From 1 to 5 public IPs, what do I do now?

judaster

Mar 4, 2010
Hello everybody, and thanks for reading my post!

First let me say that I'm a total networking noob :-(

We've just changed to a new ISP to get a 2 Mbps/2 Mbps SHDSL IP access. They have provided us with 5 public IPs, and I don't know what to do with them and how to manage them.

In our new facilities, we've been working for a few weeks using a cheap ADSL connection (we still have it, but this will be replaced by the new SHDSL); the router had one public IP and all the LAN (workgroup) computers were connected to the Internet (all auto).

Right now we have 15 workstations, but in a couple of weeks 15 more will come. We've already bought one server and the Small Business Server 2008 OS.

This is the hardware we have now:

Cisco 800 series router (we can't manage it, the ISP will do it, all the ports are open)
Cisco 3560G (24ports) switch
Dlink (don't know the model, but it's an old and cheap one) 24 ports switch

I have too many questions, but the main thing is: what router settings does my ISP have to set in the router? I guess I'll have to use NAT to provide Internet connection to the workstations using one of the public IPs? I'll need these extra IPs for VPN and the Exchange Server, right? Do I have to purchase a firewall to protect the LAN and do the NAT conversion?

As you can read, I'm lost.

Thanks

Jud

 
I'm curious, is that 2 Mbps per public IP, or 2 Mbps shared across ALL public IPs?

For the sake of argument, I’m going to assume each public IP provides 2 Mbps, otherwise it doesn’t really matter all that much if you have one public IP or 1000 public IPs since under most circumstances you’ll want the protection of a router and NAT firewall anyway. In fact, I’m not sure if the Cisco router you mentioned is even relevant if it’s managed by the ISP and is NOT NAT’d. It’s like finding out my own ISP at home is using a Cisco 800. So what? Unless there’s something else about that Cisco 800 that’s not been disclosed, you can pretty much pretend it doesn’t exist, at least for the purpose of working out your own network architecture.

So it just boils down to how to manage 5 public IPs rather than 1 public IP. And again, only important if each public IP represents a 2 Mbps data pipe. Now it’s about distributing those data pipes efficiently and effectively among your various departments.

What I would do immediately is consider a multi-WAN router of your own so you can centralize management of all those public IPs (route as necessary, bond to increase bandwidth, perhaps on a scheduled basis, etc.). Frankly, I wish the ISP was making that available to you directly, but if you must purchase it separately, so be it. Of course, you could build your own solution on top of a Windows or Linux server, but that could be a bit overwhelming if you’re not familiar w/ the process.

To me that’s the key. All the rest of it is just deciding the distribution policies regarding bandwidth and segregating the local IP space(s) as necessary (e.g., perhaps you need physical separation between departments using downstream routers and multiple subnets). But that’s beyond the scope of anything I could do here since YOU understand those details far better than I do. I can only help you enforce those policies w/ the help of technology once you tell me the policies.

P.S. wrt VPN and Exchange, it's not obvious to me you need to expose these within the public IP space, esp. the latter. You should always treat the public IP space w/ great skepticism. However, I could see the convenience and simplicity of managing a VPN on a public IP, w/ firewall, and no NAT since it’s a remote access issue anyway. And remote access is always a lot easier when you can avoid NAT.

judaster

Mar 4, 2010
Thank you very much for your answer eibgrad!

The 2 Mbps is shared across all public IPs :(

Do you mean that I should buy a firewall appliance to provide protection and NAT? So I shouldn't talk to the ISP to make any changes in the router, and should buy that piece of hardware to be independent? That would be great, but then will I be able to use these other extra IPs for other things like the videoconference system, or the Exchange server? I'm sorry, I have too many doubts.

Have a great day!

Jud

I don't know the relationship between you and your ISP. If it's like my own, it's pretty much an arm’s length one. I have no control over their equipment, and vice versa. They agree to leave my ports open, no firewalls. They're nothing more than a conduit to the Internet. From that point on, all the responsibility lies w/ me to protect my own internal network.

In general, you want to minimize your exposure to the public IP space. For one thing, those machines on the public IP space are not on your own local network (well, unless they have multiple network adapters). The only protection they have from malware, DoS (Denial of Service) attacks, and whatever other evils await them, is what they have installed and properly configured on their own machines. It’s just not what you normally want to do. The default should be to place all your machines behind a router YOU CONTROL EXCLUSIVELY within the safety of a local IP space (e.g., 192.168.x.x). You only want to expose machines w/ a public IP (i.e., directly to the Internet) when necessary. By necessity, everyone has at least one machine/device exposed: your Internet router. Beyond that, if you can’t explain WHY any other machine should/needs to be exposed similarly to the public IP space, then it shouldn’t. I gave one example of where it might make sense: a VPN server for remote access (but even then such services can often be integrated into the Internet router).

So here you sit w/ 5 public IPs, all sharing a combined 2 Mbps. As I said before, if you’re not going to get any advantage from having multiple public IPs except, well…, having multiple public IPs, what’s the point? Give me the argument for multiple public IPs in a business environment. I can think of some advantages for home users. For example, I have ppl on this forum wanting to use PC and console games with MULTIPLE players behind a NAT router. That’s almost impossible to do unless you have multiple public IPs. They MUST be exposed to the public IP space so each player can be differentiated (behind a NAT router they appear to be one and the same, and that’s a problem).

Don’t get me wrong, I’ll take the public IPs if I can get them. But their usefulness remains to be determined. A VPN (for remote access) is one possibility since that involves issues similar to the gaming scenario I discussed above. Both involve unsolicited INBOUND requests to your local network.

Let’s consider the Exchange server. What advantage does a public IP give the Exchange server over a local IP behind your Internet router? On the face of it, nothing comes to mind. It’s completely accessible to the clients of your local network and it has access to the Internet to both send and receive mail through your Internet router. So what’s not to like?

Video conferencing? Depends on what video conferencing system(s) you plan to use. Most will probably work just fine behind your Internet router (if they didn’t, they’d be out of business). Many use features like a rendezvous server and NAT traversal to make dealing w/ your router’s firewall a non-issue.

IOW, I don’t see (as yet) the fact you have multiple public IPs all that different in terms of your local network architecture than if you have but ONE public IP. Not yet anyway. So you should just approach the design of your local network with that in mind. And if you run into a particular problem being behind a NAT router, well, at least you have several public IPs available and perhaps dole them out on an as-needed basis.

The impression I got from your initial post was that somehow moving from one public IP to many public IPs had rewritten the book on what you should do. I’m not convinced that’s the case. That’s why I asked if perhaps those public IPs might each have 2 Mbps. NOW you would have other concerns (load balancing, failover, bonding, etc.).

judaster

Mar 4, 2010

Thank you SO MUCH! Your explanation is gold to me. I'll get a good router or a hardware firewall to protect my network and provide NAT, and of course I'll use only ONE public IP for now!

Have a great weekend!

gtvr

Jun 13, 2009
Get a good firewall. It will provide you with the ability to control access to your LAN, plus a DMZ for when you are ready for it.

With public IP addresses, expect a constant barrage of probes and hack attempts. Until you know what you are doing, I would set the firewall to deny all inbound connections. Don't even respond to pings. Make it look like those addresses aren't there.

Either get someone who knows networking, or learn it really well, before you let anything in. That includes security, intrusion detection, and the like. You don't want to open a port to your web server, have someone compromise that, and have them own your network. Hackers are SOPHISTICATED these days; you need to be too. Maybe even consider hosted web services.

At a previous company, our inbound email filtered through their gateway and spam filter before it got to us. That did things like cache inbound email in case our server went down.
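The two pieces of advice in this thread (put the whole LAN behind a NAT firewall on one public IP, and deny all unsolicited inbound traffic, pings included, until you have a reason to open something) can be seen working together in a small model. The following Python block is an added example, not code from the thread or from any of the appliances mentioned; it implements the state tracking a NAT firewall keeps for outbound connections, drops everything inbound that does not match that state, answers no echo requests, and forwards exactly one explicitly listed service (a VPN port, as eibgrad's one candidate for exposure). The public IP, LAN range, hosts and ports are constructed values; a real Netgear or ZyWALL box is configured through its own interface, but enforces the same logic.

```python
"""Model of the setup recommended in this thread: the whole LAN sits behind
one NAT firewall on a single public IP, all unsolicited inbound traffic is
dropped, pings go unanswered, and only an explicitly chosen service (here a
VPN port) is forwarded. Constructed example; addresses and ports are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"      # assumed public IP (documentation range)
LAN_PREFIX = "192.168.1."       # assumed private LAN behind the firewall


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp-echo" (ports are 0 for ICMP)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatFirewall:
    # Explicitly exposed services: (proto, public port) -> (LAN host, LAN port).
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # Translation state created by outbound flows (a toy connection table).
    _out: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    _in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    _next_port: int = 40000     # next free public source port to hand out

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet. Allowed; the source is rewritten to the public IP
        and a state entry is kept so the reply can be matched later."""
        if not pkt.src.startswith(LAN_PREFIX):
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = self._next_port
            self._next_port += 1
            self._out[key] = pub_port
            self._in[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, PUBLIC_IP, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN. Passes only replies to existing state or an
        explicit port forward; everything else, pings included, is dropped."""
        if pkt.dst != PUBLIC_IP:
            return None
        if pkt.proto == "icmp-echo":
            return None                     # no echo reply: the address looks unused
        state = self._in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if state is not None:
            lan_ip, lan_port = state
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            lan_ip, lan_port = fwd
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        return None                         # default deny for unsolicited inbound


def demo() -> Dict[str, Optional[Packet]]:
    """Run a few constructed packets through the firewall and return what
    came out the other side (None means the packet was dropped)."""
    fw = NatFirewall(port_forwards={("udp", 1194): ("192.168.1.2", 1194)})  # assumed VPN host
    remote = "198.51.100.5"                 # assumed Internet host
    return {
        # two workstations browsing the same site: the site sees one IP, two ports
        "ws1_out": fw.outbound(Packet("tcp", "192.168.1.20", 51000, remote, 443)),
        "ws2_out": fw.outbound(Packet("tcp", "192.168.1.21", 51000, remote, 443)),
        # the site's reply to the first workstation is matched by state
        "reply_to_ws1": fw.inbound(Packet("tcp", remote, 443, PUBLIC_IP, 40000)),
        # an unsolicited probe at some port and a ping are both dropped
        "probe": fw.inbound(Packet("tcp", remote, 55555, PUBLIC_IP, 3389)),
        "ping": fw.inbound(Packet("icmp-echo", remote, 0, PUBLIC_IP, 0)),
        # only the deliberately forwarded VPN port reaches a LAN host
        "vpn": fw.inbound(Packet("udp", remote, 60000, PUBLIC_IP, 1194)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {'dropped' if result is None else result}")
```

The `ws1_out`/`ws2_out` pair is also the gaming problem eibgrad describes: from the outside both workstations share one address and differ only by a translated port, which is fine for browsing and mail but not for services that need to tell the hosts apart by IP. Each extra entry in `port_forwards` is one more deliberate hole, which is why the thread's advice is to start with none.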

judaster

Mar 4, 2010
Thank you gtvr.

As you advise, we should buy a firewall.

I've understood that my ISP gave us 5 public IPs, and I only need one now; I have to use NAT to provide Internet connection to all my network. I've spent some time browsing the web looking for a good firewall, and I finished by selecting these two models:

NETGEAR ProSafe VPN Firewall 200 FVX538

or the

ZyWALL USG 200

I believe they will provide us with all that we need:

NAT
Firewall
QoS
VPN

So the configuration will be something like ISP Cisco 800 (black box to me) + firewall + switch.

I guess I'll have to connect the Cisco to my router/firewall using one of the WAN inputs, right? And the firewall will do the DHCP. When the Internet works for all the LAN computers, I'll start setting up the server, then the server will provide the DHCP service. And when everything works, it will be time to install the Exchange... I'm learning a lot of things, and it's a great challenge to me to set everything up. Thanks everybody, you are helping a lot!

gtvr

Jun 13, 2009
Sounds fairly accurate. Have you read reviews on those firewalls? A quick search on Google showed the Netgear getting some low reviews for tech support. I have some experience with the SonicWall Pro devices, but they are a bit pricier.

Good luck. Make sure you have a good BACKUP solution for your network: file server, email server, database (if/when).