Re: Firewall on a single NIC SBS2003 Standard edition
From: DonDinCT (DonDinCT_at_discussions.microsoft.com)
Date: 10/31/04
- Next message: WK: "Re: HP JETADMIN"
- Previous message: robomonkey: "Configuring internet for direct broadband use?"
- Next in thread: Frank McCallister SBS MVP: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Reply: Frank McCallister SBS MVP: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Reply: Les Connor: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Reply: Lanwench [MVP - Exchange]: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 31 Oct 2004 07:32:01 -0800
LW
On the subject of:
" Well, if you're wanting to run the firewall on a single NIC, you aren't
understanding how it works. :) You must use two interfaces to perform this,
SBS/Windows or no - one configured for the internal network, one for the
external. Regardless, by wishing this would work, you're asking your server
to do the same thing it would do in a two NIC/ISA setup, essentially, so
you've contradicted yourself. Don't ask the server to do *everything*, or if
you are, do it the way it's meant to....two NICs, ISA or no."
I'm not sure why you think you can't run a firewall, on a server, with a
single NIC. I'm running Sygate firewall on my single NIC SBS, and almost
100% of all Windows XP machines run a firewall on a single NIC. Granted, I
have to open ports to allow the traffic that I want, but Sygate closes off
all the other ports. This mode is not the same as a two NIC SBS, since
internet traffic from the workstations doesn't have to go through the SBS. If
my server were to get compromised, and some trojan or worm gets planted,
Sygate would restrict the app from getting out of the SBS machine. I would
rather have SBS allow me to run its native firewall in this mode, rather
than having to use a third party software firewall. On a side note, I'm not
sure if the Microsoft firewalls actually restrict outbound internet access
from non-allowed apps, which Sygate does. At the perimeter, the hardware
router would dish out DHCP and give out the local SBS IP for DNS. The
workstations resolve DNS through the SBS, but traffic goes only through the
router. If the SBS gets compromised/hacked/etc., it can be taken offline, the
perimeter router can be quickly reprogrammed with the DNS of the ISP,
workstations can do an ipconfig /renew, and be back on the Internet quickly.
It just happens that most of my clients rely more on internet access for
business continuity than server services.
With that said, ISA server does seem to offer a lot of goodness in the SBS
premium edition. The bang for the buck for the SBS premium edition (another
~$500 over the standard package) is a bargain if you want ISA functionality.
Adding a 5 user ISA machine at the perimeter would be about $2500 in software
alone (Server 2003 + ISA Server). That extra $500 for the premium edition,
over the standard edition, is a bargain (compared to a stand-alone ISA box).
Uh oh... I'm slowly turning to the 'Dark Side', and beginning to think that
an all-in-one solution (SBS premium) has some real functional benefits that
outweigh my reservations about a 'one box doing everything' solution.
Happy Halloween
D
"Lanwench [MVP - Exchange]" wrote:
> DonDinCT wrote:
> > hello again LW
> >
> > I'm on the same page with you, that a domain controller/exchange
> > server shouldn't also be the gateway/firewall. It seems that many
> > people on here are enamored with the idea that SBS can do everything,
> > and want it to do everything.
>
> It can do a heck of a lot of things.
> >
> > After all the good input on this thread, I stand firm on saying that
> > Microsoft should allow SBS to run its firewall on a single NIC
> > server, just to protect itself. Being an MCSE, I'm also a bit
> > Microsoft brainwashed, but dam**it Microsoft, give me my single NIC
> > firewall !!! <G>
>
> Well, if you're wanting to run the firewall on a single NIC, you aren't
> understanding how it works. :) You must use two interfaces to perform this,
> SBS/Windows or no - one configured for the internal network, one for the
> external. Regardless, by wishing this would work, you're asking your server
> to do the same thing it would do in a two NIC/ISA setup, essentially, so
> you've contradicted yourself. Don't ask the server to do *everything*, or if
> you are, do it the way it's meant to....two NICs, ISA or no.
>
> So if it were me, I'd ditch this dream, get a decent hardware firewall
> appliance in there at the perimeter (between Internet modem/router and LAN),
> and use it. All servers/clients can point at its LAN IP for the gateway and
> don't go through the server at all for Internet access, which is what *my*
> point is in liking this setup.
>
> >
> > To those reading this thread, that prefer a two NIC SBS setup.... Go
> > for it ! Every feature of SBS that gets wrung out by users, makes
> > the product better, and if I ever try a two NIC SBS install, you will
> > have ironed out the bugs for me :) (thanks in advance for that).
> >
> > Have a good halloween !!
> > D
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> DonDinCT wrote:
> >>> Hi LW
> >>> I agree with you on having a separate router/firewall/gateway/ISA on
> >>> the perimeter, rather than having SBS be the 'do everything' box.
> >>> One huge reason I like the Linksys type router on the perimeter is
> >>> because it is so easy to check the status of the internet
> >>> connection. I have a lot of people using DSL and PPPoE. Usually
> >>> things are rock solid, but SBC does have network hiccups... at
> >>> least once a month, SBC will drop the PPPoE connection, and
> >>> sometimes the ISP will be down for about 10 minutes. It requires
> >>> that I either reboot the router or tell the router to 'connect'
> >>> when this occurs. The cable ISPs in my area use dynamic IP
> >>> without PPPoE, so hiccups on their systems seem more transparent.
> >>> A 1.5M DSL connection in my area is about $27 vs. about $42 for a
> >>> comparable cable ISP connection. That's close to a few hundred
> >>> dollars a year saving, which most of my clients want in their
> >>> pocket, not the ISP's, so most of them go with DSL.
> >>
> >> If they don't mind that they will have more hiccups, then fine -
> >> I've had better luck with cable, but I understand small business
> >> budgets all too well.
> >>>
> >>> I really like a router at the perimeter, so that clients can open a
> >>> browser and easily check the status of the connection, and reconnect
> >>> if there has been a hiccup. If I let SBS do my firewall/gateway
> >>> connection, I'd have to drill into the server to get status.
> >>> Checking/reconnecting the connection on SBS has to be a fairly
> >>> involved process, but I haven't actually tried it. Please comment if
> >>> you have.
> >>
> >> I don't use ISA on SBS, so I can't comment...sorry. I just don't
> >> think a domain controller/Exchange server should also be a
> >> router/firewall. Just my preference. I don't use ICS on small home
> >> networks, either - hardware appliances are so inexpensive I don't
> >> see the point.
> >>>
> >>> I really do like hearing all the other peoples opinions on this
> >>> subject.
> >>> The more I hear on the subject, the more I like the 'hardware
> >>> router/firewall' on the perimeter, and SBS with a single NIC.
> >>>
> >>> I haven't looked at sonicwall, but I will.
> >>
> >> They are very good in my experience - I usually get the VPN capable
> >> ones for clients who want VPN (proprietary IPSec VPN client) -
> >> they're worth the money in my view. I had to work with a Watchguard
> >> the other week (configured by someone else) and I wanted to pull my
> >> hair out after ten minutes. Your mileage may vary.
> >>
> >>> One of the people in this
> >>> thread suggested 'Smoothwall' which is a Linux firewall. I've spent
> >>> a few hours on that site, and I've read the manual quickly. It
> >>> really looks like a Kick Azz product, and it's Free!!
> >>
> >> Note - it can be fabulous stuff, but Linux is not truly FREE.
> >> Nothing is free. Nothing is secure right out of the box. There may
> >> be hidden costs, even if they aren't monetary in nature.... I have
> >> no gripes with *nix at all - if you can learn it and use it, it's
> >> great - and great experience for you. Don't deploy this/rely on it
> >> until you're sure it's set up 100% right!
> >>
> >>> What really
> >>> got me excited about the product was that it has the Snort intrusion
> >>> detection engine built in. Everything I've read about Snort shows
> >>> it as an industrial strength ID system.
> >>
> >> Yep...I've heard good things about it too.
> >>>
> >>> Thanks for the great information
> >>> D
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> "Lanwench [MVP - Exchange]" wrote:
> >>>
> >>>> DonDinCT wrote:
> >>>>> Frank
> >>>>>
> >>>>> - ZoneAlarm is designed for PC's on networks.
> >>>>> - I use ZA on PC's/workstations, not on SBS
> >>>>
> >>>> You still need to protect your network at the perimeter. Don't rely
> >>>> only on software firewalls on your clients.
> >>>>
> >>>>> - ZA is better than the SP2 firewall for XP (IMHO), but I'm using
> >>>>> SP2's firewall on several PC's, just to compare.
> >>>>> - Microsoft is pushing the two NIC solution, but it's not the only
> >>>>> way to do it. I'm more comfortable having a hardware
> >>>>> router/firewall on the perimeter, and not having SBS between the
> >>>>> router and the workstations.
> >>>>
> >>>> I'm with you on this one. ISA is fine, but if I want it, I want it
> >>>> on a dedicated box, not on my DC/Exchange/whatnot server.
> >>>> I use a single NIC, and generally use Sonicwalls - really like
> >>>> them. Have you checked out the TZ series? Heck, even your Linksys
> >>>> isn't a bad solution.
> >>>>>
> >>>>> D
> >>>>>
> >>>>> "Frank McCallister SBS MVP" wrote:
> >>>>>
> >>>>>> The Zone Alarm solution is not designed for networks and you are
> >>>>>> building in trouble with SBS using it, especially with XP SP2.
> >>>>>> You are not seeing the SBS concept of protecting your WS with the
> >>>>>> server and two NICs
> >>>>>>
> >>>>>> --
> >>>>>> Frank McCallister SBS MVP
> >>>>>> COMPUMAC
> >>>>>> "DonDinCT" <DonDinCT@discussions.microsoft.com> wrote in message
> >>>>>> news:DF00E6D5-1AFF-4965-BED4-39021A73B866@microsoft.com...
> >>>>>>> Thanks for the great input !!!!
> >>>>>>>
> >>>>>>> Lanwench: Great call on the DHCP/DNS issue !!
> >>>>>>>
> >>>>>>> Heiko: Tell me more about the Linux firewall, it's a technical
> >>>>>>> experiment I've wanted to try for a while. I have an older PC
> >>>>>>> that I could dedicate to that.
> >>>>>>>
> >>>>>>> Frank: I've had good luck with several Linksys BEFX41
> >>>>>>> broadband/firewall/VPN endpoint routers. I also use ZoneAlarm
> >>>>>>> software firewalls on all PC's/Workstations. I've spent many
> >>>>>>> hours looking at the sub $500 broadband routers and firewalls,
> >>>>>>> but haven't seen anything that appears to be significantly better
> >>>>>>> than the BEFX41/ZoneAlarm combination. The clients I've set up
> >>>>>>> are very cost sensitive. I looked at the Cisco 831 for about
> >>>>>>> $450, but I didn't see how it was worth five times the cost of
> >>>>>>> the BEFSX41. I looked at the Cisco Pix 501, and if it could make
> >>>>>>> a broadband connection to an ISP, it would be a great all in one
> >>>>>>> unit, but alas, it can't, and it's just a firewall appliance. I'm
> >>>>>>> open to suggestions on other hardware routers/firewalls.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>> D
> >>>>>>>
> >>>>>>> "DonDinCT" wrote:
> >>>>>>>
> >>>>>>>> Thanks Frank
> >>>>>>>>
> >>>>>>>> I don't want the workstations to have to go through the server
> >>>>>>>> to get to the internet. I let the router DHCP dish out its info
> >>>>>>>> to the workstations and the server. I prefer this method since
> >>>>>>>> the internet connection for the workstations is not governed by
> >>>>>>>> the server, and if the server goes down, or needs maintenance, I
> >>>>>>>> can tell users that the internet is still up, but the server is
> >>>>>>>> temporarily down for maintenance. It just seems sad that I can't
> >>>>>>>> use the firewall in a single NIC solution, but it appears that's
> >>>>>>>> how it is. I'm using Sygate Firewall on my server at this point.
> >>>>>>>>
> >>>>>>>> "Frank McCallister SBS MVP" wrote:
> >>>>>>>>
> >>>>>>>>> In order to use the SBS Firewall the Workstations must access
> >>>>>>>>> the outside world thru the SBS. See setup in
> >>>>>>>>> http://www.smallbizserver.net/Default.aspx?tabid=52 (Ignore
> >>>>>>>>> the ISA parts for Standard)
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Frank McCallister SBS MVP
> >>>>>>>>> COMPUMAC
> >>>>>>>>> "DonDinCT" <DonDinCT@discussions.microsoft.com> wrote in
> >>>>>>>>> message
> >>>>>>>>> news:893C9090-6D44-4238-915E-4DA094184703@microsoft.com...
> >>>>>>>>>> After reading many posts and tech notes, I've come to the
> >>>>>>>>>> conclusion that an SBS2003 server (standard edition), with one
> >>>>>>>>>> NIC, will not install/run its firewall. Tell me if I'm wrong on
> >>>>>>>>>> this! I've got a basic broadband connection with a Linksys
> >>>>>>>>>> router doing NAT and DHCP. The server sits on the LAN side with
> >>>>>>>>>> a static local IP. I wanted to use the internal firewall to
> >>>>>>>>>> protect the server on the local LAN. Everything I read says
> >>>>>>>>>> that the firewall will not run without two NICs....
> >>>>>>>>>>
> >>>>>>>>>> Two questions:
> >>>>>>>>>>
> >>>>>>>>>> 1. Can I install a second NIC as a placeholder (and not
> >>>>>>>>>> connect to it), to get the firewall feature for the LAN side
> >>>>>>>>>> NIC ?
> >>>>>>>>>> 2. Has anyone gotten the firewall running with a single NIC
> >>>>>>>>>> server ?
> >>>>>>>>>>
> >>>>>>>>>> PS... I've installed Sygate Personal Firewall as an interim
> >>>>>>>>>> solution.
> >>>>>>>>>>
> >>>>>>>>>> Thanks
> >>>>>>>>>> D