Re: best network setup?

I think you need to explore all the options rather than just following
Microsoft's line which is to tend to recommend the two NIC solution - even
though that often isn't the best option. Check the facts and see what fits
with what you will be doing. The fundamental differences are reasonably easy
to see so you can make your own decision.


1. An appliance based firewall is a separate dedicated device designed to do
just one thing - protect your network - not provide any other functions.

2. A dedicated device is generally not susceptible to the issues that affect
a server - viruses, spy ware, crashes etc. and does not rely on disk
storage/backup. It runs an independent operating system that is inherently
more secure than Windows. If you need to reboot your firewall it takes 30
seconds - not 10 minutes - and you can configure it from any platform (e.g.
via any browser or Telnet).

3. You can be sure that any changes to your server will not affect the
network configuration as this is totally separate from the server. i.e. the
firewall element is static and separate - not integrated.

4. If the SBS server is down for whatever reason all clients can still get
to the Internet - eg. They can still browse, even receive their POP mail etc.

5. If you want to allow visitors access to the Internet but not the LAN you
do this by setting up a separate zone for them on the firewall - the LAN and
server are completely isolated from them.

6. When you upgrade or change your server/clients the firewall can remain
unchanged as its a separate element.

7. Anti-virus and other features can be part of the firewall - scanning
before the junk ever gets to the server and clients. Note these are normally
subscription cost options to a standard firewall box and will put the price
up (as they do on the server).

8. VPN connections can be handled in the firewall as it is a VPN endpoint
itself - rather than the server, so the VPN data encryption/decryption is not
left for the server to cope with.

9. Contrary to what some say there are many more issues that arise with a
two NIC solution as it is a more involved configuration. A single NIC is as
simple as it gets and the way most non SBS servers run.

10. SBS doesn't rely on two NICs to provide any services other than the
firewall/proxy function (obviously!) and access controls to the Internet (at
the Windows authentication level). This is a main difference between the two
options.

If you *do* need to have Internet access controls on a user by user basis
this is easiest with the built-in SBS facilities as a firewall equivalent
uses Internet standards based user controls (eg. LDAP or RADIUS) rather than
Windows based. This means the firewall has to talk to the SBS server via,
say, LDAP to retrieve user/group names to set permissions against. The SBS
server obviously knows about all the users already so you don't have this
step.

11. Sending all your client Internet traffic through your server - which is
running email and maybe a web server already - is extra load. Having each
client access the internet via a separate route removes this.

12. Cost is definitely higher upfront with a decent appliance firewall.
Overall you will probably save this in time used to administer and configure
your network. If initial cost is high up the list then the 2 NIC solution
does exactly that - save money initially, which is why people do it that way
and its a perfectly good solution.


If you asked me for a specific recommendation then it would depend on your
setup - number of clients, number of VPN connections you may need, having
virus scanning as an option etc etc. but the Netscreen 5GT is typical.


aus.


"Brian Murphy" wrote:

> Lets not forget that I am installing the Standard edition which does not
> come with ISA. This being said, is 1 nic with a router the best way to go,
> or should I still go with 2 nics and a router?
>
>
> "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
> news:eOw4AoaNFHA.3844@xxxxxxxxxxxxxxxxxxxxxxx
> > 'proper' firewall eh?
> >
> > Is this 'proper' firewall you're referring to certified to the same level
> > as ISA? You can check here
> > http://www.icsalabs.com/html/communities/firewalls/newsite/cert2.shtml
> > if your firewall ain't listed it ain't good enough.
> >
> > ISA can only act as a firewall in a minimum 2 NIC configuration. (as can
> > any true firewall)
> >
> > MOST large companies run a multilegged firewall. Internal (leg 1),
> > external (leg 2) and optional DMZ (leg 3).
> >
> > In SBS we break a basic creed of firewall implementation, hosting the
> > firewall on the Domain Controller. I know of no security incident which
> > can be traced to this being the basic fault. ISA on SBS has proven itself
> > a reliable and safe option.
> >
> > "Aus" <Aus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:EB710370-F1BA-493A-A2A8-C61DCDA85A75@xxxxxxxxxxxxxxxx
> >>I think you find may SBS people automatically say 2 nics but I think this
> >>is
> >> a messy approach - no large company would do things this way so the
> >> hardware
> >> firewall/router to a single NIC tends to be the preferred option for me.
> >> I
> >> have yet to see the actual advantages of 2 nics over a 'proper'
> >> firewall - it
> >> seems to complicate things and you dont want that with SBS. Maybe we need
> >> to
> >> be enlightened?! (perhaps a separate thread for that question..)
> >>
> >> Not sure if nic teaming is relevant - you could never saturate a 100Mb
> >> link
> >> continuously on most networks - let alone a 1Gb link - most networks dont
> >> run
> >> like that.
> >>
> >> "Brian Murphy" wrote:
> >>
> >>> Hi,
> >>>
> >>> I just purchased a server along with a copy of Microsoft SBS 2003 STD
> >>> edition. I would like to know what the best network setup is for SBS??
> >>> Should I go with 1 or 2 nic cards in the server? Should I use a router?
> >>>
> >>> Thanks in advance!
> >>>
> >>>
> >>>
> >
> >
>
>
>
.

Relevant Pages

  • Re: CEICW fails at firewall config
    ... Do you or do you not have ISA 2000 or ISA 2004 installed on the SBS server? ... Do you have 2 NICs in the SBS? ... CEICW fails on firewall configuration every time. ... >>> Call to Creating the protected networks access rule returned ok. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS VPN setup?
    ... And if you have a hardware firewall you haven't flashed in years they just got in through a exploit. ... SBS plugs into a switch with the other computers and the switch is plugged into a firewall appliance with 2-nics. ... To compare apples to apples, let us assume there is a network setup as I outlined above...and the firewall appliance is an ISA server, such as those available from Celestix. ... > learn and test the RWW solution before deploying it. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS VPN setup?
    ... The 2-nic configuration is used when the SBS server will *also* act as your network's firewall. ... You purchase 2k3 PREMIUM and that comes with ISA to handle the firewall duties. ... To compare apples to apples, let us assume there is a network setup as I outlined above...and the firewall appliance is an ISA server, such as those available from Celestix. ...
    (microsoft.public.windows.server.sbs)
  • Re: Internet on nodes
    ... disabled state (someone please confirm this for SBS Standard, ... firewall service should result in 'ISA lockdown'. ... print' from both the server and a WS. ... Was not able to connect to the internet on the WS. ...
    (microsoft.public.windows.server.sbs)
  • Re: ceicw failure on e-mail config
    ... Merv Porter [SBS MVP] ... Ethernet adapter Server Local Area Connection: ... Call to Reading the firewall selection returned ok. ... Firewall Rule: SBS DHCP Client ...
    (microsoft.public.windows.server.sbs)