RE:RE: Pros and against using Multiple firewalls in a network running on Win2k Advanced server.(repost.. Previous post was missing the subject line)

From: Jorge Roxo (j.roxo@sotagus.pt)
Date: 09/27/01


From: "Jorge Roxo" <j.roxo@sotagus.pt>
To: <focus-ms@securityfocus.com>
Subject: RE:RE: Pros and against using Multiple firewalls in a network running on Win2k Advanced server.(repost.. Previous post was missing the subject line)
Date: Thu, 27 Sep 2001 09:14:28 +0100
Message-ID: <000001c1472c$6de67f00$8e7e12ac@tcsa.sotagus.pt>


-----Original Message-----
From: Patrick Andry
Cc: focus-ms@securityfocus.com
Subject: Re: Pros and against using Multiple firewalls in a network
running on Win2k Advanced server.(repost.. Previous post was missing the
subject line)
<snip>
>>A strong firewall to the outside and a high end switch capable of
VLANs should give you sufficient protection. This is of course assuming
you are running a NATed connection to the internet with only one IP
address. The VLAN would allow you to separate the traffic between
groups of computers, and should not affect server or LAN performance,
but rather improve it. Logging capability on the firewall and a
mirrored port on the switch would be huge recommendations.
<snip>

Yes, we run with only one IP to the proxy server (NAT), but I'm unaware
whether we have a VLAN. How could this be found out? Router? Server setup?

>>The largest problem you would have with virus spread would be contact
lists in Outlook or Outlook Express. Stress to the users how important
it is to not use these. Also use antivirus on every machine. I prefer
NAV, but the choice is ultimately yours.
<snip>

As a matter of fact we all do share a Main Contact Book which is
replicated - perhaps "replicated" might not be the best term to describe
it, but it's more or less what happens... - to all machines in our
network with the logon script. It overwrites the previous one with the
latest edition of the Company's internal address book, but users also
have their own separate contact/address book installed with Outlook 2000
or 2002. We have tried to stress to people that they should use their desk
agendas, not the Contacts/Address book that ships with Outlook, but they
always ignore this... which of course is the ever-present problem of
dealing with I.U. (Idiotic Users, for those that didn't know... (hardly
likely that you didn't...)). As to AV, we run Panda Platinum, and Panda
Titanium has also been purchased to replace the Panda Lite versions
on the slower desktops, but all machines have AV installed and daily
updated. So far Panda has worked awesome for us... (well, with the
exception of W32/Sircam, which still pops up every now and then on one
or another machine (I'll be damned if I can figure out where it keeps
coming from...)).

>>The final step would lie with the proxy server. What are you using
for a proxy? If you are using squid, I suggest an add-on program called
Dans Guardian. This program will filter internet content, block
specified mime types and files based on extension. It is fairly easy to
set up, can be as restrictive as you want it to be, and with the proper
configuration, you can have a really nice proxy setup.
<snip>

Yes, we are using Squid 2.4 as our proxy, though I'm rather worried
something might be wrong with it. Are any of you aware of any bugs with
Squid 2.4 and AMD Athlon, or between AMD Athlon and Red Hat Linux 6.1,
or any conflicts perhaps?

Where can I get Dans Guardian from? Shop? CD? Internet? Because I had not
heard of it before. By the way, are there any good manuals on that program
so as to make the configs?

Thanks for all your help, people =).

Jorge Roxo,
TCSA/Sotagus Computer Systems Administrator.
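The extension-based blocking that the quoted reply attributes to DansGuardian can also be done directly in Squid 2.4's own ACLs, which is worth knowing while evaluating the add-on. The fragment below is an added example and is not from the original post or from either product's documentation; the subnet 192.168.1.0/24 and the list of extensions are assumptions chosen for illustration. It shows the weak setting (a bare allow for the LAN) next to the hardened one (deny downloads of executable and script file types before the general allow). Squid evaluates http_access rules top to bottom and stops at the first match, so the order of the deny and allow lines matters.

```conf
# squid.conf fragment (added example, not the original poster's config).
# Assumed internal subnet; replace with the real one.
acl lan src 192.168.1.0/24
acl all src 0.0.0.0/0.0.0.0

# Weak: everything from the LAN is allowed, no content restriction.
#   http_access allow lan
#   http_access deny all

# Hardened: match the request path against extensions that the e-mail
# worms of the day (Sircam included) travelled as, case-insensitively.
acl dangerous_ext urlpath_regex -i \.(exe|com|pif|scr|bat|cmd|vbs|vbe|js|jse|wsf|wsh|hta|lnk)$

# Deny those downloads first, then allow the rest of the LAN, then deny
# everyone else. First match wins.
http_access deny lan dangerous_ext
http_access allow lan
http_access deny all
```

After editing, run `squid -k reconfigure` to reload without dropping connections, and watch access.log for TCP_DENIED entries to confirm the rule fires. DansGuardian does the equivalent from its bannedextensionlist file (one extension per line, e.g. `.exe`), with the advantage that it can also match on the MIME type of the response, which Squid 2.4's request-side ACLs cannot see.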