Jim,
What I am trying to figure out is what exactly is the safest configuration.
What seems to be the last remaining question is whether I want to route all
internet traffic through my single server or whether I should not.

Config 1  Firewall --->NT Server --> Hub
Config 2 Firewall --->Hub -->NT Server

What do folks out there think?

-----Original Message-----
From: Jim McAteeon


>I think the most secure arrangement is to:
>
> 1.  Replace router with hardware Firewall Solution (adding VPN at same
> time ::-))

You might not necessarily be able to replace your router.  Depends a bit
on the actual connection.  For instance if you currently had a T1 and a
Cisco router with a T1 CSU/DSU module then you'll still need the router to
make the T1 connection.  Similarly, with DSL, you need a router capable of
making the DSL connection.  That said, there _are_ combo boxes that can
terminate the connection, and act as router, firewall and VPN endpoint.

> 2.  Go from Firewall solution to NTServer running Firewall software

If your server is truly "behind" the firewall on an internal network, you
can dispense with running firewall software on the server itself.  There
probably aren't many shops running firewall software on things like file
and print servers on their LAN.

Only if the server is Internet-facing might you need to worry about this.
But while defense in depth is a good philosophy, it can sometimes be a
PITA to manage.  For instance if you add a new service on some odd IP port
then you need to open a hole through both your outer firewall and any
software firewall on the server itself.  Personally, if I thought I had a
reliable hardware firewall between my Internet-facing servers _and_ I
trusted my ability to administer the firewall then I wouldn't run a
software firewall on any of those servers.

> 3.  Go from NTServer to rest of internal network.

I'm not sure why you'd need to do this unless you need to use the server
as a router.

You probably should explain the nature of your connection and network a
little better.  Is it purely a web hosting network?  Or a company LAN -
with or without Internet-facing servers such as web and email servers?



