Where to put my multiple servers?????

 
 
Joe K.
      05-02-2004, 11:41 PM
I have a network going in from scratch with the following. T1 line with multiple available IPs. 1 Win2003 SBS for e-mail, file & print sharing. 1 Win2003 Server (member server) as a Terminal Server in application mode. 1 Win2003 Server Web Edition (member server) as a web/streaming media server. There are going to be 22 client machines (all XP Pro) in house, some using LAN only (training room) and the others running applications from the TS along with e-mail & file & print daily routines. There will be 5 clients that log into the TS remotely for applications & file access on the LAN. All remote machines will have 2000 or XP Pro. I will have a SonicWall 2040: (1) WAN port, (1) LAN 10/100 port, (2) additional 10/100 ports with DMZ capabilities. I am figuring that I should have the e-mail server behind the firewall with ports forwarded for the mail, the same with the terminal server having 3389 forwarded, and have the web server in the DMZ with a real IP. Any feedback is appreciated. I only want to do this once so I figured I would throw it out there for discussion. Thanks very much in advance.
Joe K.

 
Roland Hall
      05-03-2004, 07:19 AM
"Joe K." wrote in message
news:E1D76DBF-B4B0-47A9-8435-(E-Mail Removed)...
: I have a network going in from scratch with the following. T1 line with
multiple available IP's. 1 Win2003 SBS from e-mail, file & print sharing.
1 - Win2003 Server (member server) as a Terminal server in application mode.
1 - Win2003 server web edition (member server) as a web/streaming media
srever. There is going to be 22 client (All XP Pro) machines in house some
using LAN only (training room) and the others running application from the
TS along with e-mail & file & print daily routines. There will be 5 clients
that log ito the TS remotely for applications & file access on the LAN. All
remote machines will have 2000 or XP pro. I will have a Sonicwall 2040 (1)
WAN Port, (1) LAN 10/100 Port, (2) additional 10/100 Ports with DMZ
capabilities. I am figuring that I should have the e-mail server behind the
firewall with ports forwarded for the mail, the same with the terminal
server having 3389 forwarded and have the web server in the DMZ with a real
IP. Any feedback is appreciated. I only want to do this once so I figured I
would throw it out there for discussion. Thanks very much in advance.
: Joe K.

Since you're alluding to security issues, I have some questions.

One firewall is your only protection and you're opening a port into your
private network for mail? Also, you're only referring to perimeter
protection. How will you defend against an overlap attack? What will you
do to protect from attacks on the inside? How will you protect the company
from infected rogue users probing, attacking, attempting to penetrate
systems external to your network, knowingly or unknowingly? How will you
allow connectivity to the Internet web server for internal users? What
about content filtering, RTAV at the server, mail and local levels? Doesn't
SBS 2003 come with ISA? Will that be utilized? If you have all W2K and XP
Pro clients, why would you put overhead on your SBS Server for printer
sharing when they support IP printing directly? How will you handle
external DNS for your web server? Are you set with policies and procedures
with full documented adherence so you can fully monitor your network so
if/when those policies and procedures are breached, you can take action to
protect your network?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/service...p?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default...b;EN-US;308201


 
Phillip Windell
      05-03-2004, 04:26 PM
"Joe K." <(E-Mail Removed)> wrote in message
news:E1D76DBF-B4B0-47A9-8435-(E-Mail Removed)...
> with DMZ capabilities. I am figuring that I should have the e-mail server
> behind the firewall with ports forwarded for the mail, the same with the
> terminal server having 3389 forwarded and have the web server in the DMZ
> with a real IP. Any feedback is appreciated. I only want to do this once
> so I figured I would throw it out there for


That seems like a decent plan to me. I might not want to expose the TS to
the outside like that though, but it is not the "end of the world" either
way. I probably would rather use VPN. The Firewall can probably act as a VPN
Server. Once the user connects via VPN, then they would connect to the TS
machine using the normal Private IP#. But other than that I'm not seeing any
problems jump out at me.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Phillip Windell
      05-03-2004, 04:40 PM

"Roland Hall" <nobody@nowhere> wrote in message
news:(E-Mail Removed)...

Some good questions here.

> do to protect from attacks on the inside? How will you protect the company
> from infected rogue users probing, attacking, attempting to penetrate
> systems external to your network, knowingly or unknowingly?


I prefer Public Employee Beatings out on the front lawn when weather
permits,..but if they are too infected I'm careful they don't bleed on me
:-)

But on the serious side,..most firewall products are pretty good about not
allowing outbound anything that you don't specifically allow.

> about content filtering, RTAV at the server, mail and local levels? Doesn't
> SBS 2003 come with ISA?


Good point about ISA, depending on how or if it is used can affect the whole
topology design, subnetting, and physical layout.

> external DNS for your web server? Are you set with policies and procedures
> with full documented adherence so you can fully monitor your network so
> if/when those policies and procedures are breached, you can take action to
> protect your network?


That's where that big o' paddle with the name written "network security
device" on it comes in to play. ;-}

That is something overlooked a lot. In a lot of cases the management isn't
even thinking in those ways and doesn't even want to support the IT people
when it comes to enforcing it. It's pretty bad when even management people
are the worst offenders and the IT guy is left on his own to figure out what
to do about it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Joe K.
      05-03-2004, 08:01 PM
Phillip,
Thank you for your input and answering the question(s) that I asked. I wasn't sure how to handle the other post other than to study for the quiz. I'm talking about a small company on a budget, not FedEx or Wal-Mart corporate offices. I like the front lawn idea. It's getting warmer out and others can enjoy the beatings as well during lunch break, providing they aren't in their offices hacking other people's networks. Like you pointed out, mgmt says, make it work and don't spend more than X dollars. External DNS can almost always be provided by the ISP as part of the service. An MX record here & an A record there, DNS is covered, mail & web flow.

Thanks again.
 
Phillip Windell
      05-03-2004, 08:14 PM
Well, the questions are legit, but a lot of it is already covered by the
default config of most Firewalls and some are less of an issue in smaller
systems. Some other things you can decide which way to go after the "core"
of the system is in place without having to redesign anything.

I always follow the "keep it simple" idea, so my stuff ends up fairly secure
on its own just because there isn't anything there to hack, then I only have
to worry about protecting what actually is there.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Joe K." <(E-Mail Removed)> wrote in message
news:F32FF4FB-5F7A-4F4E-BF92-(E-Mail Removed)...
> Phillip,
> Thank you for your input and answering the question(s) that I asked. I
> wasn't sure how to handle the other post other than to study for the quiz.
> I'm talking about a small company on a budget, not FedEx or Wal-Mart
> corporate offices. I like the front lawn idea. It's getting warmer out and
> others can enjoy the beatings as well during lunch break, providing they
> aren't in their offices hacking other people's networks. Like you pointed
> out, mgmt says, make it work and don't spend more than X dollars. External
> DNS can almost always be provided by the ISP as part of the service. An MX
> record here & an A record there, DNS is covered, mail & web flow.
>
> Thanks again.



 
Joe K.
      05-03-2004, 09:21 PM
Agreed, it was just more ridiculing than helpful. And yes, the firewall comes with 10 concurrent VPN connections, more than will ever connect from outside at once. So that is definitely the way to go for the TS. Thanks again for your input.
 
Roland Hall
      05-03-2004, 10:12 PM
"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
:
: "Roland Hall" <nobody@nowhere> wrote in message
: news:(E-Mail Removed)...
:
: Some good questions here.
:
: > do to protect from attacks on the inside? How will you protect the
: company
: > from infected rogue users probing, attacking, attempting to penetrate
: > systems external to your network, knowingly or unknowingly?
:
: I prefer Public Employee Beatings out on the front lawn when weather
: permits,..but if they are too infected I'm careful they don't bleed on me
: :-)
:
: But on the serious side,..most firewall products are pretty good about not
: allowing outbound anything that you don't specifically allow.
:
: > about content filtering, RTAV at the server, mail and local levels?
: Doesn't
: > SBS 2003 come with ISA?
:
: Good point about ISA, depending on how or if it is used can affect the
: whole topology design, subnetting, and physical layout.
:
: > external DNS for your web server? Are you set with policies and
: procedures
: > with full documented adherence so you can fully monitor your network so
: > if/when those policies and procedures are breached, you can take action
: > to protect your network?
:
: That's where that big o' paddle with the name written "network security
: device" on it comes in to play. ;-}
:
: That is something overlooked a lot. In a lot of cases the management
: isn't even thinking in those ways and doesn't even want to support the IT
: people when it comes to enforcing it. It's pretty bad when even management
: people are the worst offenders and the IT guy is left on his own to figure
: out what to do about it.

Well said and don't you know the Employee Public Beatings is definitely a
winner!

--
Roland Hall
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


 
Roland Hall
      05-03-2004, 10:21 PM
"Joe K." wrote in message
news:F32FF4FB-5F7A-4F4E-BF92-(E-Mail Removed)...
: Phillip,
: Thank you for your input and answering the question(s) that I asked. I
: wasn't sure how to handle the other post other than to study for the quiz.

Joe...

I apologize if it sounded like a quiz to you but it is relevant for all
networks, budget permitting. If you do not show that you made a good faith
effort to protect others from your network being compromised, then you can
be held liable, even if you have a single computer.

If you do not have policies and procedures in place and your email server
gets infected, looking into other people's mail can get you sued for
invasion of privacy.

None of the questions I asked involve a great expense, but rather additional
thought and preparation to help protect your users, your network, your job
and limiting or eliminating some liabilities.

--
Roland Hall


 
Roland Hall
      05-03-2004, 11:03 PM
"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
: Well, the questions are legit, but a lot of it is already covered by the
: default config of most Firewalls and some are less of an issue in smaller
: systems. Some other things you can decide which way to go after the
: "core" of the system is in place without having to redesign anything.
:
: I always follow the "keep it simple" idea, so my stuff ends up fairly
: secure on its own just because there isn't anything there to hack, then I
: only have to worry about protecting what actually is there.

Phillip...

Please explain to me how a firewall protects against outbound traffic
sending infected email after a user is compromised by a mass-mailing worm or
how a firewall protects against a fragmented overlap attack when it only
looks at the packet header. "Most" firewalls do NOT protect against this
type of attack and host-based IDS and/or content filtering [ISA] is/are then
required, possibly more.

http://ftester.sourceforge.net/ftester.html

Even if the firewall can be configured to only allow certain services, which
is generally the work of a content filter, outbound, unless an MD5 checksum
is used, rogue services using known services will not be stopped. The OP
doesn't need to understand how it can happen, only that it can and that
educating yourself is one of your best defenses against attack.

This article at eEye introduces added security measures of an application
firewall, in addition to firewall and IDS.

http://www.eeye.com/html/Research/Pa...S20010322.html
Relative context:
Traditional packet-filtering firewalls are able to block packets based on
specific packet characteristics, such as TCP flags, source IP address,
destination IP address, or TCP and UDP ports. They are able to stop packets
that do not meet a certain configurable criteria. Even newer state based
firewalls still only look at packet information contained in the IP, TCP, or
UDP headers. They tend not to look at specific data contained in those
packets beyond the headers, and tend not to discern anything related to a
specific protocol. The other disadvantage of firewalls is that if they are
used to protect public services, by the very nature of the services being
public, they must be allowed access by the Internet at large.

After all, the OP said, "I am figuring that I should have the e-mail server
behind the firewall with ports forwarded for the mail, the same with the
terminal server having 3389 forwarded..."

This may not be deemed necessary when a limited budget is in effect but I
always ask my customers one question when determining how much should be
spent on security.

How long can you be down?

Security issues regarding a single point of presence are not based on the
size of the local network. Cost is a variable for size but the security
implications are the same.

While a VPN is a good idea, it is not a full solution. MSFT found this out
when a remote developer was compromised and opened up a VPN connection to
source code within their network, thus providing a gateway for the
attacker. The security worked as it should but the security model was
broken because the remote user was not protected.

Perhaps it is time for a little studying rather than relying on a false
sense of security due to budget restraints?!

--
Roland Hall
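Roland's point about fragmented overlap attacks is that a filter which only reads packet headers never compares the bytes two fragments claim for the same offset. The check below is an added example, not code from anyone in this thread: it takes constructed IP fragments, reports every overlapped byte range, and flags the datagram only when the two copies disagree, which is the host-based IDS check he says a header-only firewall cannot perform.

```python
# Added example: flag IP datagrams whose overlapping fragments carry
# different bytes. All fragments below are constructed, not captured traffic.
from dataclasses import dataclass


@dataclass
class Fragment:
    frag_id: int   # IP Identification field, shared by fragments of one datagram
    offset: int    # byte offset in the original datagram (fragment offset * 8)
    data: bytes    # payload carried by this fragment
    more: bool     # More Fragments (MF) flag


def find_overlaps(frags):
    """Return (frag_id, start, end, conflicting) for every byte range that
    two fragments of the same datagram both claim. conflicting is True when
    the two copies differ: a retransmission repeats identical bytes, while an
    overlap evasion relies on the filter and the end host keeping different
    copies and so seeing different reassembled payloads."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.frag_id, []).append(f)
    findings = []
    for fid, group in by_id.items():
        group = sorted(group, key=lambda f: f.offset)
        for i, a in enumerate(group):
            a_end = a.offset + len(a.data)
            for b in group[i + 1:]:
                if b.offset >= a_end:   # sorted by offset, nothing later overlaps a
                    break
                end = min(a_end, b.offset + len(b.data))
                a_copy = a.data[b.offset - a.offset:end - a.offset]
                b_copy = b.data[:end - b.offset]
                findings.append((fid, b.offset, end, a_copy != b_copy))
    return findings


def suspicious_ids(frags):
    """Datagram ids with at least one conflicting overlap: what an IDS alerts on."""
    return sorted({fid for fid, _, _, conflict in find_overlaps(frags) if conflict})


# Constructed sample: 0x1a2b re-sends bytes 16..20 with different content,
# 0x3c4d is cleanly fragmented, 0x5e6f is a benign retransmission whose
# overlapping bytes are identical.
SAMPLE = [
    Fragment(0x1a2b, 0, b"GET /index.html HTTP", True),
    Fragment(0x1a2b, 16, b"ABCD/1.1\r\n", True),
    Fragment(0x1a2b, 26, b"Host: x\r\n\r\n", False),
    Fragment(0x3c4d, 0, b"benign", True),
    Fragment(0x3c4d, 6, b"datagram", False),
    Fragment(0x5e6f, 0, b"hello world", True),
    Fragment(0x5e6f, 6, b"world!!", False),
]
```

Running `find_overlaps(SAMPLE)` reports the 0x1a2b overlap as conflicting and the 0x5e6f one as benign, so `suspicious_ids(SAMPLE)` returns only `[0x1a2b]`.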


 