No, I wouldn't route through the Windows server.

The only times I'd consider using Windows as a router would be on a 
network where for some reason it's your only routing option, or if you 
wanted to run Microsoft's ISA Server as your firewall.  I've never used 
it, but ISA can do some things that most firewalls cannot by integrating 
security with your NT domain.  But this would be in the context of an 
office network with users behind the firewall, not a web hosting network.

http://www.microsoft.com/ISAServer/

You still haven't mentioned the nature of the network - perhaps it's just 
a theoretical question, but if the NT server is a web or email server and 
the network also has users and/or private servers, then you'll want to 
isolate the NT server in a DMZ.

                                 --> DMZ: Web & email servers
                               /
Internet --> router/firewall --
                               \
                                --> PRIVATE: LAN users and servers

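To make the DMZ split in the diagram concrete, here is an added example (not from the original post or from the list): a small Python model of a zone-based packet filter with the three legs shown above, a software firewall on the web server itself, and an audit of the flows the design is meant to allow and to block. The subnets, host addresses, ports and rule sets are constructed assumptions, not configuration from this thread. It also models the point made further down about a new service on an odd port needing a hole opened in both the outer firewall and the host firewall.

```python
"""Zone-based packet-filter model of the three-legged topology
(Internet / DMZ / PRIVATE) plus a host firewall on the web server.
Constructed example: subnets, hosts, ports and rules are assumptions,
not configuration taken from the original thread."""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed address plan: the two inside legs on RFC 1918 space; any
# address that matches neither is treated as the Internet.
ZONES = {
    "DMZ": ipaddress.ip_network("192.168.10.0/24"),
    "PRIVATE": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall leg it sits on."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src: str                              # zone name, or "ANY"
    dst: str                              # zone name, or "ANY"
    proto: str = "ANY"                    # "tcp", "udp" or "ANY"
    ports: FrozenSet[int] = frozenset()   # empty = any destination port
    action: str = "ALLOW"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src in ("ANY", src_zone)
                and self.dst in ("ANY", dst_zone)
                and self.proto in ("ANY", proto)
                and (not self.ports or dport in self.ports))


@dataclass
class Firewall:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
        """First-match evaluation; anything no rule permits is dropped."""
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, proto, dport):
                return rule.action
        return "DENY"


# The router/firewall in the diagram.  There is deliberately no DMZ -> PRIVATE
# rule: a compromised web or mail server gets no path onto the LAN.
OUTER = Firewall("outer", [
    Rule("INTERNET", "DMZ", "tcp", frozenset({25, 80, 443})),        # public services
    Rule("PRIVATE", "DMZ", "tcp", frozenset({25, 80, 443, 3389})),   # LAN users and admins
    Rule("PRIVATE", "INTERNET"),                                     # LAN out to the world
    Rule("DMZ", "INTERNET", "tcp", frozenset({25})),                 # mail server relaying out
])

# Software firewall on the web server itself (the "defense in depth" layer).
WEB_HOST = Firewall("web-host", [
    Rule("ANY", "DMZ", "tcp", frozenset({80, 443})),
])

WEB_SERVER, MAIL_SERVER = "192.168.10.80", "192.168.10.25"   # constructed DMZ hosts
LAN_PC, OUTSIDE = "10.1.1.25", "203.0.113.7"                 # constructed endpoints


def reachable(path: List[Firewall], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """A flow gets through only if every filter along its path allows it."""
    return all(fw.decide(src_ip, dst_ip, proto, dport) == "ALLOW" for fw in path)


def audit() -> dict:
    """Check the flows the topology is meant to permit and to block."""
    return {
        "internet->web:443":  reachable([OUTER, WEB_HOST], OUTSIDE, WEB_SERVER, "tcp", 443),
        "internet->web:8080": reachable([OUTER, WEB_HOST], OUTSIDE, WEB_SERVER, "tcp", 8080),
        "internet->mail:25":  reachable([OUTER], OUTSIDE, MAIL_SERVER, "tcp", 25),
        "internet->lan:445":  reachable([OUTER], OUTSIDE, LAN_PC, "tcp", 445),
        "dmz->lan:445":       reachable([OUTER], WEB_SERVER, LAN_PC, "tcp", 445),
        "lan->web:3389":      reachable([OUTER, WEB_HOST], LAN_PC, WEB_SERVER, "tcp", 3389),
    }


def open_service(port: int) -> dict:
    """A new service on an odd port needs a hole in BOTH the outer firewall
    and the host firewall before the Internet can reach it."""
    outer = Firewall("outer+", OUTER.rules + [Rule("INTERNET", "DMZ", "tcp", frozenset({port}))])
    host = Firewall("web-host+", WEB_HOST.rules + [Rule("ANY", "DMZ", "tcp", frozenset({port}))])
    return {
        "outer_only": reachable([outer, WEB_HOST], OUTSIDE, WEB_SERVER, "tcp", port),
        "both": reachable([outer, host], OUTSIDE, WEB_SERVER, "tcp", port),
    }


if __name__ == "__main__":
    for flow, ok in audit().items():
        print(f"{flow:20} {'ALLOW' if ok else 'DENY'}")
    print("new service on 8080:", open_service(8080))
```

The audit shows what the DMZ buys you: the Internet reaches only the published ports on the DMZ hosts, nothing on the LAN, and a DMZ host that gets compromised still cannot open a connection into the private leg. The `open_service` check reproduces the management cost of running a host firewall as well: opening the outer firewall alone is not enough, and the same port has to be opened on the server before traffic flows.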

----- Original Message ----- 
From: "Andy Ousterhout" <[EMAIL PROTECTED]>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Wednesday, February 09, 2005 4:19 PM
Subject: RE: Firewall question


> Jim,
> What I am trying to figure out is what exactly is the safest configuration.
> What seems to be the last remaining question is whether I want to route all
> internet traffic through my single server or whether I should not.
>
> Config 1  Firewall ---> NT Server ---> Hub
> Config 2  Firewall ---> Hub ---> NT Server
>
> What do folks out there think?
>
> -----Original Message-----
> From: Jim McAteeon
>
>
>>I think the most secure arrangement is to:
>>
>> 1.  Replace router with hardware Firewall Solution (adding VPN at same
>> time
>> ::-))
>
> You might not necessarily be able to replace your router.  Depends a bit
> on the actual connection.  For instance if you currently had a T1 and a
> Cisco router with a T1 CSU/DSU module then you'll still need the router to
> make the T1 connection.  Similarly, with DSL, you need a router capable of
> making the DSL connection.  That said, there _are_ combo boxes that can
> terminate the connection, and act as router, firewall and VPN endpoint.
>
>> 2.  Go from Firewall solution to NTServer running Firewall software
>
> If your server is truly "behind" the firewall on an internal network, you
> can dispense with running firewall software on the server itself.  There
> probably aren't many shops running firewall software on things like file
> and print servers on their LAN.
>
> Only if the server is Internet-facing might you need to worry about this.
> But while defense in depth is a good philosophy, it can sometimes be a
> PITA to manage.  For instance if you add a new service on some odd IP port
> then you need to open a hole through both your outer firewall and any
> software firewall on the server itself.  Personally, if I thought I had a
> reliable hardware firewall between my Internet-facing servers _and_ I
> trusted my ability to administer the firewall then I wouldn't run a
> software firewall on any of those servers.
>
>> 3.  Go from NTServer to rest of internal network.
>
> I'm not sure why you'd need to do this unless you need to use the server
> as a router.
>
> You probably should explain the nature of your connection and network a
> little better.  Is it purely a web hosting network?  Or a company LAN -
> with or without Internet-facing servers such as web and email servers?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:193997
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4