bernard [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 9:57 AM
To: CF-Talk
Subject: RE: IIS and ISA on same server


The first thing that I will say, and this can't be stressed enough, is: do not
run a firewall on the same box as a web server! Web, email, and application
servers have always been problematic with regard to security. Their very
nature is to share files, the exact opposite of what you want from a
firewall. By building your firewall on top of these other services you
immediately undermine the integrity of the tool that is meant to be your
protection against attack. One of the most devastating network/host
intrusions is the rooting of a firewall. Administrators often trust these
boxes implicitly, which is not a good practice. Many networks are built with
a single firewall on the outside perimeter to the Internet. The internal
network is typically left wide-open, with the belief that the almighty
firewall is holding off the marauding hordes. So, if the firewall is hacked,
your whole organization is more likely to be at risk. With all of your core
services running on one box it makes it much easier to mount a DoS attack
against or find another vulnerability. There are many more issues involved,
an email is too short a space.

As for performance, I think you'd be killing the server. I don't know your
current or expected loads for each service, but if you decide to continue
down this route I'd really recommend having the full range of services load
tested. You will need to be aware of the space requirements for all of the
various log files that these services generate. Backups may be problematic
with so many files open by users and processes. One application may require
specific backup software that conflicts with something else. There are
specific versions of anti-virus software for Exchange and some other
products. Will these products also protect your web server files? Firewalls
are very CPU intensive, and if you are logging many attributes, very disk
intensive also. Keep in mind that the firewall is a single point of entry
and exit. Therefore, any network traffic passing through it will incur a bit
of latency while the firewall inspects each packet and applies rules to it.
The computer will also be busy sending and receiving emails, dynamically
running anti-virus software, processing CFML/ASP/JSP/etc. and their
associated components, doing base level OS stuff, etc., etc., all the
while client and server connections are timing out or users are experiencing
choppy performance. This leads to packet retransmission, which creates a lot
more packets, which seriously degrades your network efficiency, all of which
lead to more load on an already swamped server. Then, crash! No firewall, no
proxy, no email, no web server, no nothing.

In other words, do not run a firewall on the same box as a web server! ;)

Regards,

Steve


-----Original Message-----
From: Scott Brader [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 02, 2001 10:01 AM
To: CF-Talk
Subject: OT: IIS and ISA on same server


I'm sorry for the OT question, but I figured someone here may be able to
help me.

I just put in a Windows 2000 Server. I need it to serve as my web server,
email server and proxy/firewall. I installed IIS 5.0 without a problem;
however, when I installed ISA, the server was no longer available to the
outside world. What do I need to do to make it work? I thought about going
with WinGate, but every time my workstations boot up and log in, the server
restarts.

I'm looking for recommendations. I'm not above spending some money to get
different software, if that's what's required, but I don't know where to go.

Thanks,
Scott

Archives: http://www.mail-archive.com/[email protected]/