Yet another which firewall? question

I appreciate that this question must get asked ad nauseam but here goes...

Scenario
========

We currently use 2 x ISA 2000 servers and the RainWall clustering software to connect our office to the Internet via a 2 Mb leased line.

On the LAN are 2 x web servers running IIS and MDaemon. The web servers connect to database servers running MS SQLServer. These database servers in turn connect to another database server to run certain stored procedures, so it's like this:

Internet - ISA Servers - IIS Servers - SQL Servers - SQL Server

The web servers run in-house developed e-commerce software that's used by internal and external users. There are about 150 users of the web site, divided equally between internal and external users.

Users who access the IIS Servers via the Internet do so via http and https only. The only other potential port that needs opening up is smtp.

I'm considering separating out this e-commerce traffic from web surfing etc by buying an ADSL connection and directing such non-business critical traffic through it, leaving the leased line for the web servers.

With two Internet connections comes the need for, potentially, two firewall solutions. The ISA servers provide VPN access to remote users and we also have SurfControl running on them. It seems that they might be best left to serve the ADSL line while the leased line has a hardware firewall attached to protect the web servers. No need for added extras like VPN access on the leased line firewall.

We don't currently have a DMZ. That's because currently the web servers copy documents from a file server to a temporary session area on the web server using a UNC connection before displaying their contents to the web users. The thinking is that such a large hole would need to be made in the firewall to allow this shared directory via UNC access that it makes the DMZ rather pointless. In due course, the plan is to use web services to copy the document files to the web server. Apparently this would mean that the file sharing hole could be sealed.

Eventually I'd end up with something like this:

ADSL - ISA Servers - Web browsers

Leased Line - Appliance Firewall - IIS Servers
                                      |
                                      |------------ SQL Servers - SQL Server

Questions
=========

So, my questions:

  1. Does the idea of separating essential from non-essential Internet traffic make sense? It would give us some redundancy too.

  2. Do you think I should use the two clustered ISA servers for the ADSL connection and use a hardware firewall for the leased line traffic?

  3. My understanding of a DMZ is that it should contain servers that are accessed by the LAN and Internet. The IIS servers should clearly be in the DMZ. How about the SQLServer servers? Given they are not accessed directly by the Internet but via the IIS servers, should they be kept on the LAN?

  4. What firewall would be suitable? It strikes me that the price of firewalls with DMZ rises dramatically. I also end up paying for VPN capabilities which I don't need.

Reply to
Paul Welsh

Sincere condolences. ;-)

No problem so far (with the small exception that you're using security software from Microsoft, of all the possible vendors).

You should think about a network zone concept first. Perhaps it's a good idea to start with the classical three zone concept.

Change that.

This is very ugly.

Yes.

No. I think, you first should start to design a zone concept, before you're thinking about anything else.

That depends.

Try to think about Free Software. It's not only free as in free speech, but good in pricing also.

Yours, VB.

Reply to
Volker Birk

Thanks for the comments, Volker. Any recommendations regarding open source firewall software?

Reply to
Paul Welsh

Because I have good experiences with netfilter, but also with pf, I don't want to recommend one over the other. Both work very well, and they are easy to use.

I don't have much experience with other open source firewall software besides Linux ipfw, and I think netfilter is a good successor. But FreeBSD's ipfw looks good, from what I'm reading and hearing.

My experiences with BSD's ipf are too long ago for me to tell much about recent releases.

Yours, VB.

Reply to
Volker Birk
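One way to express the three-zone concept Volker suggests (Internet / DMZ with the IIS servers / LAN with the SQL Servers) in the netfilter he recommends, as an added example for this thread's layout and not code from either poster; interface names, subnets, the SQL Server port and the DRY_RUN wrapper are assumptions:

```shell
#!/bin/sh
# Added example: a minimal three-zone netfilter policy for the layout discussed
# in this thread (Internet - firewall - IIS/DMZ - SQL/LAN). Interface names,
# subnets and the DRY_RUN wrapper are assumptions, not from the thread.
EXT_IF=${EXT_IF:-eth0}               # leased line
DMZ_IF=${DMZ_IF:-eth1}               # IIS / MDaemon servers
INT_IF=${INT_IF:-eth2}               # LAN, including the SQL Servers
DMZ_NET=${DMZ_NET:-192.0.2.0/24}     # documentation range, assumed
INT_NET=${INT_NET:-198.51.100.0/24}  # documentation range, assumed
SQL_PORT=1433                        # default MS SQL Server TCP port
IPT=${IPT:-iptables}

# Run iptables, or only print the command when DRY_RUN=1 (review the ruleset first)
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

apply_zone_policy() {
  ipt -P FORWARD DROP                      # default deny between all zones
  ipt -F FORWARD
  # Return traffic for connections a rule below has already accepted
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Internet -> DMZ: only http, https and smtp, as the original post lists
  for p in 80 443 25; do
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" \
        -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # LAN -> DMZ: internal users reach the e-commerce site like external ones do
  for p in 80 443; do
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" \
        -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # DMZ -> LAN: only the SQL Server port, so a compromised web server cannot
  # roam the LAN. No SMB/UNC rule: that hole is what the DMZ is meant to close.
  ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_NET" -d "$INT_NET" \
      -p tcp --dport "$SQL_PORT" -m conntrack --ctstate NEW -j ACCEPT
  # DMZ -> Internet: outbound mail delivery from MDaemon (assumed to be needed)
  ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" \
      -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  # Anything else (notably Internet -> LAN) is logged, rate-limited, then dropped
  ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Usage: DRY_RUN=1 sh zones.sh apply  (review)   /   sh zones.sh apply  (install)
case "${1:-}" in apply) apply_zone_policy ;; esac
```

Until the UNC copy is replaced by the web-services approach mentioned in the original post, the file server access would need its own narrowly scoped rule, which is exactly the hole the thread wants to close.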
