I Need a firewall recommendation.



I am setting up two 2003 standard edition web servers.
I am thinking I would be better off with a hardware firewall between
these servers and the internet.

The only services they will need to run are:
smtp 21
pop 110
http 80
https 443
ftp 21
And remote desktop 3389 (I think)

Since there are two servers the firewall must have some way to route
incoming requests to the proper server.  For example lets say server's
1 domain name was domainTest1.com and server's 2 domain name was
domainTest2.com.  Requests for port 80 on the domain domainTest1.com
would be routed to the IP of server 1, and requests for port 80 on the
domain domainTest2.com would be routed to the IP of server2. The same
thing is required for the other services/ports.

1)    Do I need a hardware firewall if I am running 2003 standard
edition?
All unneeded services will be turned off including windows file
sharing.

2)    What hardware firewall would anyone recommend?
I was looking at the cisco 501 and 506e, but the traffic on these
servers is small, counted
in the hundreds of hits a day, not thousands.

Thanks.




Re: I Need a firewall recommendation.
User wrote:

You can try, if you'd like, sonicwall. I am pretty sure the
sonicwall OS will allow the user to set up multiple servers and route
properly; however, using port 80 and having two servers on the same LAN
using the same port I would think would be difficult, only since I don't
even know how that can work, other than the firewall appliance routing
properly, which I think the sonicwall does. www.sonicwall.com and
www.sonicguard.com sell them for the lowest price I've seen: $289 for
the SonicWALL TZ150, and then the cost goes up from there.
www.sonicwall.com does have a demo you can try for free to log into a
virtual administration server and look at all the things it can do. It's
got one heck of an OS; the SonicOS is awesome in my opinion. So at least
this way you should be able to see if it will do exactly what you want.
The help system in the SonicOS is really good too in my opinion.


Re: I Need a firewall recommendation.
On Thu, 17 Feb 2005 19:31:49 +0000, User wrote:


If you want two servers to serve pages based on domain names then you'll
need two IP addresses. A single server can serve many domain name pages
based on name, but a firewall will not direct site names between servers.
You will configure a public DNS record for each site, point the sites at
two IP addresses (one for each) and then create rules that map the public
IP to the proper server.

As for the rest, do you really want to allow POP to the server through the
Public connection? Are you trying to run a small web server that you sell
space on?

A proper firewall, like a WatchGuard Firebox 700 would protect your
investment properly.

If you want to go on the cheap then you could purchase one of the higher
end routers that permits multiple public IP addresses on the WAN port and
just forward to the proper LAN IP.

I would never put a MS machine directly on the Internet. I've installed
several hundred servers over the years, all MS, and never had a
compromised server - but I never use ISA and I never setup a server
directly connected to the Internet.



--
spam999free@rrohio.com
remove 999 in order to email me



Re: I Need a firewall recommendation.
I agree with Lythos, you simply CANNOT put a Windows machine on the
public internet.  Not that Windows is that bad of a product, just that
it isn't designed to be a "firewalled OS".

Do you really need two machines?  If all you're running are websites with
mail ability, even a mid level machine will suffice.  As stated above
by someone else, with Apache you can redirect someone to another
website on the same IP by the requested DNS/URL.

Example:

www.yourdomain.com = IP 192.168.10.10
www.yourotherdomain.com = IP 192.168.10.10

Apache will read the requested domainname and redirect the request to
the appropriate server instance.

Yes, Apache runs on 2003, and yes it is a bit more difficult than IIS,
and yes it has more features and is just as stable as 2003 will let it
be!

As far as the pop/smtp, that also could all reside on the same box.
Even easier than the Websites actually.

As far as firewalls go, m0n0wall (http://m0n0.ch/wall ) will do
everything you need, and then some.  It is free, will run from a
floppy/CD/compact flash/hd.  

JM2C

Good Luck!

Smooter



Re: I Need a firewall recommendation.
Leythos wrote:


The newer sonicwalls have an intrusion prevention subscription service
available that inspects incoming tcp streams for known IIS exploits and
kills the connection if it looks as if an exploit is being attempted.
Works quite well in my experience.


Re: I Need a firewall recommendation.
User wrote:


np - firewalls do that (if you tell them to).


'need' is an interesting word.  I'd say you probably would be well
advised to use a hardware firewall based on what you've said so far.


Are you sure?  And incidentally, do you need to disable anything at all
if your servers are safely behind a good firewall?


SnapGear 710 if you need rackmount or one of the cheaper units otherwise.

Only other comment I have is that two servers sounds overkill based on
what you've said so I must assume there is more to this project than
there seems.  Make sure whichever firewall you choose can handle the
throughput.

--
William Tasso


Re: I Need a firewall recommendation.
William Tasso wrote:

Not the way he described. 1 outside IP address, 1 port (port 80) being
natted to two different IP addresses - which one it gets natted to
depending on the URL that was requested. Not too many firewalls do layer
7 aware natting like that.


Re: I Need a firewall recommendation.
On Thu, 17 Feb 2005 18:20:45 -0500, T. Sean Weintz wrote:

That's my experience too.


--
spam999free@rrohio.com
remove 999 in order to email me



Re: I Need a firewall recommendation.
T. Sean Weintz wrote:

Well slap me sideways with a kipper - I didn't read that inference at
all.  Would never have thought of wanting to do that.

/goes back to sleep
--
William Tasso


REPLIES TO EVERYONE, THANKS!
Here is a follow up to everyone's replies.

First a clarification.
The servers are dual xeon 2.88 machines so they are overkill as it is.
All the services listed will be running on ONE of the servers.
It will have one smtp/pop email server (Rockliff Mailsite) serving up
multiple email domains. And it will be running iis hosting different
web sites each with different IPs and ftp and remote admin. The
machine that is being replaced by this new one already has multiple
web sites and email domains as described - so I already know how to do
all this on one machine, but thanks for the informative replies
anyway…

The other server is running an app that uses one "weird" port, let's
say port 1234, and remote admin.

Joe
-----
I talked to the sonicwall folks and for a "low end" router the TZ170
looks pretty serious for a great price. And it will handle everything
I need to do here, and the ability to filter spam/malware at the
firewall level (McAfee engine - would prefer the NOD32 engine though) is a
great feature. I am almost certainly going to go this route. Thanks
for the tip!

Leythos
-----------
You said - "do you really want to allow POP to the server through the
Public connection?"
Well yes. My company has a domain name that has emails associated with
it and I have users that need to read their email. I have had pop 110
open to the public for years now. Am I missing something here?

Smooter
http://m0n0.ch/wall looks cool!
I don't have the time to deploy this setup with something like that
but for future things like a better setup at the office putting an old
PIII 600mhz machine to use for something like that is an interesting
idea. Thanks for the tip.

William Tasso
-------------------
In response to my statement:
"All unneeded services will be turned off including windows file sharing."

You said:
"Are you sure?  And incidentally, do you need to disable anything at all
if your servers are safely behind a good firewall?"

Well here is why.
These two machines will physically be on the same LAN behind the
firewall.
I don't need file sharing between them. So I was thinking that if one
was compromised it would be better to turn off windows file sharing on
both machines to limit the possibility that the compromised machines
could be used to hack the second.
What do you think now that is clarified?


T. Sean Weintz
You said:
Not the way he described. 1 outside IP address, 1 port (port 80) being
natted to two different IP addresses - which one it gets natted to
depending on the URL that was requested. Not too many firewalls do
layer 7 aware natting like that.

Sorry for the somewhat vague first post.
Each web site/ ftp site will have DIFFERENT IP addresses.


------------------------------------------------------------------------------------------
So, right now it looks like the TZ170 unless further comments tell me
better.

This was my first post to this group.
It rocks!
Thanks everyone…



Re: REPLIES TO EVERYONE, THANKS!
User wrote:

Well, it's always a good plan to turn off any and every unnecessary
service on any server for reasons of performance /and/ security.

I have set up many projects similar to that you described.  Usually, but
not always, I configure each server to be a functional duplicate of its
neighbour and make regular data transfers between them so that each is a
warm standby unit for the other.

With two NICs in each box, file sharing doesn't need to be available on
the public facing network.

--
William Tasso


Re: I Need a firewall recommendation.



For SMTP(25), HTTP and HTTPS, this could be achieved by inserting proxy
services, since the protocol includes the hostname.

For POP, if you constrained the usernames to be of the form
bob@host1.example.com, there are some POP servers that can hand off to
other POP servers.

For FTP you are stuffed. You could run it on different ports, and
route these differently, but that might cause firewall problems for the remote
users.
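The hostname-based routing that this reply and T. Sean Weintz's earlier post discuss only works because HTTP carries the requested name in its Host header and TLS can carry it in the server_name (SNI) extension of the ClientHello. The code below is an added example written for this page, not code posted by anyone in the thread: it pulls the name out of the first bytes of a connection, looks it up in a route table, and returns no back-end for protocols such as FTP or POP3 that carry no hostname. The route table, the internal addresses (192.168.10.10 and .11, in the style of Smooter's example), and the sample requests are all constructed for the demo.

```python
"""Layer-7 routing demo: choose a back-end from the hostname carried in
HTTP (Host header) and TLS (SNI).  Added example for this thread; the
ROUTES table, addresses and sample messages are constructed."""
import struct

# Constructed routing table: public hostname -> internal server address.
ROUTES = {
    "domaintest1.com": "192.168.10.10",
    "domaintest2.com": "192.168.10.11",
}


def http_host(data: bytes):
    """Return the Host header value of an HTTP/1.x request, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not complete yet
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            # Drop an explicit port such as "domaintest1.com:80".
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


def tls_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None.
    Walks record -> handshake -> ClientHello -> extensions (RFC 6066)."""
    if len(data) < 5 or data[0] != 0x16:  # content type 22 = handshake
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    p = 4 + 2 + 32                        # header, client_version, random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                        # session_id
    if len(hs) < p + 2:
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                        # compression_methods
    if len(hs) < p + 2:
        return None
    end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
    p += 2
    while p + 4 <= end:                   # iterate extensions
        ext_type, length = struct.unpack("!HH", hs[p:p + 4])
        body = hs[p + 4:p + 4 + length]
        p += 4 + length
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:  # host_name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii", "replace").lower()
    return None


def pick_backend(port: int, first_bytes: bytes):
    """Decide which internal server a new connection belongs to.
    Returns None when the protocol carries no hostname (FTP, POP3, or a
    client that sends no SNI): exactly the case where the thread says a
    layer-7 device cannot help and one public IP per site is needed."""
    if port == 80:
        host = http_host(first_bytes)
    elif port == 443:
        host = tls_sni(first_bytes)
    else:
        host = None
    return ROUTES.get(host) if host else None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello with an SNI extension
    (sample input for the demo, not a real client)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + bytes(32)          # version, random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x00\x2f"            # one cipher suite
            + b"\x01\x00"                    # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: domainTest2.com\r\n\r\n"
    print(pick_backend(80, req))                                     # 192.168.10.11
    print(pick_backend(443, build_client_hello("domaintest1.com")))  # 192.168.10.10
    print(pick_backend(21, b"USER bob\r\n"))                         # None
```

Note that HTTPS gives the proxy a hostname only when the client sends SNI; a connection without it is indistinguishable from any other on port 443, which is why the fallback is still one public IP per site, as Leythos described.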


