Re: Yet another which firewall? question

From: Volker Birk (bumens_at_dingens.org)
Date: 09/15/05


Date: 15 Sep 2005 19:23:48 +0200

Paul Welsh <pwelsh@uk2.net> wrote:
> We currently use 2 x ISA 2000 servers and the RainWall clustering
> software to connect our office to the Internet via a 2 Mb leased line.

Sincere condolences. ;-)

> On the LAN are 2 x web servers running IIS and MDaemon. The web
> servers connect to database servers running MS SQLServer. These
> database servers in turn connect to another database server to run
> certain stored procedures, so it's like this:
> Internet - ISA Servers - IIS Servers - SQL Servers - SQL Server
> The web servers run in-house developed e-commerce software that's used
> by internal and external users. There are about 150 users of the web
> site, divided equally between internal and external users.
> Users who access the IIS Servers via the Internet do so via http and
> https only. The only other potential port that needs opening up is
> smtp.
> I'm considering separating out this e-commerce traffic from web surfing
> etc by buying an ADSL connection and directing such non-business
> critical traffic through it, leaving the leased line for the web
> servers.

No problem so far (with the small exception that you're using security
software from Microsoft, of all the possible vendors).

> With two Internet connections comes the need for, potentially, two
> firewall solutions. The ISA servers provide VPN access to remote users
> and we also have SurfControl running on them. It seems that they might
> be best left to serve the ADSL line while the leased line has a
> hardware firewall attached to protect the web servers. No need for
> added extras like VPN access on the leased line firewall.

You should think about a network zone concept first. Perhaps it's a
good idea to start with the classical three zone concept.

> We don't currently have a DMZ.

Change that.

> That's because currently the web
> servers access and copy documents from a file server to a temporary session
> area on the web server using a UNC connection before displaying their
> contents to the web users.

This is very ugly.

> 1. Does the idea of separating essential from non-essential Internet
> traffic make sense?

Yes.

> 2. Do you think I should use the two clustered ISA servers for the ADSL
> connection and use a hardware firewall for the leased line traffic?

No. I think you should first start to design a zone concept before
thinking about anything else.

> 3. My understanding of a DMZ is that it should contain servers that are
> accessed by the LAN and Internet. The IIS servers should clearly be in
> the DMZ. How about the SQLServer servers?

That depends.

> 4. What firewall would be suitable? It strikes me that the price of
> firewalls with DMZ rises dramatically. I also end up paying for VPN
> capabilities which I don't need.

Try to think about Free Software. It's not only free as in free speech,
but also good in price.

Yours,
VB.

-- 
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
                                    Harald Schmidt on the "World Youth Day"
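To make the "classical three zone concept" VB recommends concrete, here is an added illustration that is not code from either poster, nor anything ISA Server or RainWall ship. It models the Internet / DMZ / LAN split as a first-match rule list with a default deny, then audits the flows Paul's current flat design relies on against it. The addresses, zone names, port list and rule set are constructed assumptions chosen to match the topology in the thread (Internet - IIS - SQL - SQL, plus the file server reached over UNC):

```python
"""Toy three-zone firewall policy model (Internet / DMZ / LAN).

Added example, not from the original thread.  Addressing, zone names and
rules are constructed assumptions modelled on the topology Paul describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
ZONES = {
    "DMZ": ip_network("192.0.2.0/24"),   # IIS web servers (and MDaemon) live here
    "LAN": ip_network("10.0.0.0/8"),     # SQL servers, file server, office users
}


def zone_of(ip: str) -> str:
    """Classify an address: DMZ or LAN if it falls in those ranges, else INTERNET."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset      # empty set means "any destination port"
    action: str           # "ALLOW" or "DENY"
    note: str = ""


# Classical three-zone policy: first matching rule wins, anything unmatched is denied.
POLICY = [
    Rule("INTERNET", "DMZ", frozenset({80, 443, 25}), "ALLOW", "http/https/smtp to the web servers"),
    Rule("DMZ", "LAN", frozenset({1433}), "ALLOW", "web servers -> SQL Server only"),
    Rule("LAN", "DMZ", frozenset(), "ALLOW", "internal users use the e-commerce site"),
    Rule("LAN", "INTERNET", frozenset(), "ALLOW", "office surfing (the ADSL path)"),
    Rule("DMZ", "INTERNET", frozenset(), "DENY", "a compromised web box must not reach out"),
    Rule("INTERNET", "LAN", frozenset(), "DENY", "nothing from outside reaches the LAN"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int):
    """Return (action, reason) for one flow, using first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "ALLOW", "intra-zone traffic never crosses the firewall"
    for rule in POLICY:
        if rule.src_zone == src and rule.dst_zone == dst and (not rule.ports or dst_port in rule.ports):
            return rule.action, rule.note
    return "DENY", "default deny"


# Flows the current flat design depends on (constructed from the thread's description).
CURRENT_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 443, "external user -> IIS"),
    ("10.2.3.4", "192.0.2.10", 443, "internal user -> IIS"),
    ("192.0.2.10", "10.1.1.5", 1433, "IIS -> SQL Server"),
    ("10.1.1.5", "10.1.1.6", 1433, "SQL Server -> back-end SQL Server"),
    ("192.0.2.10", "10.1.1.9", 445, "IIS -> file server over UNC (SMB)"),
]


def audit(flows):
    """List the (label, reason) pairs for flows the zone policy would block."""
    blocked = []
    for src, dst, port, label in flows:
        action, reason = evaluate(src, dst, port)
        if action == "DENY":
            blocked.append((label, reason))
    return blocked


if __name__ == "__main__":
    for src, dst, port, label in CURRENT_FLOWS:
        print(f"{label:40s} {evaluate(src, dst, port)}")
    print("blocked by the zone concept:", audit(CURRENT_FLOWS))
```

Running the audit shows exactly why VB calls the UNC copy "very ugly": every flow the e-commerce path needs survives the move to a DMZ except the web servers' SMB reach into the LAN file server, which falls through to the default deny. That is the one part of the design that has to change before the DMZ can be introduced, and it is the reason to settle the zone concept before choosing firewall hardware.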
