
Use DC as firewall/proxy???


Orblivian (Technical User, BE), Nov 27, 2001
Hi,

For the moment I'm using 1 W2K server with BlackIce/WinProxy as FW/proxy with 2 NICs (one to the net, one to a hub) and another W2K server as DC/DHCP/DNS. As I'm going to reinstall the server (W2K or W2K3) I would like to use only 1 server instead of 2. Would you recommend connecting a DC directly to the net (with proxy & FW), or would it be a high risk for attacks?

Thanks for your opinions.
 
Does nobody have any experience with this question?
 
I would keep the same basic set up that you have. Tasking 1 server with DC/DHCP/DNS/AD/routing and firewall is asking for trouble with both security and network performance.
 
I'm not a big fan of installing any DC directly on the internet if it can be helped at all. In fact, in this situation, why wouldn't you keep the existing topology, if for nothing else than as a "backup" to AD?

What we do is take a plain Jane stable PC, load it with Win2K Pro or XP Pro, and use that as the gateway to the internet, and not have it participate in the domain at all (not even joined). A little more secure...
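As an added example, not from any poster in this thread: the replies above boil down to one rule, keep the box that touches the internet separate from the DC, and keep the DC single-homed. The PowerShell audit below checks a Windows host against that rule: it reads the machine's domain role, counts the active physical NICs, and flags any DC that is multi-homed or that holds a non-private (public) IPv4 address. It assumes a Windows Server 2012 / PowerShell 5 or later host with the NetTCPIP and CimCmdlets modules, so it would not run on the W2K-era systems discussed here; the `Test-PrivateIPv4` helper and the output wording are my own.

```powershell
# Added example, not part of the thread. Flags the exposure the replies warn
# about: a domain controller that is multi-homed or holds a public IPv4
# address (a DC sitting directly on the internet). Assumes Windows Server
# 2012+/PowerShell 5+ with the NetTCPIP and CimCmdlets modules.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 ranges, loopback and link-local (APIPA) all count as "not public"
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 127) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = ($role -ge 4)

# Physical adapters that are up, and the IPv4 addresses bound to them
$upAdapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
$addrs = @(foreach ($a in $upAdapters) {
    Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
})
$publicAddrs = @($addrs | Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })

"Domain role code : $role (domain controller: $isDC)"
"Active NICs      : $($upAdapters.Count)"
foreach ($ip in $addrs) { "  {0,-28} {1}" -f $ip.InterfaceAlias, $ip.IPAddress }

if ($isDC -and $upAdapters.Count -gt 1) {
    Write-Warning "This DC is multi-homed; a DC should have exactly one NIC, on the internal LAN."
}
if ($isDC -and $publicAddrs.Count -gt 0) {
    Write-Warning ("This DC carries a public IPv4 address: " +
        ($publicAddrs.IPAddress -join ', ') + ". Put a separate gateway in front of it.")
}
if (-not $isDC -and $upAdapters.Count -ge 2) {
    "Not a DC and multi-homed: this looks like a dedicated gateway box, the layout the replies recommend."
}
```

Run it in an elevated PowerShell session on each server; a clean DC prints one active NIC with a private address and no warnings, while the two-NIC gateway PC described above should report that it is not a DC.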
 
Thanks for your input. I'm used to always working this way: the server connected to the net is a standalone server (not on the domain). I prefer a server over a workstation for security.

The reason I posted my question is server consolidation. Connecting a DC to the net is a high risk, but I suppose some small companies use this option because they don't have a lot of PCs.

Maybe someone has some experience with M$'s new Virtual Server option (like VMware). Is this a solution that could be applied, or is this option just a big joke :)
 
I had the same setup (also using BlackIce Defender, which was not so secure). I always found it a pain to lose the internet etc. when I was working on the server.
The best solution I found was to download a (25 MB) bootable CD called Smoothwall. It's Linux, but it's very simple to set up (I know nothing about Linux).
You load it on one of your old PCs with two NICs and it becomes your internet gateway (with a very secure firewall). It's accessible from any PC with a browser, and you don't need to keep a mouse, keyboard or monitor attached.
You can then run your server as a pure server (with one NIC, which means you don't get a lot of those errors appearing in Event Viewer; Win Server 2K doesn't seem to like more than one network card).
It was the best thing I did on my network, as it not only made it more secure but made everything faster.
It's got loads of features and you can even control it from a remote machine.

Good Luck .. GKDOG
 
Thanks gkdog.
A Linux freak :) has always proposed this option to me. You can also find floppy versions of Linux FWs. But like you, I don't understand Linux, even though I was born in the DOS period, so it's not that I don't like command-line OSes. It's just that I don't know what to do if something goes wrong. If my FW/Proxy goes down, I'll reload my Ghost image onto the PC and the thing is healthy as hell.
I've heard BlackIce Server is quite secure, but I'm running WinProxy as proxy next to BlackIce (and WinProxy also has a FW included), so I hope this makes it somewhat more secure. But anyway, if someone wants to break in, they always can. It's just that you have to make it as difficult as possible.
 