Yet another which firewall? question

Anonymous
September 15, 2005 12:54:51 PM

Archived from groups: comp.security.firewalls (More info?)

I appreciate that this question must get asked ad nauseam but here
goes...

Scenario
==========

We currently use 2 x ISA 2000 servers and the RainWall clustering
software to connect our office to the Internet via a 2 Mb leased line.


On the LAN are 2 x web servers running IIS and MDaemon. The web
servers connect to database servers running MS SQLServer. These
database servers in turn connect to another database server to run
certain stored procedures, so it's like this:

Internet - ISA Servers - IIS Servers - SQL Servers - SQL Server

The web servers run in-house developed e-commerce software that's used
by internal and external users. There are about 150 users of the web
site, divided equally between internal and external users.

Users who access the IIS Servers via the Internet do so via http and
https only. The only other potential port that needs opening up is
smtp.

I'm considering separating out this e-commerce traffic from web surfing
etc by buying an ADSL connection and directing such non-business
critical traffic through it, leaving the leased line for the web
servers.

With two Internet connections comes the need for, potentially, two
firewall solutions. The ISA servers provide VPN access to remote users
and we also have SurfControl running on them. It seems that they might
be best left to serve the ADSL line while the leased line has a
hardware firewall attached to protect the web servers. No need for
added extras like VPN access on the leased line firewall.

We don't currently have a DMZ. That's because currently the web
servers copy documents from a file server to a temporary session
area on the web server using a UNC connection before displaying their
contents to the web users. The thinking is that such a large hole
would need to be made in the firewall to allow this shared directory
via UNC access that it makes the DMZ rather pointless. In due course,
the plan is to use web services to copy the document files to the web
server. Apparently this would mean that the file sharing hole could be
sealed.

Eventually I'd end up with something like this:


ADSL - ISA Servers - Web browsers

Leased Line - Appliance Firewall - IIS Servers
                                       |
                                       |------------ SQL Servers - SQL Server


Questions
=========

So, my questions:

1. Does the idea of separating essential from non-essential Internet
traffic make sense? It would give us some redundancy too.

2. Do you think I should use the two clustered ISA servers for the ADSL
connection and use a hardware firewall for the leased line traffic?

3. My understanding of a DMZ is that it should contain servers that are
accessed by the LAN and Internet. The IIS servers should clearly be in
the DMZ. How about the SQLServer servers? Given they are not accessed
directly by the Internet but via the IIS servers, should they be kept
on the LAN?

4. What firewall would be suitable? It strikes me that the price of
firewalls with DMZ rises dramatically. I also end up paying for VPN
capabilities which I don't need.


Anonymous
September 15, 2005 11:23:48 PM


Paul Welsh <pwelsh@uk2.net> wrote:
> We currently use 2 x ISA 2000 servers and the RainWall clustering
> software to connect our office to the Internet via a 2 Mb leased line.

Sincere condolences. ;-)

> On the LAN are 2 x web servers running IIS and MDaemon. The web
> servers connect to database servers running MS SQLServer. These
> database servers in turn connect to another database server to run
> certain stored procedures, so it's like this:
> Internet - ISA Servers - IIS Servers - SQL Servers - SQL Server
> The web servers run in-house developed e-commerce software that's used
> by internal and external users. There are about 150 users of the web
> site, divided equally between internal and external users.
> Users who access the IIS Servers via the Internet do so via http and
> https only. The only other potential port that needs opening up is
> smtp.
> I'm considering separating out this e-commerce traffic from web surfing
> etc by buying an ADSL connection and directing such non-business
> critical traffic through it, leaving the leased line for the web
> servers.

No problem so far (with the small exception that you're using security
software from Microsoft, of all the possible vendors).

> With two Internet connections comes the need for, potentially, two
> firewall solutions. The ISA servers provide VPN access to remote users
> and we also have SurfControl running on them. It seems that they might
> be best left to serve the ADSL line while the leased line has a
> hardware firewall attached to protect the web servers. No need for
> added extras like VPN access on the leased line firewall.

You should think about a network zone concept first. Perhaps it's a
good idea to start with the classical three zone concept.

> We don't currently have a DMZ.

Change that.

> That's because currently the web
> servers access copy documents from a file server to a temporary session
> area on the web server using a UNC connection before displaying their
> contents to the web users.

This is very ugly.

> 1. Does the idea of separating essential from non-essential Internet
> traffic make sense?

Yes.

> 2. Do you think I should use the two clustered ISA servers for the ADSL
> connection and use a hardware firewall for the leased line traffic?

No. I think, you first should start to design a zone concept, before you're
thinking about anything else.

> 3. My understanding of a DMZ is that it should contain servers that are
> accessed by the LAN and Internet. The IIS servers should clearly be in
> the DMZ. How about the SQLServer servers?

That depends.

> 4. What firewall would be suitable? It strikes me that the price of
> firewalls with DMZ rises dramatically. I also end up paying for VPN
> capabilities which I don't need.

Try to think about Free Software. It's not only free as in free speech,
but good in pricing also.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
Anonymous
September 19, 2005 7:31:59 PM


Thanks for the comments, Volker. Any recommendations regarding open
source firewall software?
Anonymous
September 20, 2005 10:48:06 AM


Paul Welsh <pwelsh@uk2.net> wrote:
> Any recommendations regarding open
> source firewall software?

Because I have good experiences with netfilter, but also with pf,
I don't want to recommend one over the other. Both work very well,
and it's easy to use them.

http://www.benzedrine.cx/pf.html
http://www.netfilter.org/

I don't have much experience with other open source firewall software
besides Linux ipfw, and I think netfilter is a good successor. But
FreeBSD's ipfw looks good, from what I'm reading and hearing.

My experiences with BSD's ipf are too long ago for me to say much
about recent releases.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
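As an added illustration that is not part of the thread: the zone concept Volker recommends, applied to Paul's topology (Internet - firewall - IIS servers - SQL servers), expressed as a netfilter ruleset in iptables-save format. It is new example code, not anything posted in the thread. The interface names (eth0/eth1/eth2) and the addresses of the web and SQL hosts are assumptions made for the example; the only flows it opens are the ones the original post names: http, https and smtp from the Internet to the IIS hosts, tcp/1433 from the IIS hosts to the SQL hosts, and outbound smtp from the mail hosts. The SMB/UNC hole that was the stated reason for having no DMZ is deliberately left closed. Web surfing and VPN stay on the ISA/ADSL path and so do not appear here.

```shell
#!/bin/sh
# Added example (not from the thread): three-zone netfilter policy for
#   eth0  Internet (leased line)
#   eth1  DMZ      192.168.10.0/24   IIS/MDaemon hosts .11 and .12   (assumed)
#   eth2  LAN      192.168.20.0/24   SQL Server hosts .21 and .22    (assumed)
# The script prints an iptables-restore file; review it, then load it
# atomically with `iptables-restore < rules.v4` on the firewall host.

EXT_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
DMZ_NET=192.168.10.0/24
LAN_NET=192.168.20.0/24
WEB_SERVERS="192.168.10.11 192.168.10.12"
SQL_SERVERS="192.168.20.21 192.168.20.22"

# Emit the complete ruleset on stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall host itself: loopback, return traffic, and ssh from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Stateful core for forwarded traffic: established flows pass, junk is dropped.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Internet -> DMZ: http, https and smtp, and only to the web/mail hosts.
EOF
    for h in $WEB_SERVERS; do
        echo "-A FORWARD -i $EXT_IF -o $DMZ_IF -d $h -p tcp -m multiport --dports 80,443,25 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# DMZ -> LAN: each web server may reach each SQL Server on tcp/1433 and
# nothing else. A UNC/SMB share would need tcp/445 here; it is deliberately
# absent, which is the point of having the DMZ at all.
EOF
    for w in $WEB_SERVERS; do
        for s in $SQL_SERVERS; do
            echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -s $w -d $s -p tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    cat <<EOF
# LAN -> DMZ: internal users reach the web site the same way external ones do.
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# DMZ -> Internet: outbound mail from the MDaemon hosts only.
EOF
    for h in $WEB_SERVERS; do
        echo "-A FORWARD -i $DMZ_IF -o $EXT_IF -s $h -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Log what hits the default DROP so the policy can be tightened from evidence.
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Policy self-check on the generated text: required flows present, SMB from
# the DMZ into the LAN absent. Returns 0 on success, 1 on any violation.
check_ruleset() {
    rs=$(gen_ruleset)
    echo "$rs" | grep -q -- "-i $EXT_IF -o $DMZ_IF -d 192.168.10.11 .*--dports 80,443,25" || return 1
    echo "$rs" | grep -q -- "-i $DMZ_IF -o $LAN_IF .*--dport 1433" || return 1
    echo "$rs" | grep -q -- "-i $DMZ_IF -o $LAN_IF .*--dport 445" && return 1
    return 0
}

# Usage: sh fw.sh > rules.v4 && iptables-restore < rules.v4
gen_ruleset
```

The same policy maps one-to-one onto pf if the BSD route is taken: one pass rule per allowed flow with `keep state`, a default `block`, and no rule at all for SMB between the zones. Whichever tool is used, the check function is the part worth keeping: a ruleset that cannot be tested for the flows it must refuse is a ruleset nobody will notice quietly growing a hole.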
Anonymous
September 21, 2005 9:35:03 AM


There is open-source-based software like gajshield (www.gajshield.com)
and Astaro (www.astaro.com). They provide good security and the prices
are also affordable.