Re: router - firewall



One word: SonicWALL.

Learn more at http://www.sonicwall.com/products/index.html
Tech

"Nathan Thomas Sr" wrote:

For $200, you can build a decent machine and run Smoothwall. Mine is a
533 MHz w/ 256 MB RAM.
http://www.smoothwall.org/
Use 2.0, since 3.0 is still alpha... many people make the mistake of
getting 3.0 and find out it's buggy.

I have it in front of our Exchange server. I also have many 'mods' from
the 'homebrew' section of the support forums: Adzap, VPN, OpenSwan,
Squid, Shields Up, LaBrea tarpit/honeypot, Guardian, etc.
The only issue I've had with it is UPS, but I haven't taken the time to
fix it; and I had Guardian set extra touchy and it was blocking our DNS servers.

Leythos wrote:
In article <11trh1tqnhoem0a@xxxxxxxxxxxxxxxxxx>, bzyfon@xxxxxxxxxxxxxx
says...

hmm.... I'm not an IT guru at all :)
but isn't a VPN the best way to access
a company server when working, for example, at home?


Several things:

Firewall appliances: you won't find quality units with any reasonable
set of features for under $1000 US, and most of the good ones will run
about $2000 for a full set of features like HTTP proxy and SMTP proxy
services that can filter content (things you don't want) out of those
sessions to provide a great level of protection.

VPN: any VPN you set up for file sharing will be slow, not because it's a
VPN, but because most users will have slow internet connections when
compared to their normal office LAN connection. What we see is people
that browse the network shares, click on a 200 meg file, then click 6
more times since it didn't open instantly, then wonder why their machine
is just sitting there. It's because it can take several minutes to
actually open a 200 meg file over a DSL/cable connection.

Users that have dedicated workstations at the office: you can do remote
connections several ways:

1) User VPNs into the firewall appliance and then RDs into their work
computer; the firewall limits access to just their dedicated workstation.

2) User RWWs into the company and does the same.

3) User accesses the workstation via RD or VNC and the firewall limits
connections to users by IP address ranges.

4) Set up a dedicated Terminal Server box and then use method #1, except
the connection is to the Terminal Server, not their desktop computer.

There are other methods, but not as pretty.

We set up most offices with a VPN into a firewall appliance, then limit
them to their workstation or the terminal server and to the specific ports
needed to reach those, which means that a home user's compromised
computer (viruses) can't spread to the office computer (since we don't
allow all ports via VPN and we don't allow mapping of drives in an RD
session).
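The per-user, per-port restriction described in the post above, written out as an added example rather than anything from the thread or from any appliance's configuration: a POSIX shell script that emits an iptables-restore ruleset whose FORWARD chain defaults to DROP and only admits each VPN client to RDP (TCP 3389) on its own office workstation, plus the shared terminal server. The interface names, the 10.8.0.0/24 VPN addresses, the 10.0.0.0/24 office addresses and the client-to-workstation mapping are all constructed for illustration; nothing is applied unless the script is run with `apply`.

```shell
#!/bin/sh
# Added example (not from the post): generate firewall rules that pin each
# VPN user to RDP on one workstation, so an infected home PC cannot reach
# SMB, NetBIOS or anything else on the office LAN through the tunnel.

VPN_IF="tun0"          # assumed interface VPN traffic arrives on
LAN_IF="eth1"          # assumed office LAN interface
TS_IP="10.0.0.10"      # assumed terminal server (method #4 in the post)

# Constructed mapping: VPN client address -> that user's dedicated workstation.
USER_MAP="10.8.0.2 10.0.0.21
10.8.0.3 10.0.0.22"

# One ACCEPT per user: RDP only, to their own workstation only, new flows only.
gen_user_rules() {
    printf '%s\n' "$USER_MAP" | while read -r vpn_ip ws_ip; do
        [ -n "$vpn_ip" ] || continue
        echo "-A FORWARD -i $VPN_IF -o $LAN_IF -s $vpn_ip -d $ws_ip -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Complete ruleset in iptables-restore format. The chain policy is DROP, so
# anything not listed (445, 139, drive mapping over SMB, ...) never crosses.
gen_rules() {
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    # Return traffic for connections that were already accepted.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Every VPN user may also reach the shared terminal server over RDP.
    echo "-A FORWARD -i $VPN_IF -o $LAN_IF -d $TS_IP -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT"
    gen_user_rules
    # Log what the default DROP discards so blocked lateral movement shows up.
    echo "-A FORWARD -i $VPN_IF -m limit --limit 10/min -j LOG --log-prefix \"vpn-drop: \""
    echo "COMMIT"
}

# How many ACCEPT rules open a given destination port (0 for anything but 3389).
allowed_port_count() {
    gen_rules | grep -c -- "--dport $1" || true
}

if [ "$1" = "apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it with no arguments to review the generated rules; `apply` feeds them to `iptables-restore`. Note that the "no drive mapping in an RD session" part of the post is not a firewall decision: device redirection rides inside the RDP session on 3389, so it has to be disabled in the Terminal Services / Remote Desktop host policy, while these rules only stop the home machine from reaching file shares directly.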
