Re: Network Topology



Matt,

I appreciate your help. The secureftp server will have files uploaded to it
that need to be able to be moved to a server on the internal network. I'm a
little fuzzy here, I know that because of the dmz I will be blocking all
traffic from within the DMZ to our internal network, or at least that is my
understanding, however, could a computer from within my internal network
access the secureftp server sitting on the dmz and pull the files from it?
Would that be a secure/smart implementation?

David

"Matt Gibson" wrote:

> Answers inline...
>
> > I need to be able to provide secureFTP access via SFTP2 for business to
> > business data transfers that need to take place with our partners. I have
> > a server that provides this service, and I can open the port on the firewall
> > to that server. However, I don't know if I should be moving the hosting
> > server for this server outside of the firewall to prevent that access into
> > our internal network. SBS does not act as a firewall currently.
>
> Moving it outside your firewall depends on what access it needs to the
> inside of your network. If it's solely a filesharing server that never
> needs to talk to your internal network, then it's fine to move it out there.
> If it provides other roles, then you may want to consider the impact moving
> that server will have on those roles.
>
> > I want to harden our network security as we start to interact more with
> > other corporations. Should I purchase the premium edition of SBS? Add
> > another NIC to that server, and use it as a gateway to the internet? So it
> > would be
> >
> > 1721 Router -> Pix 506E Firewall -> SBS 2003 Premium Server -> Internal
> > Network?
>
> I (and most of the MVPs) think that this is the best way to go. You can
> leverage the application proxying abilities of ISA to your benefit, and
> it provides a back-to-back DMZ for you.
>
> > I have read also that it's not a good idea to have DC in a DMZ, it seems
> > that SBS was designed inherently to disregard this suggestion, and maybe
> > that's appropriate, I'm not sure that's why I'm asking.
>
> You're correct, you shouldn't have a DC in a DMZ. However, with the way SBS
> is designed, the NIC that's attached to the "DMZ" doesn't really have
> anything bound to it, and it's protected by ISA. The "Do not place a DC in
> a DMZ" rule is more for a singlehomed DC that's sitting in a DMZ and
> connecting to another DC inside the internal network.
>
> > I have read some people that have the PIX handle DHCP. Is that a better
> > idea than having SBS handle DHCP? I plan on having the PIX do VPN, anyone
> > got suggestions/comments about this?
>
> It depends. If you're going to be going with ISA as well, then having the
> PIX hand out DHCP addresses won't matter, since the SBS server will be doing
> that for its own private network behind itself. If you stick with a
> singlehomed (and no ISA) SBS server, then it's up to you. Most people
> prefer to let the SBS server handle it, as it's preconfigured. If you're
> handy with the PIX, then it's just as easy to configure the PIX to do it,
> and just hand out the SBS server for DNS and WINS to the clients.
>
> > One final question, this network is small, there are about 30
> > workstations. It has been setup using the class A private address space.
> > I had a friend tell me that it should've been setup using the class C
> > private address space. Can anyone confirm or deny this for me, and explain
> > why?
>
> I'd say it doesn't matter. Yes, a class C space would be more efficient,
> but since it's private, it doesn't overly matter. I've got SBS servers
> using both class C and Class A spaces, and there's no real difference. Just
> remember if you're setting up VPNs between networks that (most of the time),
> the networks have to have different network ranges.
>
> > Any questions or comments about this or any other portion of this post
> > would be great. Thanks all!
>
> Let ME know if I made any sense :)
>
> Matt Gibson - GSEC