Re: Sbs2k3 two nics
From: Chad A. Gross [SBS MVP] (chad.gross_at_laytonflower.nospam.com)
Date: 04/28/04
- Next message: Jimmy: "RE: can not access internet, need help"
- Previous message: Chris Ard [MSFT]: "RE: Accidently reset the SIDs and now Windows 2003 SBS will not load"
- In reply to: Matt Gibson: "Re: Sbs2k3 two nics"
- Next in thread: Matt Gibson: "Re: Sbs2k3 two nics"
- Reply: Matt Gibson: "Re: Sbs2k3 two nics"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 28 Apr 2004 00:21:57 -0500
Since Susan hasn't chimed in yet, I'll make her point for her . . .
You said yourself that the hardware firewall is software running on
hardware - do you patch the software on your firewall? How easy is it for
you to know whether there are patches available for your firewall, how easy
is it to determine if you need the patches that are available and how easy
is it to apply those patches? Thanks to HFNetChk Pro, a few clicks tells me
what patches ISA needs (as well as Windows, Exchange, SQL, IE, IIS, etc. for
my entire LAN) and deploys & installs the patches for me. I'd argue that a
fully patched ISA server is more secure than an unpatched Cisco firewall . . .
Ok, I'll step down from Susan's soapbox now . . . ;^)
Personally, I always run SBS w/ two nics, ISA & a hardware router/firewall.
Now, I'll be the first person to admit that by hardware router/firewall, I'm
talking about your average Linksys / D-link models. I don't expect those
$49 boxes to protect my lan from all the nasties out there - but I do expect
them to filter out all of the nasties knocking at the door so that my ISA
logs are free of any noise and show me what is coming & going from my LAN,
instead of having to sort through every freaking ping request . . . In
addition, the external router gives me the option to provide internet access
(including wireless) for customers, vendors, etc. - and have them external
to my lan. This is also nice if you want to host a basic website - grab an
old desktop, load up Windows Server and connect it to the router. You get
to host your website, but it is on a separate box external to your lan.
Also, the external router gives you room to play by keeping your server
settings static - so if you do something like switch ISPs, the most you have
to do is change the static IP in the router - you don't have to touch your
server at all . . . Finally, I have an extra layer of protection from
myself. By having the router only forward the specific ports I want to the
server, I have a bit of a safety net in case of a misconfiguration in ISA
that leaves an inbound port open. In short, there are definite benefits to
having another device between ISA & your internet connection.
--
Chad A. Gross - SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
www.gosbs.org

Matt Gibson wrote:
> I must disagree again.
>
> There is no real difference between ISA and a "hardware" firewall
> (which in fact is just software running on hardware, same as ISA). I
> personally feel that ISA is more vulnerable, since it's running on an
> OS which IS known to have holes. Have you ever heard of a Win2k or
> Win2k3 system not being patched, and being exploited? I have.
>
> Who's to say there won't be an exploit against ISA next week? Are you
> trying to say that anyone who isn't running ISA is running a risk?
>
> I personally use a PIX firewall in front of my ISA server. Admittedly
> this is for a back to back DMZ, but the increased security still
> stands. I admit this requires more in the way of configuration, but
> heck, it helps me sleep better at night.
>
> -Matt
>
>
> "root" <postmaster@buchanangc.com> wrote in message
> news:uWU78gKLEHA.3324@TK2MSFTNGP10.phx.gbl...
>>
>> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
>> news:OYjWexJLEHA.2588@TK2MSFTNGP10.phx.gbl...
>>> Two Firewalls also is two levels of security...
>>>
>>> I totally disagree that an additional HW firewall is pointless.
>>
>> There hasn't been a case of a properly configured two NIC ISA being
>> penetrated. Ever hear of a HW firewall HW failure; I have. Also
>> the HW FW must be configured and maintained. Belt and suspenders
>> costs dollars and reliability(aka uptime) and they make you look
>> geekie<G>.
>>
>>> "root" <postmaster@buchanangc.com> wrote in message
>>> news:uhyGTRJLEHA.3016@tk2msftngp13.phx.gbl...
>>>>
>>>> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote
>>>> in message news:uibj31HLEHA.3056@TK2MSFTNGP12.phx.gbl...
>>>>> Isa will work best with 2 nics. That way you really leave the
>>>>> internal network sort of invisible from the outside world.
>>>>> ISA (proxy) will enable you to exactly determine which
>>>>> applications may enter the internet, which users may surf on the
>>>>> internet, and have reports about that. It is not necessary to
>>>>> have a hardware firewall if you're using ISA with 2 nics.
>>>>
>>>> Right, two NICs and ISA is the way to go. An additional HW
>>>> firewall just adds an additional potential failure point and it
>>>> adds a support point.
>>>>
>>>>> "Sonjay" <anonymous@discussions.microsoft.com> wrote in message
>>>>> news:4f8b01c42c6e$b1138e10$a001280a@phx.gbl...
>>>>>> Hi,
>>>>>>
>>>>>> I was wondering why should I use two nic cards instead
>>>>>> of one for SBS 2k3? Are there any advantages outside of
>>>>>> using ISA on the server with two nic cards. Also can
>>>>>> someone explain to me what a proxy server is compared to
>>>>>> using a hardware firewall?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Sonjay