Where to put my multiple servers?????

Discussion in 'Server Networking' started by Joe K., May 3, 2004.

  1. Joe K. Guest

    I have a network going in from scratch with the following. T1 line with multiple available IPs. 1 Win2003 SBS for e-mail, file & print sharing. 1 - Win2003 Server (member server) as a Terminal server in application mode. 1 - Win2003 server web edition (member server) as a web/streaming media server. There is going to be 22 client (All XP Pro) machines in house, some using LAN only (training room) and the others running applications from the TS along with e-mail & file & print daily routines. There will be 5 clients that log into the TS remotely for applications & file access on the LAN. All remote machines will have 2000 or XP Pro. I will have a Sonicwall 2040 (1) WAN Port, (1) LAN 10/100 Port, (2) additional 10/100 Ports with DMZ capabilities. I am figuring that I should have the e-mail server behind the firewall with ports forwarded for the mail, the same with the terminal server having 3389 forwarded, and have the web server in the DMZ with a real IP. Any feedback is appreciated. I only want to do this once so I figured I would throw it out there for discussion. Thanks very much in advance.
    Joe K.
     
    Joe K., May 3, 2004
    #1

  2. Roland Hall Guest

    in message
    : I have a network going in from scratch with the following. T1 line with
    multiple available IP's. 1 Win2003 SBS from e-mail, file & print sharing.
    1 - Win2003 Server (member server) as a Terminal server in application mode.
    1 - Win2003 server web edition (member server) as a web/streaming media
    srever. There is going to be 22 client (All XP Pro) machines in house some
    using LAN only (training room) and the others running application from the
    TS along with e-mail & file & print daily routines. There will be 5 clients
    that log ito the TS remotely for applications & file access on the LAN. All
    remote machines will have 2000 or XP pro. I will have a Sonicwall 2040 (1)
    WAN Port, (1) LAN 10/100 Port, (2) additional 10/100 Ports with DMZ
    capabilities. I am figuring that I should have the e-mail server behind the
    firewall with ports forwarded for the mail, the same with the terminal
    server having 3389 forwarded and have the web server in the DMZ with a real
    IP. Any feedback is appreciated. I only want to do this once so I figured I
    would throw it out there for discussion. Thanks very much in advance.
    : Joe K.

    Since you're alluding to security issues, I have some questions.

    One firewall is your only protection and you're opening a port into your
    private network for mail? Also, you're only referring to perimeter
    protection. How will you defend against an overlap attack? What will you
    do to protect from attacks on the inside? How will you protect the company
    from infected rogue users probing, attacking, attempting to penetrate
    systems external to your network, knowingly or unknowingly? How will you
    allow connectivity to the Internet web server for internal users? What
    about content filtering, RTAV at the server, mail and local levels? Doesn't
    SBS 2003 come with ISA? Will that be utilized? If you have all W2K and XP
    Pro clients, why would you put overhead on your SBS Server for printer
    sharing when they support IP printing directly? How will you handle
    external DNS for your web server? Are you set with policies and procedures
    with full documented adherence so you can fully monitor your network so
    if/when those policies and procedures are breached, you can take action to
    protect your network?

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Online Support for IT Professionals -
    http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
    How-to: Windows 2000 DNS:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
     
    Roland Hall, May 3, 2004
    #2

  3. That seems like a decent plan to me. I might not want to expose the TS to
    the outside like that though, but it is not the "end of the world" either
    way. I probably would rather use VPN. The Firewall can probably act as a VPN
    Server. Once the user connects via VPN, then they would connect to the TS
    machine using the normal Private IP#. But other than that I'm not seeing any
    problems jump out at me.
     
    Phillip Windell, May 3, 2004
    #3
  4. Some good questions here.
    I prefer Public Employee Beatings out on the front lawn when weather
    permits,..but if they are too infected I'm careful they don't bleed on me
    :)

    But on the serious side,..most firewall products are pretty good about not
    allowing outbound anything that you don't specifically allow.
    Good point about ISA, depending on how or if it is used can affect the whole
    topology design, subnetting, and physical layout.
    That's where that big ol' paddle with the name written "network security
    device" on it comes into play. ;-}

    That is something overlooked a lot. In a lot of cases the management isn't
    even thinking in those ways and doesn't even want to support the IT people
    when it comes to enforcing it. It's pretty bad when even management people
    are the worst offenders and the IT guy is left on his own to figure out what
    to do about it.
     
    Phillip Windell, May 3, 2004
    #4
  5. Joe K. Guest

    Phillip,
    Thank you for your input and answering the question(s) that I asked. I wasn't sure how to handle the other post other than to study for the quiz. I'm talking about a small company on a budget, not FedEx or Wal-Mart corporate offices. I like the front lawn idea. It's getting warmer out and others can enjoy the beatings as well during lunch break, providing they aren't in their offices hacking other people's networks. Like you pointed out, mgmt says, make it work and don't spend more than X-dollars. External DNS can almost always be provided by the ISP as part of the service. An MX record here & an A record there, DNS is covered, mail & web flow.

    Thanks again.
     
    Joe K., May 3, 2004
    #5
  6. Well, the questions are legit, but a lot of it is already covered by the
    default config of most Firewalls and some are less of an issue in smaller
    systems. Some other things you can decide which way to go after the "core"
    of the system is in place without having to redesign anything.

    I always follow the "keep it simple" idea, so my stuff ends up fairly secure
    on its own just because there isn't anything there to hack, then I only have
    to worry about protecting what actually is there.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

     
    Phillip Windell, May 3, 2004
    #6
  7. Joe K. Guest

    Agreed, it was just more ridiculing than helpful. And yes, the firewall comes with 10 concurrent VPN connections, more than will ever connect from outside at once. So that is definitely the way to go for the TS. Thanks again for your input.
     
    Joe K., May 3, 2004
    #7
  8. Roland Hall Guest

    : Some good questions here.
    :
    : > do to protect from attacks on the inside? How will you protect the company
    : > from infected rogue users probing, attacking, attempting to penetrate
    : > systems external to your network, knowingly or unknowingly?
    :
    : I prefer Public Employee Beatings out on the front lawn when weather
    : permits,..but if they are too infected I'm careful they don't bleed on me
    : :)
    :
    : But on the serious side,..most firewall products are pretty good about not
    : allowing outbound anything that you don't specifically allow.
    :
    : > about content filtering, RTAV at the server, mail and local levels? Doesn't
    : > SBS 2003 come with ISA?
    :
    : Good point about ISA, depending on how or if it is used can affect the whole
    : topology design, subnetting, and physical layout.
    :
    : > external DNS for your web server? Are you set with policies and procedures
    : > with full documented adherence so you can fully monitor your network so
    : > if/when those policies and procedures are breached, you can take action to
    : > protect your network?
    :
    : That's where that big ol' paddle with the name written "network security
    : device" on it comes into play. ;-}
    :
    : That is something overlooked a lot. In a lot of cases the management isn't
    : even thinking in those ways and doesn't even want to support the IT people
    : when it comes to enforcing it. It's pretty bad when even management people
    : are the worst offenders and the IT guy is left on his own to figure out what
    : to do about it.

    Well said and don't you know the Employee Public Beatings is definitely a
    winner!

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, May 3, 2004
    #8
  9. Roland Hall Guest

    in message
    : Phillip,
    : Thank you for your input and answering the question(s) that I asked. I
    wasn't sure how to handle the other post ohter than to study for the quiz.

    Joe...

    I apologize if it sounded like a quiz to you but it is relevant for all
    networks, budget permitting. If you do not show that you made a good faith
    effort to protect others from your network being compromised, then you can
    be held liable, even if you have a single computer.

    If you do not have policies and procedures in place and your email server
    gets infected, looking into other people's mail can get you sued for
    invasion of privacy.

    None of the questions I asked involve a great expense, but rather additional
    thought and preparation to help protect your users, your network, your job
    and limiting or eliminating some liabilities.

     
    Roland Hall, May 3, 2004
    #9
  10. Roland Hall Guest

    : Well, the questions are legit, but a lot of it is already covered by the
    : default config of most Firewalls and some are less of an issue in smaller
    : systems. Some other things you can decide which way to go after the "core"
    : of the system is in place without having to redesign anything.
    :
    : I always follow the "keep it simple" idea, so my stuff ends up fairly secure
    : on its own just because there isn't anything there to hack, then I only have
    : to worry about protecting what actually is there.

    Phillip...

    Please explain to me how a firewall protects against outbound traffic
    sending infected email after a user is compromised by a mass-mailing worm or
    how a firewall protects against a fragmented overlap attack when it only
    looks at the packet header. "Most" firewalls do NOT protect against this
    type of attack and host-based IDS and/or content filtering [ISA] is/are then
    required, possibly more.

    http://ftester.sourceforge.net/ftester.html

    Even if the firewall can be configured to only allow certain services, which
    is generally the work of a content filter, outbound, unless a MD5 checksum
    is used, rogue services using known services will not be stopped. The OP
    doesn't need to understand how it can happen, only that it can and that
    educating yourself is one of your best defenses against attack.

    This article at eEye introduces added security measures of an application
    firewall, in addition to firewall and IDS.

    http://www.eeye.com/html/Research/Papers/DS20010322.html
    Relative context:
    Traditional packet-filtering firewalls are able to block packets based on
    specific packet characteristics, such as TCP flags, source IP address,
    destination IP address, or TCP and UDP ports. They are able to stop packets
    that do not meet a certain configurable criteria. Even newer state based
    firewalls still only look at packet information contained in the IP, TCP, or
    UDP headers. They tend not to look at specific data contained in those
    packets beyond the headers, and tend not to discern anything related to a
    specific protocol. The other disadvantage of firewalls is that if they are
    used to protect public services, by the very nature of the services being
    public, they must be allowed access by the Internet at large.

    After all, the OP said, "I am figuring that I should have the e-mail server
    behind the firewall with ports forwarded for the mail, the same with the
    terminal server having 3389 forwarded..."

    This may not be deemed necessary when a limited budget is in effect but I
    always ask my customers one question when determining how much should be
    spent on security.

    How long can you be down?

    Security issues regarding a single point of presence are not based on the
    size of the local network. Cost is a variable for size but the security
    implications are the same.

    While a VPN is a good idea, it is not a full solution. MSFT found this out
    when a remote developer was compromised and opened up a VPN connection to
    source code within their network and thus providing a gateway for the
    attacker. The security worked as it should but the security model was
    broken because the remote user was not protected.

    Perhaps it is time for a little studying rather than relying on a false
    sense of security due to budget restraints?!

     
    Roland Hall, May 4, 2004
    #10
  11. Roland Hall Guest

    in message
    : Agreed, it was just more ridiculing than helpful. And yes, the firwall
    comes with 10 concurrent VPN connections, more than will ever connect from
    outside at once. So that is deinitely the way to go for the TS. Thanks
    again for your input.

    Joe...

    My post was not meant to ridicule you and I apologize if that is the way it
    came off. However, you can poke fun and make comments all you want against
    me and my post but that will not provide any benefit to your network nor
    will it plug the holes in your security model.

    If you just wanted someone to blow smoke, you should have made that clear in
    the beginning. A 15 year old kid with a hard drive full of hacking
    utilities or an internet worm that erases track 0 sector 0 of your disk
    drive doesn't care how big your company is, how big your budget is or how
    unimportant your data is to anyone else, although it should be, in the very
    least, important to you.

    And, bringing up unknowns later in the discussion to make a point minimizes
    its effectiveness and makes it appear as if you're searching for answers.
    "Like you pointed out, mgmt says, make it work and don't spend more than
    X-dollars" A budget, while always a variable, was not introduced in your OP
    and has very little to do with the questions I posed.

    And this, "I wasn't sure how to handle the other post ohter than to study
    for the quiz.", makes this, "Any feedback is appreciated", a false
    statement.

    Good luck!

     
    Roland Hall, May 4, 2004
    #11
  12. I didn't say it protected against "every possible threat out there", I said:
    "....but a lot of it is already covered by the default...",
    ......a "lot" means a "lot", it doesn't mean all.

    Your example is covered by having a good AV protection system. No one is
    telling him to run without AV protection.
     
    Phillip Windell, May 4, 2004
    #12
  13. Joe K. Guest

    Roland - Sorry, my bad - any HELPFUL feedback is appreciated, such as what Phillip did. What in God's name was I supposed to do with your security manual essay? I'm not poking fun at you or your post. I got nothing from that but a keyboard/tongue lashing and a bunch of complex (to me) questions that I am supposed to know the answers to? Why do you think I am here asking advice? Obviously my knowledge in this area is limited. I'm not here to match wits with anyone, just seek answers that help me learn and hopefully give some answers that help others. I spend most of my days dealing with less knowledgeable people than myself (hard to believe huh) with their computer questions/problems. On most occasions they commend me on my ability to help them without making them feel stupid by taking time & explaining what happened and how to correct it. I firmly believe - it's not what you say, it's how you say it. Don't take it so personal man, I merely made a comment to someone that was helping me understand something. You end up lashing out at him too, and he was defending you. This is not a contest. I hope to someday possess the extensive knowledge that you appear to possess, but for now I have to rely on my current abilities and help from others.

    --"And, bringing up unknowns later in the discussion to make a point minimize
    its effectiveness and makes it appear as if you're searching for answers.

    I am searching for answers.......that was the whole point in the beginning

     
    Joe K., May 5, 2004
    #13
  14. Roland Hall Guest

    in message
    : Roland - Sorry, my bad - any HELPFUL feedback is appreciated, such as what
    Phillip did. What in God's name was i supposed to do with your security
    manual essay. I'm not poking fun at you or your post. I got nothing from
    that but a keyboard/tongue lashing and a bunch of complex (to me) questions
    that I am supposed to know the answers to??????. Why do you think I am here
    asking advice? Obviously my knowledge is this area is limited. I'm not
    here to match wits with anyone, just seek answers that help me learn and
    hopefully give some answers that help to others. I spend most of my days
    dealing with lesser knowledgeable people than myself (hard to believe huh)
    with their computer questions/problems. On most occaisions they commend me
    on my ability to help them without making them feel stupid by taking time &
    explaining what happened and how to correct it. I frimly believe - it's not
    what you say, it's how you say it. Don't take it so personal man, I merely
    made a comment to someone that was helping me understand something. You end
    up lashing out at him too, and he was defending you. This is not a contest.
    I hope to someday posess the extensive knowledge that you appear to posess,
    but for now I have to rely on my current abilities and help from others.
    :
    : --"And, bringing up unknowns later in the discussion to make a point minimizes
    : its effectiveness and makes it appear as if you're searching for answers."
    :
    : I am searching for answers.......that was the whole point in the beginning.

    Joe...

    Thanks for your response. My original questions were posed because IMHO, I
    think they are relevant. I understand and appreciate the decision maker is
    generally not the person performing the work and this can and will limit
    numerous possibilities to add layers of protection to the network, not to
    mention budgeting.

    I'm really not here to compete with anyone nor am I trying to talk down to
    you. It was my intention to point out many areas where I see holes in the
    security model. I cannot obtain your level of knowledge of network security
    in a single post nor would I attempt to. I have no way of knowing why
    certain areas, again IMHO, seem to be missing from the plan.

    Again, I apologize for making you feel uncomfortable when my goal was to
    bring attention to certain areas for the possibility of discussion to help
    you devise a more secure model. Apparently my assumption was incorrect and
    your post should have been taken at face value to just answer a simple
    question without applying your setup to the network infrastructure as a
    whole.

    As for Phillip, he is quite helpful. I've read many of his posts. However,
    when I read something that contradicts the way I understand something to
    work, I want to find out if the problem is my understanding or his. We both
    cannot be right and I prefer having the correct answer so if I am wrong,
    then I would like it explained so I will hopefully not make the same mistake
    in the future.

    Regards,

     
    Roland Hall, May 5, 2004
    #14
  15. Roland Hall Guest

    : > Please explain to me how a firewall protects against outbound traffic
    : > sending infected email after a user is compromised by a mass-mailing worm or
    : > how a firewall protects against a fragmented overlap attack when it only
    :
    : I didn't say it protected against "every possible threat out there", I said:
    : "....but a lot of it is already covered by the default...",
    : .....a "lot" means a "lot", it doesn't mean all.
    :
    : Your example is covered by having a good AV protection system. No one is
    : telling him to run without AV protection.

    I'm sorry Phillip. Perhaps my long-winded response was confusing. Yes, I
    agree RTAV can help to a degree, but only where a known mass-emailing worm
    is concerned. I was more interested in what you appeared to be saying about
    "most" firewalls protecting outbound traffic. Would you please expand on
    that particular area and possibly list some firewalls you are aware of that
    offer this level of protection, either by default or customization. Also,
    would you know if they can differentiate between known applications and
    impersonated applications where it is my understanding an MD5 checksum could
    be utilized?

    Thanks.

     
    Roland Hall, May 5, 2004
    #15
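Roland's point in #10 and his question in #15 is that a filter which recognises an application only by its name cannot tell a rogue program from the real one, whereas a checksum allow list can. The following is an added illustration written for this thread, not code from any firewall or ISA product; it builds the allow list from constructed files in a temporary directory. MD5 is used because that is what the thread discusses, but the algorithm is a parameter so the same check can be run with SHA-256, which is what a current allow list would use.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hex digest of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_paths: Iterable[str], algorithm: str = "md5") -> Dict[str, str]:
    """Map each trusted executable's file name to the digest of its contents."""
    return {os.path.basename(p): file_digest(p, algorithm) for p in trusted_paths}


def classify(path: str, allowlist: Dict[str, str], algorithm: str = "md5") -> str:
    """Decide whether a program asking for network access is the one we approved.

    A name-only check would pass both the trusted and the impersonating binary;
    comparing the digest separates them.
    """
    name = os.path.basename(path)
    if name not in allowlist:
        return "unknown"
    if file_digest(path, algorithm) == allowlist[name]:
        return "trusted"
    return "impersonated"  # same file name as a trusted program, different contents


def demo_allowlist(algorithm: str = "md5") -> Tuple[str, str, str]:
    """Constructed scenario: a real mail client, a rogue copy using its name, and an unknown file."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "trusted", "mailer.exe")
        rogue = os.path.join(d, "rogue", "mailer.exe")     # impersonates the trusted name
        other = os.path.join(d, "rogue", "dropper.exe")    # never approved at all
        for p, content in ((trusted, b"legitimate mail client build"),
                           (rogue, b"mass-mailing worm body"),
                           (other, b"unrelated binary")):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(content)
        allowlist = build_allowlist([trusted], algorithm)
        return (classify(trusted, allowlist, algorithm),
                classify(rogue, allowlist, algorithm),
                classify(other, allowlist, algorithm))


if __name__ == "__main__":
    print(demo_allowlist())  # ('trusted', 'impersonated', 'unknown')
```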
  16. Sure, but there really isn't that much to it.

    Our Watchguard box for example running default right out of the box will
    allow nothing outbound or inbound at all. You have to specifically allow
    what you want the users to be able to use (http, smtp, ftp, etc). If you
    don't go out of your way to do that then it won't happen. Our ISA Server
    works the same way. To my knowledge both products examine the packets
    "statefully" to compensate for random source ports and to verify that an
    incoming packet is actually part of a session that was initiated from the
    inside.

    Even the older Proxy2 follows the same pattern although its level of
    "statefulness" in examining packets may be less, but since most attacks
    don't use that method I don't consider that a severe problem. Most attacks
    nowadays are buffer overflows of some type that attack the listening
    Application directly and a firewall will never stop that if the Application
    is actually supposed to be listening to the outside. Applications themselves
    need to be securely configured (or patched) so that they stand securely on
    their own.

    Now an infected user with a mail worm,..yes, if they have SMTP abilities
    the worm could spread, but that is why on the 8th day God created Anti-virus
    products ;-). Just as there are "blended threats" there is also "blended
    protection" and I don't believe anyone should place all their eggs in one
    basket of protection. People have a habit of thinking that a firewall is
    some magical super-device that can protect them from anything from a hacker
    to a virus to a runny nose.
     
    Phillip Windell, May 5, 2004
    #16
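Phillip's description in #16 of how a default-deny stateful firewall behaves, as an added model written for this thread (not Watchguard, ISA or Sonicwall code): outbound sessions open only to services on an explicit allow list, a state table admits replies even though the client picked a random source port, and inbound sessions are accepted only through a port-forward rule such as Joe's SMTP forward to the mail server. The last packet in the constructed trace shows the limit Roland raises in #10: once SMTP is allowed outbound, the filter passes a worm's mail exactly like a user's. Addresses and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a TCP session


# A tracked session, recorded in the direction it was opened.
FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Default-deny both ways, explicit outbound allow list, connection tracking."""

    def __init__(self, lan_prefix: str, wan_ip: str,
                 allowed_outbound: Set[int], forwards: Dict[int, str]):
        self.lan_prefix = lan_prefix                # e.g. "192.168.1."
        self.wan_ip = wan_ip                        # firewall's public address
        self.allowed_outbound = allowed_outbound    # destination ports LAN hosts may open
        self.forwards = forwards                    # public port -> internal host
        self.sessions: Set[FlowKey] = set()         # state table

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def handle(self, p: Packet) -> str:
        forward_key: FlowKey = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse_key: FlowKey = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

        # 1. Anything belonging to a tracked session passes, in either direction.
        #    This is what lets the reply to a random source port back in.
        if forward_key in self.sessions or reverse_key in self.sessions:
            return "allow: established"

        # 2. New outbound session: only if the service was explicitly allowed.
        if self._is_lan(p.src_ip) and not self._is_lan(p.dst_ip):
            if p.syn and p.dst_port in self.allowed_outbound:
                self.sessions.add(forward_key)
                return "allow: new outbound"
            return "drop: outbound service not allowed"

        # 3. New inbound session: only via a port-forward rule on the WAN address.
        if not self._is_lan(p.src_ip) and p.dst_ip == self.wan_ip:
            target = self.forwards.get(p.dst_port)
            if p.syn and target is not None:
                # Track the translated flow so the internal host's replies pass out.
                self.sessions.add((p.src_ip, p.src_port, target, p.dst_port))
                return f"forward: {self.wan_ip}:{p.dst_port} -> {target}"
        return "drop: unsolicited inbound"


def demo_filter() -> List[str]:
    """Constructed trace against a filter shaped like Joe's plan (mail forwarded, TS not)."""
    fw = StatefulFilter("192.168.1.", "203.0.113.10",
                        allowed_outbound={80, 443, 25},
                        forwards={25: "192.168.1.2"})  # SMTP forwarded to the SBS box
    trace = [
        Packet("192.168.1.10", 50123, "198.51.100.5", 80, syn=True),   # user opens HTTP
        Packet("198.51.100.5", 80, "192.168.1.10", 50123),             # web server's reply
        Packet("198.51.100.7", 4444, "192.168.1.10", 50123, syn=True), # unsolicited probe
        Packet("198.51.100.7", 4444, "203.0.113.10", 3389, syn=True),  # RDP, no forward rule
        Packet("198.51.100.9", 40000, "203.0.113.10", 25, syn=True),   # inbound mail
        Packet("192.168.1.2", 25, "198.51.100.9", 40000),              # mail server replies
        Packet("192.168.1.10", 50124, "198.51.100.5", 6667, syn=True), # IRC, not allowed
        Packet("192.168.1.20", 51000, "198.51.100.9", 25, syn=True),   # infected host's worm mail
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for line in demo_filter():
        print(line)
```

The worm's SMTP session in the final line is indistinguishable from legitimate mail at this layer, which is why the thread ends up at anti-virus and content inspection as the complementary controls.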