Re: VPN Firewall for new webserver

From: Leythos (void_at_nowhere.org)
Date: 11/09/04


Date: Tue, 09 Nov 2004 12:09:07 GMT

In article <b09a4106.0411082017.40358c77@posting.google.com>,
nbaxley@gmail.com says...
> I'm setting up a webserver at a colocation and I need to put a VPN
> firewall in front of it. I'm on a fairly tight budget and I have
> about $100 - $500 to spend on the firewall.

You're not going to get a quality firewall for that amount, at least not
a new-in box one. You can get close, and D-Link makes a DI-804HV unit
that has features you can use, including the ability to remotely PPTP
into the D-Link and access the LAN side without running a VPN setup on
your computers.

> I need to allow the web
> traffic in of course, also FTP and SQL Server access, so port
> forwarding will be needed. Initially I'll only have one machine
> behind it but I may add another box later.

The PPTP to the D-Link would make this easy - you can access the entire LAN
once you connect.

One thing - DO NOT EXPOSE MS SQL PORTS TO THE NET, DO NOT EXPOSE 1433,
1434 to the internet under any circumstances. If you require those ports
to be exposed you designed a bad solution. If you want to give remote
users access to the SQL server, let them do it through a VPN session.

Also, don't allow FTP via an anonymous user, your server will be
hacked sooner than you think. Take a look at FileZilla for FTP server
software, I use it on many servers and it's very stable.
 
> Does anyone have any suggestions on firewalls? I've looked at the
> BEFSX41 which looks like it would work for me but I'm not sure about
> liability. I've also seen good reviews on the DrayTek Vigor 2900 but
> the review was several months old and it said to wait for new updates.

The units in your price range are almost always just NAT boxes and don't
offer real firewall features. The DI-804HV unit is the same as the NAT
boxes, but allows you to set up a PPTP inbound connection directly to the
D-Link, and the PPTP pass-through config (for inbound, I'm not talking
about outbound sessions) also works (the Linksys units don't seem to
pass GRE back to the remote user since CISCO started branding the
firmware). I have the BEFSX41, it's a nice unit, but it's just a
glorified NAT Router. Get the D-Link DI804HV if you are going to go
cheap.

> Finally I've seen really good reviews on the Sonicwall TZ 170, but
> I'm having a heck of a time trying to tell if I'm buying hardware or a
> software license.
>
> Can someone point me in the right direction on this?

Both Sonic and WatchGuard make SOHO Firewall units in your price range,
but they are often licenses per IP (on the LAN side) that is connected
to them. As an example, a WatchGuard SOHO 6 or SOHO 6tc can protect your
systems for under $500, but they are small units and limited (without
additional license cost) to 10 IP on the LAN segment. They do offer
Mobile User VPN connections for an additional license fee, but the 6TC
will allow you to build dedicated IPSec tunnels between locations -
meaning you could set up the SOHO6tc for the server farm, and then buy a
Linksys BEFVP41 unit and create a dedicated IPSec tunnel between your
home and the server network.

The only reliable, cheap, VPN device I've found, that also acts as an
END-POINT, is the DI-804HV unit from D-Link.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
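As an added example (not from this thread or any vendor), here is a small Python audit of a router's port-forward table against the advice above: it flags SQL Server ports 1433/1434 reachable from the internet, internet-facing FTP, and a PPTP forward without GRE pass-through. The `Forward` record layout, the "vpn" source label and the two sample tables are constructed assumptions, not the DI-804HV's real configuration format.

```python
from dataclasses import dataclass

# MS SQL Server (TCP 1433) and SQL Browser (UDP 1434): never reachable from the WAN side.
SQL_SERVER_PORTS = {("tcp", 1433), ("udp", 1434)}

@dataclass(frozen=True)
class Forward:
    """One inbound rule on a small NAT/VPN router (hypothetical record layout)."""
    proto: str            # "tcp", "udp" or "gre" (GRE is IP protocol 47, no port)
    port: int             # 0 for protocol-only rules such as GRE
    target: str           # LAN host, or "firewall" when the router terminates it
    source: str = "any"   # "any" = whole internet; "vpn" = established VPN clients only

def audit(forwards):
    """Return a list of findings for the exposures the post warns about."""
    findings = []
    exposed = {(f.proto.lower(), f.port) for f in forwards if f.source == "any"}
    for f in forwards:
        key = (f.proto.lower(), f.port)
        if key in SQL_SERVER_PORTS and f.source == "any":
            findings.append(f"CRITICAL: {f.proto}/{f.port} -> {f.target} exposes SQL Server "
                            "to the internet; restrict it to VPN clients instead")
        elif key == ("tcp", 21) and f.source == "any":
            findings.append(f"WARN: FTP (tcp/21) -> {f.target} is internet-facing; "
                            "disable anonymous login and use named accounts only")
    # PPTP needs TCP 1723 for control AND GRE for the tunnel data; a router that
    # passes 1723 but drops GRE is exactly the broken pass-through described above.
    if ("tcp", 1723) in exposed and ("gre", 0) not in exposed:
        findings.append("WARN: tcp/1723 allowed without GRE; the PPTP control channel "
                        "will connect but the tunnel will never come up")
    return findings

# Constructed sample: the poster's initial plan (web, FTP and SQL all port-forwarded).
INITIAL_FORWARDS = [
    Forward("tcp", 80, "10.0.0.2"),
    Forward("tcp", 1433, "10.0.0.2"),
    Forward("udp", 1434, "10.0.0.2"),
    Forward("tcp", 21, "10.0.0.2"),
    Forward("tcp", 1723, "firewall"),
]

# Constructed sample after applying the advice: SQL only via VPN, GRE passed for PPTP.
HARDENED_FORWARDS = [
    Forward("tcp", 80, "10.0.0.2"),
    Forward("tcp", 21, "10.0.0.2"),
    Forward("tcp", 1723, "firewall"),
    Forward("gre", 0, "firewall"),
    Forward("tcp", 1433, "10.0.0.2", source="vpn"),
    Forward("udp", 1434, "10.0.0.2", source="vpn"),
]
```

Running `audit(INITIAL_FORWARDS)` yields two CRITICAL and two WARN findings; the hardened table leaves only the FTP warning, which is the remaining risk the post tells you to manage by disabling anonymous login.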

