Re: Hardware vs software firewall
From: Leythos (void_at_nowhere.com)
Date: 02/16/04
- In reply to: mapexvenus: "Hardware vs software firewall"
Date: Mon, 16 Feb 2004 13:33:17 GMT
In article <68838fa1.0402152145.160a3f66@posting.google.com>,
mapexvenus2002@yahoo.com says...
> Hi,
>
> I know that this question has probably been asked to death but I didn't
> find a lot of information online, hence the question again.
>
> This is our situation.
>
> * We are a company with about 15 PCs and using a T1 line to access
> the internet
>
> * We use Exchange 2000 for our mail system - our server will be behind
> our firewall once installed
>
> * We were advised by the person setting up our external connectivity
> to use the Linksys Instant Broadband EtherFast Cable/DSL Firewall
> Router - Router - between our network and the T1 line. He felt that
> this is a much better option compared to using a software firewall
> like ISA (for example)

The person giving the advice is going to get you hacked. The key to this
is the Exchange server; it needs to be behind a firewall APPLIANCE that
can also filter SMTP. The Linksys was a good start; it is not acceptable
to use a software firewall on an E2K box in my opinion, but the router
is not enough.

A typical setting for a small office is where they don't have their own
separate web server, but where they also run a web site off of the
Exchange server and also use Outlook Web Access (web based email) off
the SSL port on the same server. In this case you want the E2K box
sitting in the DMZ and the rest of the computers in the LAN (both are
separate ports behind the firewall). With this setting you can isolate
the E2K box enough that running a small web site, and email, and OWA off
the same box can be configured to not get you hacked.

A WatchGuard 700 will support your office and provides an SMTP Proxy that
will allow you to limit size of emails, and will remove specific content
based on the extension of the attachment - this has saved more customers
than I could shake a stick at.

> * I need to know if this is right or if we've screwed up. We haven't
> gone 'live' yet so we can still change things if we have to. Worst
> case scenario would be to use both the hardware and software firewall.

One other thing: purchase Symantec Small Business Edition 8.1 with
Exchange Filter for the server and each workstation/client. SBE 8.1 with
EF will also scan your email (and runs on the same server) and can even
process spam / RBL rules.
--
spamfree999@rrohio.com (Remove 999 to reply to me)
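
Added example, not part of the original post and not WatchGuard's code: a minimal Python sketch of the two SMTP-proxy rules the reply mentions, a message size limit and removal of attachments by file extension. The size limit, the extension list and the sample message are assumptions constructed for illustration.

```python
# Added illustration of the two SMTP-proxy rules described above.
# MAX_BYTES and BLOCKED_EXTS are assumed values, not WatchGuard settings.
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_BYTES = 5 * 1024 * 1024  # assumed message size limit
BLOCKED_EXTS = {".exe", ".scr", ".pif", ".bat", ".vbs", ".com"}  # assumed deny list


def is_blocked(filename):
    """Match on the final extension, so 'invoice.pdf.exe' is caught.
    Trailing dots and spaces are dropped first, as Windows ignores them."""
    name = filename.strip().rstrip(". ").lower()
    return os.path.splitext(name)[1] in BLOCKED_EXTS


def filter_message(raw):
    """Return (verdict, cleaned_bytes, removed_filenames)."""
    if len(raw) > MAX_BYTES:
        return "reject-size", None, []
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_blocked(name):
            removed.append(name)
            # set_content() clears the payload and Content-* headers first
            part.set_content(f"Attachment {name!r} removed by mail policy.\n")
    return ("stripped" if removed else "pass"), msg.as_bytes(), removed


def sample_message():
    """Constructed sample: one harmless and one deny-listed attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Invoice"
    m.set_content("See attached.")
    for fname, data in (("notes.txt", b"plain notes"), ("Invoice.pdf.EXE", b"constructed bytes")):
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    verdict, cleaned, removed = filter_message(sample_message())
    print(verdict, removed)
```

Extension matching only looks at the declared filename, so it complements rather than replaces content scanning on the mail server.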