Firewall, Antivirus, Spam, etc...

[BadDog]

I am just getting ready to upgrade to SBS 2003 premium. I intend to run the web server and exchange server from this box. I have a firewall which my lan is behind. I am wondering about firewall solutions for the SBS box. I want to leave the lan behind the existing firewall, and put the SBS box in front of the lan firewall but behind another firewall (a dmz).

Here's the thing, I want to have intrusion detection and prevention, spam filtering, antivirus, worm/trojan scanning and prevention. I am wondering about hardware vs. software solutions.

I have looked at some firewall appliances which provide all of the above, but it seems that you have to buy the provider's subscription service to keep the signature files up to date. I have no problems with that, although they are expensive.

I have also looked at spam filtering as a software solution integrated with Exchange (like GIF MailEssentials, and similar programs). The software solutions also offer antivirus, trojan/worm detection. I also understand that you can set up SBS's ISA 2004 Server to act as a firewall.

At this point I am thinking of buying a firewall appliance for intrusion detection and prevention, but using software solutions for spam filtering, antivirus, etc... and then once I figure out ISA 2004, implementing that in additoin to the hardware firewall.

With all that said, does anyone have any suggestions as far as a hardware firewall for this scenario (ie one that doesn't cost a fortune, but still has some decent capabilities, and doesn't necessarily require a subscription service) one that I can use for intrusion prevention? Or, do you think I should keep all the spam and virus filtering, as well as intrustion detection and prevention, on the firewall appliance (as opposed to integrating it with Exchange on the SBS box) Any recommendations as far as this intended configuration, or articles I can read for more info?

 

[markdmac]

SBS is not intended for placement in a DMZ. Why are you planning to do this?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[BadDog]

I am probably using the wrong term (DMZ). If you read the rest of the question I think you will see that I am asking about possible firewall solutions.

 

[markdmac]

But you are saying you want to seperate your clients and the server by a firewall. That is a DMZ scenario.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[BadDog]

Yes. But my real question is about selection of a firewall solution. The server is a web server and exchange server. There is nothing else on it. The other computers on the lan are my personal network, not business. The lan is behind a wireless access point/firewall/DHCP server. I don't want to put the SBS behind that. I want to set up another firewall in front of the SBS. I am trying to select that solution. I would like to filter spam, viruses etc... as mentioned previously. I am trying to determine whether to use hardware or software for all that. I'm probably in the wrong forum for this question.

 

[TimRegester]

I would obtain a good dedicated SPI (Stateful Packet Inspection) Firewall. and place this between your server and the internet connection, if your SBS is acting as your firewall you should be able to add it to the DMZ and restrict the ports available to the outside world.

The firewall should cope with all the intrusion and detection and leave your SBS to do what it should be doing serving files and acting as your exchange server.

if your current WAP/firewall/dhcp server is robust enough and configurable enough then use that if you are not sure replace it with a more robust solution such as a Draytek box.

Remember keep it simple.

 

[BadDog]

Thanks for the tip. I was kind of thinking along that line and look at several firewall appliances in the last day or so. I just finished purchasing the Zyxel, Zywall 5 with Unified Threat Management (with the turbo expansion card). It looks like it is very robust and has a lot configurability. I also opted for a year of antivirus and intrusion detection/prevention. I will pick up a subscription to spam filtering as well. It sounds like it can handle all that, which means I don't have to purchase a seperate spam filtering program. With some of the other options I was looking at I had to do both (hardware and software) in order to accomplish all that. I am going to put the Zywall out front, then the SBS box, then the non-robust access point firewall, then my lan. The SBS box will have public ips in that I am using it for web services etc... I assume that will still work, or do I have to use private ip's and do port forwarding through the zywall in order to obtain the security I need? Obviously I will lock down all the ports except 80, 443, 25, etc.. I will use ISA server as well, once I figure that out. Although, I am guessing it wont be necessary since I am not using the SBS box as a gateway for the lan. Anyway, sorry for blathering on.

 

[LWComputingMVP]

Just to point out - SBS was intended to be managed in a VERY specific manner - using the wizards whenever and whereever possible. There should be little need to "figure out" ISA server as that should be managed using the wizards. Doing things manually can create problems.

 

[BadDog]

Good to know, particularly coming from the NT 4.0 world. I recall reading somewhere about the intricacies of configuring ISA manager and how it is somewhat complicated. It sounded like there was more to it than the wizards. But again, I haven't worked with it before, thus the comment about "figuring it out.

 

[TechSoEasyMVP]

BadDog,

You can't use an SBS in the way which you are suggesting. It cannot just be a web server and Exchange server (in fact it does not make a very good web server anyhow).

As lwcomputing mentioned, it is intended to be deployed in a very specific manner. The design is to be the center backbone of a LAN. If that is NOT your intent, then I suggest you find an alternate solution for your network.

Jeff
TechSoEasy

 

[victorl]

This question is along the same lines, and I understand that SBS 2003 is intended to work a certain way, but we are a small company, and I have to manage a lot of these things myself.

We have been using SBS 2003 for a couple of years behind a firewall product. We've had the firewall product since before the SBS, and like how well it works. The SBS server only had one LAN interface, and therefore had its firewall turned off.

Now, I want to add a wireless router to the whole thing, but wanted to place it between the firewall and the SBS, and activate the SBS firewall. This seemed like a good idea since 1) it would require wireless clients to use VPN to access the network behind SBS, and 2) keep my wireless clients behind a firewall, giving some protection.

Is this a supported scenario for SBS 2003? I installed a second NIC, and was hoping to be able to get this to work. However, I couldn't, and now that I think about it, I had both NICs on the same subnet (192.168.1.x)

If I were to keep the LAN side NIC to that subnet, and then change the "ISP" side to 192.168.0.x, would this work? How would I have to configure the SBS to allow traffic from behind the 192.168.1.x subnet to get through to the Internet? Previously, we had them go through the firewall, but it seems that with the new setup, we'd have to have all the client computers go through the SBS's 192.168.1.x address. Am I doing this right?

Thanks,

victorl

 

[TechSoEasyMVP]

You really should post this as a new question rather than tagging on someone elses... otherwise it never quite sorts right.

Jeff
TechSoEasy