Re: Network Topology



Matt, to implement the DMZ, would I need a switch after the 506E, which leads
to the SBS server that is going to act as an internal firewall, with all other
ports on that switch used for machines I would have a need to place in a DMZ?
Is that correct? Then I use ISA to limit traffic into the internal network.
It's my understanding that I can use ISA to limit internet access all the way
down to the client level. For example, our customer service employees should
only have access to our corporate websites, but nothing else on the public
web. Is all of that possible under this configuration?

"David G." wrote:

> Matt,
>
> I appreciate your help. The secureftp server will have files uploaded to it
> that need to be able to be moved to a server on the internal network. I'm a
> little fuzzy here. I know that because of the DMZ I will be blocking all
> traffic from within the DMZ to our internal network, or at least that is my
> understanding; however, could a computer from within my internal network
> access the secureftp server sitting on the DMZ and pull the files from it?
> Would that be a secure/smart implementation?
>
> David
>
> "Matt Gibson" wrote:
>
> > Answers inline...
> >
> > > I need to be able to provide secureFTP access via SFTP2 for business to
> > > business data transfers that need to take place with our partners. I have a
> > > server that provides this service, and I can open the port on the firewall to
> > > that server. However, I don't know if I should be moving the hosting server
> > > for this server outside of the firewall to prevent that access into our
> > > internal network. SBS does not act as a firewall currently.
> >
> > Moving it outside your firewall depends on what access it needs to the
> > inside of your network. If it's solely a filesharing server that never
> > needs to talk to your internal network, then it's fine to move it out there.
> > If it provides other roles, then you may want to consider the impact moving
> > that server will have on those roles.
> >
> > > I want to harden our network security as we start to interact more with
> > > other corporations. Should I purchase the premium edition of SBS? Add
> > > another NIC to that server, and use it as a gateway to the internet? So it
> > > would be
> > >
> > > 1721 Router -> Pix 506E Firewall -> SBS 2003 Premium Server -> Internal
> > > Network?
> >
> > I (and most of the MVPs) think that this is the best way to go. You can
> > leverage the application proxying abilities of ISA to your benefit, and it
> > provides a back-to-back DMZ for you.
> >
> > > I have read also that it's not a good idea to have DC in a DMZ, it seems
> > > that SBS was designed inherently to disregard this suggestion, and maybe
> > > that's appropriate, I'm not sure that's why I'm asking.
> >
> > You're correct, you shouldn't have a DC in a DMZ. However, with the way SBS
> > is designed, the NIC that's attached to the "DMZ" doesn't really have
> > anything bound to it, and it's protected by ISA. The "Do not place a DC in
> > a DMZ" rule is more for a single-homed DC that's sitting in a DMZ and
> > connecting to another DC inside the internal network.
> >
> > > I have read some people that have the PIX handle DHCP. Is that a better idea
> > > than having SBS handle DHCP? I plan on having the PIX do VPN, anyone got
> > > suggestions/comments about this?
> >
> > It depends. If you're going to be going with ISA as well, then having the
> > PIX hand out DHCP addresses won't matter, since the SBS server will be doing
> > that for its own private network behind itself. If you stick with a
> > single-homed (and no ISA) SBS server, then it's up to you. Most people
> > prefer to let the SBS server handle it, as it's preconfigured. If you're
> > handy with the PIX, then it's just as easy to configure the PIX to do it,
> > and just hand out the SBS server for DNS and WINS to the clients.
> >
> > > One final question, this network is small, there are about 30 workstations.
> > > It has been setup using the class A private address space. I had a friend
> > > tell me that it should've been setup using the class C private address space.
> > > Can anyone confirm or deny this for me, and explain why?
> >
> > I'd say it doesn't matter. Yes, a class C space would be more efficient,
> > but since it's private, it doesn't overly matter. I've got SBS servers
> > using both class C and class A spaces, and there's no real difference. Just
> > remember if you're setting up VPNs between networks that (most of the time),
> > the networks have to have different network ranges.
> >
> > > Any questions or comments about this or any other portion of this post would
> > > be great. Thanks all!
> >
> > Let ME know if I made any sense :)
> >
> > Matt Gibson - GSEC
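An added example, not code from this thread or from either poster, for Matt's point that VPN-linked networks need distinct address ranges and for the class A versus class C question: a Python planning check that flags overlapping RFC 1918 ranges between sites and finds a free /24 in the class C space for renumbering. The site names and subnets are constructed.

```python
# Added example, not part of the original thread. Site names and subnets
# below are constructed; the RFC 1918 blocks are the real private ranges.
import ipaddress
from itertools import combinations

# The "class A" (10/8) and "class C" (192.168/16) private spaces from the
# thread, plus 172.16/12, which is the remaining RFC 1918 block.
RFC1918 = [ipaddress.ip_network(b) for b in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _parse(sites):
    """sites: {site name: [CIDR, ...]} -> {site name: [IPv4Network, ...]}."""
    return {name: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for name, cidrs in sites.items()}

def vpn_conflicts(sites):
    """Pairs of sites whose LAN ranges overlap. Two such sites cannot be
    joined by a routed site-to-site VPN without renumbering or NAT, because
    the same destination address would exist on both ends of the tunnel."""
    nets = _parse(sites)
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if any(x.overlaps(y) for x in na for y in nb)]

def free_subnet(sites, pool="192.168.0.0/16", prefixlen=24):
    """First /prefixlen block from `pool` that overlaps no site's range.
    Useful when renumbering a site out of a conflict: the class C pool
    holds 256 /24s, so a 30-workstation office fits in any one of them."""
    used = [n for nets in _parse(sites).values() for n in nets]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None

# Constructed planning data: a LAN numbered from the whole class A block
# (as an SBS setup using the "class A private space" might be) collides
# with a partner that picked one /24 inside that same block.
SITES = {
    "HQ (SBS LAN)": ["10.0.0.0/8"],
    "Partner":      ["10.1.2.0/24"],
    "Branch":       ["192.168.5.0/24"],
}

if __name__ == "__main__":
    print("conflicts:", vpn_conflicts(SITES))   # [('HQ (SBS LAN)', 'Partner')]
    print("free /24:", free_subnet(SITES))      # 192.168.0.0/24
```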


