Security Basics mailing list archives

RE: Network Design


From: "Justin F. Knox" <jknox () indexzero org>
Date: Tue, 26 Aug 2003 19:00:34 -0400

With a firewall set up like that, you're looking at 3 interfaces (inside,
dmz, outside). If you're looking for a solution with excellent support, I'd
recommend Cisco's PIX 515E with 3DES license and an additional NIC (it's
only a 2-port solution by default). Another option is to use Checkpoint's
Firewall-1 on a Nokia device, but I'll admit that I'm not all that familiar
with that product. Other companies with firewall offerings are Netscreen and
Sonicwall, both offering decent devices.

Configuration concerns to keep in mind: if you're using Exch2k, you'll be
building a front-end server for OWA. This requires an additional exch2k
server license to do. It also requires a fair amount of ports to be opened
between the DMZ and the corporate LAN, so even though this server will be
behind the firewall, it would be a good idea to use iislockd.exe, and watch
its logs rather extensively.

FTP: what software were you going to run? You could use IIS for this, but
I'd hesitate to do so. Ipswitch offers a decent FTP server product.

Corporate LAN: How many servers are there? Just one Windows 2000 server with
all services on it?

The Cisco product is a good solid product. Some complain about having to use
a command line to work with them, but honestly they're not that bad once you
get accustomed to them. The PIX can operate as a VPN end-point, allowing
clients to connect to your internal LAN (hence the 3DES license, DES comes
standard included now).

Lastly, don't forget the AV software. There was a decent thread on AV softs
last month or so... I'd recommend Symantec, McAfee, or Trend.

Hope that helps, and good luck!
justin

-----Original Message-----
From: Jeff McClintock [mailto:lord_fiery () yahoo com]
Sent: Monday, August 25, 2003 3:51 AM
To: security-basics () securityfocus com
Subject: Network Design




Hello, I've been tasked with creating my first ever network. Definitely
exciting, but lots of stuff to know :) Given that, I wanted to run this by
you guys and get some opinions.

I work for a small firm of 20-25 employees that use Windows 2000 and XP
exclusively. They are planning to scale to a maximum of 50 people within a
year. They have a full T1, and want to have an FTP server, VPN and OWA
access. Web hosting is done by their ISP. Does this seem like a pretty
secure setup for them:

Internet -> Firewall -> (DMZ) FTP/OWA server (DMZ) -> DMZ Firewall ->
Corporate LAN (with Exchange, employee machines, etc...)

If so, any rec's on firewalls for something like this? Since it's a small
firm, price is always an issue.

thanks
jm

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September
6. Visit us: www.blackhat.com
----------------------------------------------------------------------------




