I appreciate that this question must get asked ad nauseam, but here goes...
We currently use 2 x ISA 2000 servers and the RainWall clustering software to connect our office to the Internet via a 2 Mb leased line.
On the LAN are 2 x web servers running IIS and MDaemon. The web servers connect to database servers running MS SQL Server. These database servers in turn connect to another database server to run certain stored procedures, so it's like this:
Internet - ISA Servers - IIS Servers - SQL Servers - SQL Server
The web servers run in-house developed e-commerce software that's used by internal and external users. There are about 150 users of the web site, divided equally between internal and external users.
Users who access the IIS Servers via the Internet do so via http and https only. The only other potential port that needs opening up is smtp.
I'm considering separating out this e-commerce traffic from web surfing etc. by buying an ADSL connection and directing such non-business-critical traffic through it, leaving the leased line for the web servers.
With two Internet connections comes the need for, potentially, two firewall solutions. The ISA servers provide VPN access to remote users and we also have SurfControl running on them. It seems that they might be best left to serve the ADSL line while the leased line has a hardware firewall attached to protect the web servers. No need for added extras like VPN access on the leased line firewall.
We don't currently have a DMZ. That's because currently the web servers copy documents from a file server to a temporary session area on the web server using a UNC connection before displaying their contents to the web users. The thinking is that such a large hole would need to be made in the firewall to allow this shared directory via UNC access that it makes the DMZ rather pointless. In due course, the plan is to use web services to copy the document files to the web server. Apparently this would mean that the file sharing hole could be sealed.
Eventually I'd end up with something like this:
ADSL - ISA Servers - Web browsers

Leased Line - Appliance Firewall - IIS Servers
                                       |
                                       |------------ SQL Servers - SQL Server
So, my questions:
- Does the idea of separating essential from non-essential Internet traffic make sense? It would give us some redundancy too.
- Do you think I should use the two clustered ISA servers for the ADSL connection and use a hardware firewall for the leased line traffic?
- My understanding of a DMZ is that it should contain servers that are accessed by the LAN and Internet. The IIS servers should clearly be in the DMZ. How about the SQL Server servers? Given they are not accessed directly by the Internet but via the IIS servers, should they be kept on the LAN?
- What firewall would be suitable? It strikes me that the price of firewalls with DMZ rises dramatically. I also end up paying for VPN capabilities which I don't need.
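As an added example that is not part of the original post, here is a small Python model of the zoned layout the post is heading towards: the Internet, a DMZ holding the IIS servers, a separate back-end segment for the SQL servers, and the LAN. The subnets, addresses and rule list are assumptions constructed for the example. The flows themselves come from the post: http/https and smtp inbound to the IIS servers, SQL Server traffic from the IIS tier to the database tier and between database servers, internal users reaching the e-commerce site, and the UNC file-sharing path from the web servers back to a LAN file server, which is the flow the post wants to close before a DMZ is worth having.

```python
"""Toy first-match firewall policy for a three-zone (Internet/DMZ/back-end/LAN)
layout. Added illustration, not the poster's configuration. Subnets, hosts and
port numbers are constructed; only the protocols come from the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per zone (assumption, not from the post).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),         # IIS servers (and MDaemon)
    "backend": ip_network("198.51.100.0/24"),  # SQL Server machines
    "lan": ip_network("10.0.0.0/8"),           # file server, internal browsers
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known subnets is Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str   # "allow" or "deny"
    comment: str


# Evaluated top to bottom, first match wins, implicit deny at the end.
POLICY = [
    Rule("internet", "dmz", 80, "allow", "http to IIS"),
    Rule("internet", "dmz", 443, "allow", "https to IIS"),
    Rule("internet", "dmz", 25, "allow", "smtp to MDaemon"),
    Rule("lan", "dmz", 443, "allow", "internal users of the e-commerce site"),
    Rule("dmz", "backend", 1433, "allow", "IIS tier to SQL Server"),
    Rule("backend", "backend", 1433, "allow", "SQL Server to SQL Server (stored procedures)"),
    # Explicit deny documents the UNC/SMB hole the post wants to seal once the
    # document copy moves to a web service; the default deny would catch it anyway.
    Rule("dmz", "lan", 445, "deny", "UNC/SMB from web servers to LAN file server"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple:
    """Return (action, reason) for a flow, using first-match-wins semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.dst_port) == (src, dst, dst_port):
            return r.action, r.comment
    return "deny", f"default deny ({src} -> {dst}:{dst_port})"


def reachable_from(zone: str) -> list:
    """(zone, port) pairs that `zone` may reach directly: a quick exposure check."""
    return sorted({(r.dst_zone, r.dst_port) for r in POLICY
                   if r.src_zone == zone and r.action == "allow"})


if __name__ == "__main__":
    # Constructed sample flows.
    samples = [
        ("203.0.113.9", "192.0.2.10", 443),      # external customer to IIS
        ("203.0.113.9", "198.51.100.5", 1433),   # Internet straight to SQL
        ("192.0.2.10", "198.51.100.5", 1433),    # IIS to SQL
        ("192.0.2.10", "10.1.1.20", 445),        # IIS to LAN file share (UNC)
        ("10.1.1.50", "192.0.2.10", 443),        # internal user to the site
    ]
    for s, d, p in samples:
        print(f"{s} -> {d}:{p}: {evaluate(s, d, p)}")
    print("Directly reachable from the Internet:", reachable_from("internet"))
```

The point of the `reachable_from` check is the SQL question in the post: with the database servers on their own segment, nothing from the Internet reaches them directly, and the only path is the IIS tier on port 1433. Leaving the UNC share open would require an allow rule from the DMZ into the LAN on 445, which is why the post's plan to replace it with a web service is the precondition for the DMZ being worth building.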