* This is the modus mailing list *

Any ISP absolutely needs a firewall, and I would say it is recommended that it be a hardware-based firewall and that it include IDS detection and prevention. We use Netscreen firewalls on our network; over the past few years they have proven to be one of the best firewalls produced by any vendor, achieving near full line speed when doing VPN encryption. The Netscreen firewalls are stateful inspection firewalls that use policy-based management. http://www.netscreen.com/products/firewall/security/stateful_inspection.jsp

All of our servers are on private address space, and only the servers that need to be seen on the internet have a mapped IP, which maps a public IP to a private IP. Even then the server cannot be accessed from the internet unless I create a policy explicitly allowing traffic from one destination to another; this works for both in traffic and out traffic. So, for example, from our web servers I allow http, ftp, ssl to and from the internet but no other ports. The Netscreen also has extensive logging, so you can log traffic, attacks, and general use of your network.

I like this solution better than a Cisco solution because it is separate; this essentially gives you two layers of security. On our Cisco routers we use ACLs to limit the traffic we want to what server, then we filter this traffic again at the Netscreen level. To date we have never had a problem with an attack.

The Netscreens also allow you to set alarm levels which can page you or notify you when traffic gets above a certain point or a certain number of requests come in that should not be... Another cool feature is traffic shaping. On our Netscreens we set traffic priority levels, so for example I guarantee our mail server a certain amount of bandwidth and set that traffic to high priority, thus ensuring that, should we somehow peg our line usage, the services that are the highest priority will still have bandwidth... This also works well for collocation, as you can split off bandwidth that customers pay for; if they want 256KB, just slice it off using the Netscreen.

Lastly, the Netscreen is a wonderful VPN product. We host several SQL servers and Exchange boxes; in this config I typically set up a VPN for the connection, then create a policy allowing only the traffic I want over the VPN. Lastly, the Netscreen learning curve is not bad: a very straightforward, easy-to-manage product.

Jerod

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Globalnet
Sent: Sunday, February 08, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: [Modus] Firewall and Security

We are looking for some info as in regards to security.

We have been approached by a security advisor that recommends we place our network behind a hardware firewall such as the Sonicwall Pro 230.

Our concern is how does this affect the network, etc., in the sense as one who is an ISP, which all the various servers, network issues, etc. Bandwidth? Just about every aspect?

Basically here we are in the blind. We want to secure all of our servers, especially our SQL NT machine running Rodopi, mail server running Modusmail, and web servers, and FTP servers, and Radius servers.

Is hardware the best to go, or what does one recommend in this issue?

Any insight here would be appreciated.
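
Added example, not part of the original messages and not Netscreen or Cisco configuration: a small Python model of the two-layer setup described in the reply (router ACL first, then mapped IP plus explicit firewall policy with default deny). All addresses, ports and rule sets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Mapped IPs: public address -> private server (constructed sample values).
MIP = {"203.0.113.10": "10.0.0.10",   # web server
       "203.0.113.25": "10.0.0.25"}   # mail server

# Layer 1: router ACL on the public destination, as (network, tcp port).
# The pop3 entry stands for a rule left broader than intended.
ROUTER_ACL = [("203.0.113.0/24", 80), ("203.0.113.0/24", 443),
              ("203.0.113.10/32", 21), ("203.0.113.25/32", 25),
              ("203.0.113.25/32", 110)]

# Layer 2: firewall policy on the private destination; no match means deny.
FIREWALL_POLICY = {("10.0.0.10", 80), ("10.0.0.10", 443),
                   ("10.0.0.10", 21), ("10.0.0.25", 25)}


def router_permits(dst_public, port):
    """True if any router ACL entry covers this destination and port."""
    dst = ip_address(dst_public)
    return any(dst in ip_network(net) and port == p for net, p in ROUTER_ACL)


def evaluate(dst_public, port):
    """Return (verdict, detail) for an inbound connection from the internet."""
    if not router_permits(dst_public, port):
        return ("deny", "router-acl")
    private = MIP.get(dst_public)
    if private is None:                       # no mapping: nothing to reach
        return ("deny", "no-mapped-ip")
    if (private, port) not in FIREWALL_POLICY:
        return ("deny", "firewall-default-deny")
    return ("permit", private)


def deny_log(attempts):
    """Collect denied attempts with the layer that stopped them."""
    return [(d, p, why) for d, p in attempts
            for verdict, why in [evaluate(d, p)] if verdict == "deny"]


if __name__ == "__main__":
    sample = [("203.0.113.10", 80), ("203.0.113.10", 3389),
              ("203.0.113.50", 80), ("203.0.113.25", 110)]
    for entry in deny_log(sample):
        print("DENY dst=%s port=%d layer=%s" % entry)
```

The last sample attempt passes the router ACL but is stopped by the firewall's default deny, which is the benefit of filtering the same traffic twice on separate devices.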
