* This is the modus mailing list *

We use the Cisco IOS firewall feature set as well. It was incredibly simple
to set up. Enable IP inspection on your WAN interfaces, then use an extended
ACL to open only those ports that are needed for outside client access (www,
ftp, etc).

In my opinion, this solution offers the best protection for the least amount
of network reworking (assigning private IPs to your servers, etc) and
doesn't require NAT, which means employees behind the firewall work with
servers just like clients outside the firewall will (none of this "well, if
you're here, the www server is 10.10.10.10 but if you're at home it's
111.222.111.222").

Set up a syslog server to log to SQL and you can easily create web-based
reports on YOUR terms, rather than what the firewall software THINKS you
want to see.

To date, I haven't heard an argument to make me look at anything else.



Brad Johnson
  Systems Administrator
    Local Link Network Operations
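
The syslog-to-SQL reporting idea in the message above, as an added example that is not part of the original message or of any Cisco tooling. It assumes SQLite as a stand-in for the SQL server, a hypothetical `acl_hits` table, and constructed log lines in the IOS `%SEC-6-IPACCESSLOGP` format:

```python
import re
import sqlite3

# Constructed sample input: IOS ACL log messages as a syslog server would store them.
# Addresses are documentation ranges; hostname and ACL number are made up.
SAMPLE_LOG = """\
Feb  8 11:02:13 gw1 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4421) -> 192.0.2.10(1433), 1 packet
Feb  8 11:02:19 gw1 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4422) -> 192.0.2.10(1433), 3 packets
Feb  8 11:03:01 gw1 47: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(3310) -> 192.0.2.10(1433), 1 packet
Feb  8 11:03:40 gw1 48: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1025) -> 192.0.2.20(1434), 2 packets
Feb  8 11:04:02 gw1 49: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.9(2044) -> 192.0.2.30(80), 1 packet
Feb  8 11:04:30 gw1 50: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 192.0.2.10 (8/0), 1 packet
Feb  8 11:05:00 gw1 51: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.200)
"""

# TCP/UDP ACL hits only; the syslog prefix before the %SEC tag is ignored.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?")

def load(lines, db):
    """Insert parsed ACL hits into acl_hits; return how many lines were skipped."""
    db.execute("CREATE TABLE IF NOT EXISTS acl_hits (acl TEXT, action TEXT, proto TEXT,"
               " src TEXT, sport INTEGER, dst TEXT, dport INTEGER, packets INTEGER)")
    skipped = 0
    for line in lines:
        m = ACL_RE.search(line)
        if not m:  # ICMP (IPACCESSLOGDP) and non-ACL messages are counted, not hidden
            skipped += 1
            continue
        row = m.groupdict()
        for key in ("sport", "dport", "packets"):
            row[key] = int(row[key])
        db.execute("INSERT INTO acl_hits VALUES "
                   "(:acl, :action, :proto, :src, :sport, :dst, :dport, :packets)", row)
    db.commit()
    return skipped

def denied_by_port(db):
    """Report rows: (destination, port, distinct sources, total packets) for denied traffic."""
    return db.execute(
        "SELECT dst, dport, COUNT(DISTINCT src), SUM(packets) FROM acl_hits "
        "WHERE action = 'denied' GROUP BY dst, dport "
        "ORDER BY SUM(packets) DESC, dst, dport").fetchall()

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    print("skipped lines:", load(SAMPLE_LOG.splitlines(), conn))
    for row in denied_by_port(conn):
        print(row)
```

The `log` keyword on the ACL entry is what makes the router emit these messages; entries without it produce nothing for the report to count.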
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Jeff Willis - MIS
Sent: Sunday, February 08, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: [Modus] Firewall and Security

We use the Cisco IOS firewall feature set in our Cisco routers
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/index.shtml

This allows us to open only the ports that are necessary for operation. As a
web hosting company with over 800 servers, firewall protection is an absolute
must. We are using 10 Cisco routers in various configurations.

We actually restrict access to certain ports for each server,
i.e. a web server will only have ftp, www, https open for inbound
connections.

A suggestion for sql server - since we rent dedicated sql servers, we use an
alternate port (1443 is always closed in the firewall) and restrict that
port to only allow the client IP address to access.

The IOS feature set also has http, ftp, etc. dynamic ACLs. This resolves the
FTP problem with just using extended ACLs.

This has worked great for us and we have never been attacked, but have
blocked many attacks.

The basic rule is close EVERYTHING unless it is needed.

Jeff



----- Original Message ----- 
From: "Cary Fitch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, February 08, 2004 08:28
Subject: [Modus] Firewall and Security


One of the things we are about to do is move our SQL Server to a private
address.

Since the only machines that need to talk to it are: Mail Server, Radius
Server(s), Web Server (Rodopi), that are on our network, it should be able
to be on private (non publicly routable) addresses, and visible only to our
own net, thus protecting it from much "ill will".

Those machines will have public and private addresses, but the SQL Server
would have only a private address.

Other firewalling is also in progress.

Cary Fitch

Attend Peering Conference for ISP's,
April 23-24, 2004, Dallas Texas
Full info: http://www.peercon.org

----- Original Message ----- 
From: "Globalnet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, February 08, 2004 10:16 AM
Subject: [Modus] Firewall and Security


> We are looking for some info in regards to security.
>
> We have been approached by a security advisor that recommends we place our
> network behind a hardware firewall such as the Sonicwall Pro 230.
>
>
> Our concern is how does this affect the network, etc. in the sense as one
> who is an ISP, with all the various servers, network issues, etc.,
> bandwidth? Just about every aspect?
>
> Basically here we are in the blind, we want to secure all of our servers,
> especially our SQL NT machine running Rodopi, mail server running
> Modusmail, and web servers, and FTP servers, and Radius servers.
>
> Is hardware the best to go or what does one recommend in this issue?
>
> Any insight here would be appreciated.
>
>
> **
> To unsubscribe, send an Email to: [EMAIL PROTECTED]
> with the word "UNSUBSCRIBE" in the body or subject line.

