17th October 2008, 00:22, post #1
Best Corporate Firewall?

Quote:
Originally Posted by Samurai:
They finally allocated a new range of IPs with a 28-bit mask, now I have 13 IPs available. Soon I will be moving all external servers to the new network.
Samurai, do you really want to do this? Put your external servers directly with a public address on the public segment? It's not a safe approach.

The best way of doing it is normally putting the servers in a DMZ zone. It depends on what you use; are you using a firewall? If you are, then you will be able to break up your zones based on your needs. The public zone shouldn't host anything; you should mainly use a DMZ zone with private addressing, and you can then use NAT for the servers. As for your internal corporate environment, it would get listed as your internal network and you can use private addressing with PAT for Internet access via your leased line. You would also need to set the trust relationships appropriately on your firewall.

Servers with a direct IP address on the public segment are always a strict no-no. There has to be a firewall separating them from the Internet, even if they are meant for public access. If you still want to have the public IPs on the servers, you can always ask the ISP for a /30 link segment and move the /28 or /29 subnet behind a firewall or a router; it's just a matter of them putting a route on their router.
autoenthusiast is offline  
17th October 2008, 00:36, post #2

Well, the external servers are firewalls (ISA Server), a few web servers with Windows Firewall enabled, and Vonage IP phones that need public IPs.

The configuration you suggest is a little over my head, considering my networking knowledge is pretty rudimentary. And I don't have a network engineer with me.

Quote:
Originally Posted by autoenthusiast:
If you still want to have the public IPs on the servers, you can always ask the ISP for a /30 link segment and move the /28 or /29 subnet behind a firewall or a router; it's just a matter of them putting a route on their router.
I am a little curious about this statement. I am behind a router provided by Reliance.

Last edited by Samurai : 17th October 2008 at 00:41.
Samurai is offline  
17th October 2008, 00:43, post #3

Quote:
Originally Posted by Samurai:
The gateway takes away one.

Huh! I am using the range I was given, why should I care about the next range?

There are multiple SLA levels for 1:1, this is what I got for the price I am paying, good enough for me considering I am switching from ADSL.

Because in some post you were asked to try a different mask.

Why did you go for 1:1 then? 1:4 should have worked fine and saved a lot, right?

Quote:
Originally Posted by Samurai:
Well, the external servers are firewalls (ISA Server), a few web servers with Windows Firewall enabled, and Vonage IP phones that need public IPs.

The configuration you suggest is a little over my head, considering my networking knowledge is pretty rudimentary. And I don't have a network engineer with me.
Would love to see a better firewall product than ISA on your perimeter.

As auto said, PAT or NAT your servers after you put them in a DMZ.
jkdas is offline  
17th October 2008, 06:38, post #4

This is serious network stuff, and serious network stuff needs a serious firewall --- not software firewalls on the various machines on the network.

Your leased-line router should be connected to a dedicated firewall, and the rest of your network(s) connected to that only. I used to use Checkpoint, running on a Sun machine, and then on a dedicated Nokia machine. Expensive, but there are alternatives all the way down to free software running on a low-spec Linux machine. My market knowledge is five years out of date now.
Thad E Ginathom is offline  
17th October 2008, 07:20, post #5

Quote:
Originally Posted by jkdas:
Would love to see a better firewall product than ISA on your perimeter.
Isn't ISA Server 2006 serious enough? This time I will be putting it on a VM with Win2003R2.

Quote:
Originally Posted by jkdas:
Because in some post you were asked to try a different mask.
That was just a hack, didn't work though, so I waited until they gave me a new range with a 28-bit mask.

Quote:
Originally Posted by jkdas:
Why did you go for 1:1 then? 1:4 should have worked fine and saved a lot, right?
Not really, 1:4 would not guarantee me the speed I need, while anything above 99% uptime is good enough for me.

I don't fully understand the advantage of a DMZ over my current setup. There, I said it.
Samurai is offline  
17th October 2008, 10:19, post #6

Quote:
Originally Posted by mmmjgm:
Hi Samurai,

My 2 cents of haggling and harrowing ISP experience (leased lines) at our offices. Tata, or Direct Internet as it is now branded, is good.
I agree, the best ISP today is TATA (they took over VSNL and it's now under the TATA umbrella).
autoenthusiast is offline  
17th October 2008, 10:35, post #7

Quote:
Originally Posted by Samurai:
Isn't ISA Server 2006 serious enough? This time I will be putting it on a VM with Win2003R2.

I don't fully understand the advantage of a DMZ over my current setup. There, I said it.
My friend, don't even think of using that as a firewall if you are really concerned about security.
My suggestion is to use a proper hardware firewall; a Cisco PIX is one of the best (though a costlier option).
Having Internet-facing servers doesn't mean the servers need to be exposed on a public segment with a public IP address; you are throwing them open to all kinds of malicious attacks on the Net.
A hardware firewall would have a minimum of 2 interfaces (1 public / 1 private); if you want to have web servers on the Internet you also need a 3rd interface (best practice), and this 3rd interface would be used for your DMZ.
The way it would normally get connected is as below.
1. The outside firewall interface would get connected either directly to the router or via a dedicated small switch; having a switch is good for debugging purposes.
2. The inside firewall interface would get connected to your internal LAN.
3. The DMZ interface would get connected to a separate switch that's dedicated for the servers.
Next, you have the option to either use the subnet between the router/firewall and then use NAT for the subnet and map to the servers, and use PAT for Internet access for your internal segment. You can also put a /30 (2-IP subnet) between the router and the firewall and move the /28 subnet to the DMZ (you'd only need a route on the router for that subnet, pointing it to the firewall). Personally I'd go with the NAT option for the servers; it gives better security and more control.
Always remember, connecting to the Internet needs a proper design and someone who is experienced with deploying secure networks and has good networking experience. If not, you are prone to the weirdest of Internet attacks on your internal network.
autoenthusiast is offline  
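The three-zone design laid out in this post and in post #1 (outside / DMZ / inside interfaces, static NAT for the servers, PAT for the internal segment, and a /30 link with the /28 routed to the firewall) is modelled end to end in the following added example. It is not code or configuration from this thread or from any of the posters; the addresses, zone names, the single web server and its permitted ports are constructed assumptions, and the policy follows the PIX convention that traffic may flow from a higher security level to a lower one by default, but from lower to higher only where a rule explicitly permits it.

```python
# Added example (not from the thread): a model of the outside/DMZ/inside design.
import ipaddress
from dataclasses import dataclass

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Constructed addressing (assumption, not the thread's real allocation): RFC 5737
# documentation ranges on the public side, RFC 1918 space behind the firewall.
LINK_NET   = NET("203.0.113.0/30")    # ISP router (.1) <-> firewall outside interface (.2)
PUBLIC_NET = NET("203.0.113.16/28")   # the customer's /28; the ISP routes it to the firewall
DMZ_NET    = NET("192.168.100.0/24")  # public-facing servers, private addressing
INSIDE_NET = NET("10.0.0.0/24")       # corporate LAN
ISP_UPSTREAM     = IP("198.51.100.1")
FIREWALL_OUTSIDE = IP("203.0.113.2")

# PIX-style security levels: higher -> lower flows by default, lower -> higher only with a permit.
ZONES = {"outside": 0, "dmz": 50, "inside": 100}

# One-to-one static NAT: public address -> real DMZ server.
STATIC_NAT = {IP("203.0.113.20"): IP("192.168.100.20")}
# Every inside host shares this one public address for Internet access (PAT).
PAT_ADDRESS = IP("203.0.113.17")

# Explicit permits for lower -> higher traffic, keyed on the REAL (post-untranslation)
# destination. Only web ports to the DMZ server from outside; nothing from the DMZ into inside.
PERMIT_LOWER_TO_HIGHER = {
    ("outside", IP("192.168.100.20"), "tcp", 80),
    ("outside", IP("192.168.100.20"), "tcp", 443),
}

# The ISP router's view: the /28 is not on-link, it is a route pointing at the firewall.
ISP_ROUTES = [(PUBLIC_NET, FIREWALL_OUTSIDE), (NET("0.0.0.0/0"), ISP_UPSTREAM)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass(frozen=True)
class Verdict:
    action: str       # "permit" or "deny"
    reason: str
    src_on_wire: str  # source address after translation (unchanged if denied)
    dst_on_wire: str  # destination address after translation (unchanged if denied)


def isp_next_hop(dst: str):
    """Longest-prefix match on the ISP router: where a packet for `dst` is forwarded."""
    ip = IP(dst)
    if ip in LINK_NET:                      # directly connected /30
        return ip
    matches = [p for p, _ in ISP_ROUTES if ip in p]
    return dict(ISP_ROUTES)[max(matches, key=lambda p: p.prefixlen)]


def zone_of(ip) -> str:
    if ip in INSIDE_NET:
        return "inside"
    if ip in DMZ_NET:
        return "dmz"
    return "outside"


def decide(pkt: Packet) -> Verdict:
    src, dst = IP(pkt.src), IP(pkt.dst)
    src_zone = zone_of(src)

    # 1. Inbound to one of our public addresses is deliverable only through a static mapping.
    if dst in PUBLIC_NET or dst in LINK_NET:
        if dst not in STATIC_NAT:
            return Verdict("deny", "no static translation for public address", pkt.src, pkt.dst)
        real_dst = STATIC_NAT[dst]
    else:
        real_dst = dst
    dst_zone = zone_of(real_dst)
    if src_zone == dst_zone:
        return Verdict("deny", "same zone, never crosses the firewall", pkt.src, pkt.dst)

    # 2. Zone policy: security levels first, then the explicit permit list.
    if ZONES[src_zone] > ZONES[dst_zone]:
        reason = f"{src_zone}->{dst_zone}: higher to lower security, allowed by default"
    elif (src_zone, real_dst, pkt.proto, pkt.dport) in PERMIT_LOWER_TO_HIGHER:
        reason = f"{src_zone}->{dst_zone}: explicitly permitted"
    else:
        return Verdict("deny", f"{src_zone}->{dst_zone}: lower to higher security, no permit",
                       pkt.src, pkt.dst)

    # 3. Outbound translation: a server with a static keeps its public address, all else shares PAT.
    src_on_wire = src
    if dst_zone == "outside":
        public_for = {real: pub for pub, real in STATIC_NAT.items()}
        src_on_wire = public_for.get(src, PAT_ADDRESS)
    return Verdict("permit", reason, str(src_on_wire), str(real_dst))
```

The case worth running first is a packet from the DMZ web server to an inside host: even though that server carries a public mapping, a compromise of it reaches nothing on the inside interface until somebody adds a permit for it. That containment is what the DMZ buys over the same box sitting on the public segment with only a host firewall, and the `isp_next_hop` function shows why the /28 can live behind the firewall at all: the ISP router simply has a route for it pointing at the firewall's /30 address.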
17th October 2008, 10:43, post #8

Quote:
Originally Posted by Samurai:
That was just a hack, didn't work though, so I waited until they gave me a new range with a 28-bit mask.
Please don't try it. Even if by fluke it did work, you'd get into an issue later if the ISP routed the traffic correctly; your traffic would end up going to the wrong IP address. Usually there would definitely be a route and it shouldn't work; also, if the ISP is good enough, they'd have an access list on their router. Thirdly, the router interface would have the IP on your segment with the correct subnet mask, and it would downright discard packets with wrong source IPs coming to it ;-)
autoenthusiast is offline  
17th October 2008, 11:39, post #9

Ok, I think it is time I learnt a little more about this firewall/DMZ thingie. After some googling and stuff, I have enquired with my hardware vendor for quotes for a Cisco PIX 515e router.

I suppose this one allows both Microsoft and other popular VPN clients.
Samurai is offline  
17th October 2008, 11:52, post #10

Quote:
Originally Posted by Samurai:
Ok, I think it is time I learnt a little more about this firewall/DMZ thingie. After some googling and stuff, I have enquired with my hardware vendor for quotes for a Cisco PIX 515e router.

I suppose this one allows both Microsoft and other popular VPN clients.
You are speaking my language now.

I have always been a Cisco kinda guy. Yes, they make the best firewalls out there. You'd need to look at 3 interfaces (1 private / 1 public / 1 DMZ).
I hope you have a good network guy to configure it all for you; any setup is only as secure as the skill of the one designing and configuring it.
autoenthusiast is offline  
17th October 2008, 12:26, post #11

Quote:
Originally Posted by autoenthusiast:
I hope you have a good network guy to configure it all for you; any setup is only as secure as the skill of the one designing and configuring it.
Well, you are talking to my network guy, me.

I have been configuring firewall/Exchange/IIS since the Microsoft Proxy Server 2.0, Exchange 5.5 and IIS 1.0 days. Now on ISA 2006, Exchange 2007 and IIS 7. I also dabble with Avaya S8300 site administration, but I am not the primary person.

Now I am planning to explore the Cisco PIX world.
Samurai is offline  
17th October 2008, 12:46, post #12

Hmmmm, well in that case the best read is the Cisco CCSP PIX curriculum. The PIX is the best firewall out there in my opinion.
autoenthusiast is offline  
17th October 2008, 13:19, post #13

I no longer remember enough to follow every word of autoenthusiast's descriptions, but I do recall enough to be able to say that, in my view as a one-time systems manager, his approach is the correct one. I really recommend that you follow his method.

I did not put our public facing mail server on a DMZ, but relied on NAT and firewall rules to protect it. However, the internet is a much more dangerous place now than it was just a few years ago, and I have not worked since early 2003.
Thad E Ginathom is offline  
17th October 2008, 13:46, post #14

Oh, one other thing: I do know that the latest Cisco PIX IOS also supports VLAN trunking on the interface; that way you can use one interface for the different functions (DMZ/outside).
It's been a couple of years since I actually sat down with technical configurations, but you can explore that option if you want to reduce cost on the PIX interfaces, though in my opinion nothing beats physical separation with different interfaces (since that way a VLAN misconfiguration by a sysadmin won't throw your network open to hackers).

Feel free to PM me if you have any queries.
autoenthusiast is offline  
20th October 2008, 17:13, post #15

Whoa, we are getting into territories without understanding the repercussions first. Agreed that CISCO sells the most, not because they are the best, but because there are the most guys working on CISCO products (read: certified) and they have a highly successful marketing team. Or else, I would love to see Juniper and FortiGate come into the picture and maul the CISCO PIX or ASA 5xx out. Yes, if you want a rather buggy and somewhat not highly scalable hardware firewall, go for CISCO (they are best known for switches and routers, not firewalls). Or else, you should be looking at Juniper (the best hardware firewall) or FortiGate (getting there). However, getting a guy for FortiGate in India would be tough, so my vote goes to Juniper. You should also look to get a unified threat management (UTM) device if you want to become a security freak (many of us are, these days).

However, the bottom line is that any firewall or UTM device is only as good as its configurator. There are lots of CISCO and MS certified folks out there who don't know what they do and pass certification exams through proxies and question dumps (autoenthusiast, please don't misunderstand this as a personal attack, you know the situation out there). But if you have a good firewall admin, then even ISA can do your job. Plug in as many NICs as needed, throw in good hardware and configure it accordingly. Like many orgs do, they configure ISA behind a so-called hardware firewall, where it is the second filtering device before the packet finally hits your internal network router. My everyday job is to get into the configuration of Exchange, ISA and other MS products, and I know of very big banks and multinationals successfully using ISA products with plugins. Besides all this, you can call up MS anytime and they will help you for $245 per incident (as per US rates; I don't know their rates in India). I don't know about CISCO TAC rates.
given2fly is offline  