Title: RE: [Modus] FW: [Rodopi] Firewall and Security

Just as a backing for SiftX.  We have used Sonicwall for 4 years now and I will say it is easy to set up and great to use. 

The only issue I would see for an ISP is access for users who use VPN.  A firewall could cut out a VPN connection because the ports may not be open.  If you have a cluster of servers and can separate out "access" servers and your "Private" servers, you could use 2 firewalls.  One in the front of your service with looser rules and another to protect more sensitive information that is more locked down.

Good luck.

 
Andrew Poole

-----Original Message-----
From: SiftX Support [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 09, 2004 4:13 AM
To: [EMAIL PROTECTED]
Subject: [Modus] FW: [Rodopi] Firewall and Security

* This is the modus mailing list *

A reseller and you didn't tell him about the enhanced sonic os...shame on
you!

Thank you,

SiftX Support
866-891-0086
808-874-8916 Fax
www.siftx.com
----- Original Message -----
From: "Suneel Jhangiani" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, February 08, 2004 4:49 PM
Subject: [Modus] FW: [Rodopi] Firewall and Security



Forwarded here as I answered the original post on another list.

---
Every day I get up and look through the Forbes list of the
richest people. If I'm not there, I go to work.


(--------------------------------)         {((((((
(     Suneel Jhangiani           )        /_  _  )
(    Technical Director          )       ( .  .   )
( Inter-Computer Technology Ltd. )        ( /   )
(----------------------------------oOOo------------oOOo----)
( 40 James Street                Tel: +44 (0) 20 7486 9601 )
( London W1U 1EU                 Fax: +44 (0) 7050 678 978 )
( United Kingdom               Email: [EMAIL PROTECTED]     )
(             Website: http://www.inctech.com              )
(----------------------------------------------------------)




-----Original Message-----
From: Suneel Jhangiani [mailto:[EMAIL PROTECTED]]
Sent: 09 February 2004 02:21
To: [EMAIL PROTECTED]
Subject: [Rodopi] Firewall and Security

Hi,

It is highly recommended to secure your network behind a dedicated
firewall, however there are some pitfalls to watch out for.

Firstly, all your publicly accessible servers should be placed in what
is commonly called a DMZ (De-Militarized Zone). Your internal network
(including your billing system) should be placed behind a Bastion. Most
firewalls now allow for the two segments from the same system and the
ports are typically labelled WAN, DMZ and LAN.

When configuring security, your firewall by default should block access
to all ports on all segments. You should then enable the ports you
require for the systems you require.

Another consideration when choosing a firewall is the bandwidth that
will be transferred through. This is important as a firewall should
inspect each packet and hence would need adequate processing power.

I would imagine that a SonicWall Pro 230 would be suitable for your
current requirements as I doubt you are consuming large amounts of
bandwidth (greater than 100Mbps). I would also recommend the SonicWall
products as we have used them and are still currently resellers. The web
based management interface is a breeze to use, although access to
certain advanced functionality is hidden on a single Web Page only
accessible by keying in the full URL.

One issue to be aware of is how your servers communicate with your
billing system. This is critical as currently you use VOP Radius
(gathered this from another post) and Modus Mail. Both these products
connect directly to your SQL Server via ODBC and Stored Procedures which
would require you to allow access from these systems. However, if these
systems are ever compromised then an attacker would also have access to
your billing database. A workaround for this is to have a second SQL Server
sitting on the DMZ and propagate the authentication information required
from the billing server database to this other server. This way an
attacker gaining access to your Radius or Mail server would only have
access to the authentication data and not the credit card / accounting
information. You could also secure a single SQL Server with multiple
logins, but this does mean you need to be prevalent with patching your
servers to ensure that an intruder cannot gain higher permissions
through un-patched exploits.

As you appear to be mostly a Windows Shop I would highly recommend a
hardware based solution, however if you have *nix experience in-house
and some knowledgeable networking guys you could opt to build your own.
A home grown solution can offer better protection but requires constant
maintenance and the developers need a high degree of skill. A hardware
solution is more prone to exploits as a hacker who makes it through one
can publicize this and hence all become potential targets; that being
said most manufacturers are very quick at releasing patches.

In closing, what many people do not mention is the need for IDS
(Intrusion Detection Systems). Whilst it is most certainly a requirement
to secure your network with a firewall, it is not so obvious to have in
place an IDS. The key role for an IDS is to highlight any
vulnerabilities and redirect intruders to a sandbox.

---
A pessimist counting his blessings: 10 ... 9 ... 8 ... 7 ...


(--------------------------------)         {((((((
(     Suneel Jhangiani           )        /_  _  )
(    Technical Director          )       ( .  .   )
( Inter-Computer Technology Ltd. )        ( /   )
(----------------------------------oOOo------------oOOo----)
( 40 James Street                Tel: +44 (0) 20 7486 9601 )
( London W1U 1EU                 Fax: +44 (0) 7050 678 978 )
( United Kingdom               Email: [EMAIL PROTECTED]     )
(             Website: http://www.inctech.com              )
(----------------------------------------------------------)
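
An added example, not part of the original message: a small default-deny policy model for the WAN/DMZ/LAN layout described above, comparing DMZ servers that query the billing SQL Server directly with the second, authentication-only SQL Server on the DMZ. Host names, the rule format and the assumption that the billing server pushes data outward from the LAN are constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str
    port: int

# Constructed host names, not taken from the original post.
BILLING_SQL = "billing-sql"   # LAN: accounting and credit card data
AUTH_SQL = "auth-sql"         # DMZ: copy of the authentication data only
SQL_PORT = 1433               # default Microsoft SQL Server port

PUBLIC = [  # WAN -> DMZ services only; nothing from WAN reaches the LAN
    Rule("WAN", "DMZ", "mail", "tcp", 25),
    Rule("WAN", "DMZ", "web", "tcp", 80),
    Rule("WAN", "DMZ", "radius", "udp", 1812),
]
# Layout 1: RADIUS and mail in the DMZ connect straight to the billing DB.
DIRECT = PUBLIC + [Rule("DMZ", "LAN", BILLING_SQL, "tcp", SQL_PORT)]
# Layout 2: the billing server pushes auth data out to a DMZ SQL Server
# (assumption: replication is initiated from the LAN side).
SPLIT = PUBLIC + [Rule("LAN", "DMZ", AUTH_SQL, "tcp", SQL_PORT)]

def permits(rules, src_zone, dst_zone, dst_host, proto, port):
    """Default deny: traffic crosses the firewall only on an explicit rule."""
    if src_zone == dst_zone:
        return True  # same segment, the firewall is not in the path
    return Rule(src_zone, dst_zone, dst_host, proto, port) in rules

def audit(rules):
    """Flag rules that let a less trusted segment open connections to the LAN."""
    findings = []
    for r in rules:
        if r.dst_zone == "LAN" and r.src_zone in ("WAN", "DMZ"):
            findings.append(
                f"{r.src_zone} can reach {r.dst_host}:{r.port}/{r.proto} on the LAN"
            )
    return findings

if __name__ == "__main__":
    for name, policy in (("direct", DIRECT), ("split", SPLIT)):
        reach = permits(policy, "DMZ", "LAN", BILLING_SQL, "tcp", SQL_PORT)
        print(f"{name}: DMZ -> billing SQL allowed = {reach}; findings = {audit(policy)}")
```

In the split layout a compromised RADIUS or mail server still reaches the authentication copy, which sits on its own segment, but no rule lets it open a connection to the billing database.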




-----Original Message-----
From: Globalnet [mailto:[EMAIL PROTECTED]]
Sent: 08 February 2004 16:18
To: [EMAIL PROTECTED]
Subject: [Rodopi] Firewall and Security

We are looking for some info in regards to security.

We have been approached by a security advisor that recommends we place
our network behind a hardware firewall such as the Sonicwall Pro 230.

Our concern is how this affects the network, etc., in the sense of one
who is an ISP, with all the various servers, network issues, etc.
Bandwidth? Just about every aspect?

Basically here we are in the blind; we want to secure all of our
servers, especially our SQL NT machine running Rodopi, mail server
running Modusmail, and web servers, FTP servers, and Radius servers.

Is hardware the best to go or what does one recommend in this issue?

Any insight here would be appreciated.




---------------------
To Leave the Rodopi mail list send a message to
[EMAIL PROTECTED]
with the word LEAVE as the message body.

Please also visit the Rodopi FAQ at http://www.rodopi-faq.com
---------------------








**
To unsubscribe, send an Email to: [EMAIL PROTECTED]
with the word "UNSUBSCRIBE" in the body or subject line.

