Re: Firewall on a single NIC SBS2003 Standard edition
From: Frank McCallister SBS MVP (anonymous)
Date: 10/31/04
- Next message: Les Connor: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Previous message: Lanwench [MVP - Exchange]: "Re: Changing IP addresses SBS 2000 Network"
- In reply to: DonDinCT: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Next in thread: Les Connor: "Re: Firewall on a single NIC SBS2003 Standard edition"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 31 Oct 2004 09:42:45 -0600
> On a side note, I'm not
> sure if the Microsoft firewalls actually restrict outbound internet access
> from non-allowed apps, which Sygate does.

Yes, ISA restricts access, either/or inbound or outbound, in a two NIC configuration.
--
Frank McCallister SBS MVP
COMPUMAC
"DonDinCT" <DonDinCT@discussions.microsoft.com> wrote in message
news:C401C653-212F-4483-904C-0C108ABD80F0@microsoft.com...
> LW
>
> On the subject of:
>
> " Well, if you're wanting to run the firewall on a single NIC, you aren't
> understanding how it works. :) You must use two interfaces to perform this,
> SBS/Windows or no - one configured for the internal network, one for the
> external. Regardless, by wishing this would work, you're asking your server
> to do the same thing it would do in a two NIC/ISA setup, essentially, so
> you've contradicted yourself. Don't ask the server to do *everything*, or if
> you are, do it the way it's meant to....two NICs, ISA or no."
>
> I'm not sure why you think you can't run a firewall, on a server, with a
> single NIC. I'm running Sygate firewall on my single NIC SBS, and almost
> 100% of all windows XP machines run a firewall on a single NIC. Granted, I
> have to open ports to allow the traffic that I want, but Sygate closes off
> all the other ports. This mode is not the same as a two nic SBS, since
> internet traffic from the workstations doesn't have to go through the SBS. If
> my server was to get compromised, and some trojan or worm gets planted,
> Sygate would restrict the app from getting out of the SBS machine. I would
> rather have SBS allow me to run its native firewall in this mode, rather
> than having to use a third party software firewall. On a side note, I'm not
> sure if the Microsoft firewalls actually restrict outbound internet access
> from non-allowed apps, which Sygate does. At the perimeter, the hardware
> router would dish out DHCP and give out the local SBS IP for DNS. The
> workstations resolve DNS through the SBS, but traffic goes only through the
> router. If the SBS gets compromised/hacked/etc., it can be taken offline, the
> perimeter router can be quickly reprogrammed with the DNS of the ISP,
> workstations can do an ipconfig /renew, and be back on the Internet quickly.
> It just happens that most of my clients rely more on internet access for
> business continuity, than server services.
>
> With that said, ISA server does seem to offer a lot of goodness in the SBS
> premium edition. The bang for the buck for the SBS premium edition (another
> ~$500 over the standard package) is a bargain if you want ISA functionality.
> Adding a 5 user ISA machine at the perimeter would be about $2500 in software
> alone (Server 2003 + ISA Server). That extra $500 for the premium edition,
> over the standard edition, is a bargain (compared to a stand alone ISA box).
> Ut oh... I'm slowly turning to the 'Dark Side', and beginning to think that
> an all in one solution (SBS premium) has some real functional benefits, that
> outweigh my reservations of a 'one box doing everything' solution.
>
> Happy Halloween
> D
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> DonDinCT wrote:
>> > hello again LW
>> >
>> > I'm on the same page with you, that a domain controller/exchange
>> > server shouldn't also be the gateway/firewall. It seems that many
>> > people on here are enamored with the idea that SBS can do everything,
>> > and want it to do everything.
>>
>> It can do a heck of a lot of things.
>> >
>> > After all the good input on this thread, I stand firm on saying that
>> > Microsoft should allow SBS to run its firewall on a single NIC
>> > server, just to protect itself. Being an MCSE, I'm also a bit
>> > Microsoft brainwashed, but dam**it Microsoft, give me my single NIC
>> > firewall !!! <G>
>>
>> Well, if you're wanting to run the firewall on a single NIC, you aren't
>> understanding how it works. :) You must use two interfaces to perform this,
>> SBS/Windows or no - one configured for the internal network, one for the
>> external. Regardless, by wishing this would work, you're asking your server
>> to do the same thing it would do in a two NIC/ISA setup, essentially, so
>> you've contradicted yourself. Don't ask the server to do *everything*, or if
>> you are, do it the way it's meant to....two NICs, ISA or no.
>>
>> So if it were me, I'd ditch this dream, get a decent hardware firewall
>> appliance in there at the perimeter (between Internet modem/router and LAN),
>> and use it. All servers/clients can point at its LAN IP for the gateway and
>> don't go through the server at all for Internet access, which is what *my*
>> point is in liking this setup.
>>
>> >
>> > To those reading this thread, that prefer a two NIC SBS setup.... Go
>> > for it ! Every feature of SBS that gets wrung out by users, makes
>> > the product better, and if I ever try a two NIC SBS install, you will
>> > have ironed out the bugs for me :) (thanks in advance for that).
>> >
>> > Have a good halloween !!
>> > D
>> >
>> > "Lanwench [MVP - Exchange]" wrote:
>> >
>> >> DonDinCT wrote:
>> >>> Hi LW
>> >>> I agree with you on having a separate router/firewall/gateway/ISA on
>> >>> the perimeter, rather than having SBS be the 'do everything' box.
>> >>> One huge reason I like the linksys type router on the perimeter, is
>> >>> because it is so easy to check the status of the internet
>> >>> connection. I have a lot of people using DSL and pppoe. Usually
>> >>> things are rock solid, but SBC does have network hiccups... at
>> >>> least once a month, SBC will drop the PPPOE connection, and
>> >>> sometimes the ISP will be down for about 10 minutes. It requires
>> >>> that I either reboot the router or tell the router to 'connect',
>> >>> when this occurs. The cable ISP providers in my area use dynamic IP
>> >>> without pppoe, so hiccups on their systems seem more transparent.
>> >>> A 1.5M DSL connection in my area is about $27 vs. about $42 for a
>> >>> comparable cable ISP connection. That's close to a few hundred
>> >>> dollars a year saving, which most of my clients want in their
>> >>> pocket, not the ISP's, so most of them go with DSL.
>> >>
>> >> If they don't mind that they will have more hiccups, then fine -
>> >> I've had better luck with cable, but I understand small business
>> >> budgets all too well.
>> >>>
>> >>> I really like a router at the perimeter, so that clients can open a
>> >>> browser and easily check the status of the connection, and reconnect
>> >>> if there has been a hiccup. If I let SBS do my firewall/gateway
>> >>> connection, I'd have to drill into the server to get status.
>> >>> Checking/reconnecting the connection on SBS has to be a fairly
>> >>> involved process, but I haven't actually tried it. Please comment if
>> >>> you have.
>> >>
>> >> I don't use ISA on SBS, so I can't comment...sorry. I just don't
>> >> think a domain controller/Exchange server should also be a
>> >> router/firewall. Just my preference. I don't use ICS on small home
>> >> networks, either - hardware appliances are so inexpensive I don't
>> >> see the point.
>> >>>
>> >>> I really do like hearing all the other peoples' opinions on this
>> >>> subject.
>> >>> The more I hear on the subject, the more I like the 'hardware
>> >>> router/firewall' on the perimeter, and SBS with a single NIC.
>> >>>
>> >>> I haven't looked at sonicwall, but I will.
>> >>
>> >> They are very good in my experience - I usually get the VPN capable
>> >> ones for clients who want VPN (proprietary IPSec VPN client) -
>> >> they're worth the money in my view. I had to work with a Watchguard
>> >> the other week (configured by someone else) and I wanted to pull my
>> >> hair out after ten minutes. Your mileage may vary.
>> >>
>> >>> One of the people in this
>> >>> thread suggested 'Smoothwall' which is a Linux firewall. I've spent
>> >>> a few hours on that site, and I've read the manual quickly. It
>> >>> really looks like a Kick Azz product, and it's Free!!
>> >>
>> >> Note - it can be fabulous stuff, but Linux is not truly FREE.
>> >> Nothing is free. Nothing is secure right out of the box. There may
>> >> be hidden costs, even if they aren't monetary in nature.... I have
>> >> no gripes with *nix at all - if you can learn it and use it, it's
>> >> great - and great experience for you. Don't deploy this/rely on it
>> >> until you're sure it's set up 100% right!
>> >>
>> >>> What really
>> >>> got me excited about the product was that it has the Snort intrusion
>> >>> detection engine built in. Everything I've read about Snort shows
>> >>> it as an industrial strength ID system.
>> >>
>> >> Yep...I've heard good things about it too.
>> >>>
>> >>> Thanks for the great information
>> >>> D
>> >>>
>> >>> "Lanwench [MVP - Exchange]" wrote:
>> >>>
>> >>>> DonDinCT wrote:
>> >>>>> Frank
>> >>>>>
>> >>>>> - ZoneAlarm is designed for PC's on networks.
>> >>>>> - I use ZA on PC's/workstations, not on SBS
>> >>>>
>> >>>> You still need to protect your network at the perimeter. Don't rely
>> >>>> only on software firewalls on your clients.
>> >>>>
>> >>>>> - ZA is better than the SP2 firewall for XP (IMHO), but I'm using
>> >>>>> SP2's firewall on several PC's, just to compare.
>> >>>>> - Microsoft is pushing the two NIC solution, but it's not the only
>> >>>>> way to do it. I'm more comfortable having a hardware
>> >>>>> router/firewall on the perimeter, and not having SBS between the
>> >>>>> router and the workstations.
>> >>>>
>> >>>> I'm with you on this one. ISA is fine, but if I want it, I want it
>> >>>> on a dedicated box, not on my DC/Exchange/whatnot server.
>> >>>> I use a single NIC, and generally use Sonicwalls - really like
>> >>>> them. Have you checked out the TZ series? Heck, even your Linksys
>> >>>> isn't a bad solution.
>> >>>>>
>> >>>>> D
>> >>>>>
>> >>>>> "Frank McCallister SBS MVP" wrote:
>> >>>>>
>> >>>>>> The Zone Alarm solution is not designed for networks and you are
>> >>>>>> building in trouble with SBS using it, especially with XP SP2.
>> >>>>>> You are not seeing the SBS concept of protecting your WS with the
>> >>>>>> server and two NICs
>> >>>>>>
>> >>>>>> --
>> >>>>>> Frank McCallister SBS MVP
>> >>>>>> COMPUMAC
>> >>>>>> "DonDinCT" <DonDinCT@discussions.microsoft.com> wrote in message
>> >>>>>> news:DF00E6D5-1AFF-4965-BED4-39021A73B866@microsoft.com...
>> >>>>>>> Thanks for the great input !!!!
>> >>>>>>>
>> >>>>>>> Lanwench: Great call on the DHCP/DNS issue !!
>> >>>>>>>
>> >>>>>>> Heiko: Tell me more about the Linux firewall, it's a technical
>> >>>>>>> experiment I've wanted to try for a while. I have an older PC
>> >>>>>>> that I could dedicate to that.
>> >>>>>>>
>> >>>>>>> Frank: I've had good luck with several Linksys BEFX41
>> >>>>>>> broadband/firewall/VPN endpoint routers. I also use ZoneAlarm
>> >>>>>>> software firewalls on all PC's/Workstations. I've spent many
>> >>>>>>> hours looking at the sub $500 broadband routers and firewalls,
>> >>>>>>> but haven't seen anything that appears to be significantly
>> >>>>>>> better than the BEFX41/ZoneAlarm combination. The clients
>> >>>>>>> I've set up are very cost sensitive. I looked at the Cisco 831
>> >>>>>>> for about $450, but I didn't see how it was worth five times
>> >>>>>>> the cost of the BEFSX41.
>> >>>>>>> I looked at the Cisco Pix 501, and if it could make a broadband
>> >>>>>>> connection to an ISP, it would be a great all in one unit, but
>> >>>>>>> alas, it can't, and it's just a firewall appliance. I'm open to
>> >>>>>>> suggestions on other hardware routers/firewalls.
>> >>>>>>>
>> >>>>>>> Thanks
>> >>>>>>> D
>> >>>>>>>
>> >>>>>>> "DonDinCT" wrote:
>> >>>>>>>
>> >>>>>>>> Thanks Frank
>> >>>>>>>>
>> >>>>>>>> I don't want the workstations to have to go through the server
>> >>>>>>>> to get to the internet. I let the router DHCP dish out its
>> >>>>>>>> info to the workstations and the server. I prefer this method
>> >>>>>>>> since the internet connection for the workstations is not
>> >>>>>>>> governed by the server, and if the server goes down, or needs
>> >>>>>>>> maintenance, I can tell users that the internet is still up,
>> >>>>>>>> but the server is temporarily down for maintenance. It just
>> >>>>>>>> seems sad, that I can't use the firewall in a single NIC
>> >>>>>>>> solution, but it appears that's how it is. I'm using Sygate
>> >>>>>>>> Firewall on my server at this point.
>> >>>>>>>>
>> >>>>>>>> "Frank McCallister SBS MVP" wrote:
>> >>>>>>>>
>> >>>>>>>>> In order to use the SBS Firewall the Workstations must access
>> >>>>>>>>> the outside world thru the SBS. See setup in
>> >>>>>>>>> http://www.smallbizserver.net/Default.aspx?tabid=52 (Ignore
>> >>>>>>>>> the ISA parts for Standard)
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> Frank McCallister SBS MVP
>> >>>>>>>>> COMPUMAC
>> >>>>>>>>> "DonDinCT" <DonDinCT@discussions.microsoft.com> wrote in
>> >>>>>>>>> message
>> >>>>>>>>> news:893C9090-6D44-4238-915E-4DA094184703@microsoft.com...
>> >>>>>>>>>> After reading many posts and tech notes, I've come to the
>> >>>>>>>>>> conclusion that an SBS2003 server (standard edition), with
>> >>>>>>>>>> one NIC, will not install/run its firewall. Tell me if I'm
>> >>>>>>>>>> wrong on this! I've got a basic broadband connection with a
>> >>>>>>>>>> linksys router doing NAT and DHCP. The server sits on the
>> >>>>>>>>>> LAN side with a static local IP. I wanted to use the
>> >>>>>>>>>> internal firewall to protect the server on the local LAN.
>> >>>>>>>>>> Everything I read says that the firewall will not run
>> >>>>>>>>>> without two NICs....
>> >>>>>>>>>>
>> >>>>>>>>>> Two questions:
>> >>>>>>>>>>
>> >>>>>>>>>> 1. Can I install a second NIC as a placeholder (and not
>> >>>>>>>>>> connect to it), to get the firewall feature for the LAN
>> >>>>>>>>>> side NIC ?
>> >>>>>>>>>> 2. Has anyone gotten the firewall running with a single NIC
>> >>>>>>>>>> server ?
>> >>>>>>>>>>
>> >>>>>>>>>> PS... I've installed Sygate Personal Firewall as an interim
>> >>>>>>>>>> solution.
>> >>>>>>>>>>
>> >>>>>>>>>> Thanks
>> >>>>>>>>>> D