[Dshield] Best Hardware / Security Set-up for SBS 2003 w/T-1

Richard Porter rwporter at comcast.net
Fri Mar 19 00:10:52 GMT 2004


I agree with Josh and think you should make your Cisco equipment work for
you as much as possible. Another possibility is to add a third system into
the mix. You could set up an IPTables/Snort-Inline and have it FW at layer 2.
Snort-Inline can handle T1 traffic easily enough. This would add an alternate
IDS into the mix and make it transparent.

Snort-Inline 		http://snort-inline.sourceforge.net/

Honeynet.org		http://www.honeynet.org

IMHO

Richard

 

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Josh Tolley
Sent: Thursday, March 18, 2004 1:06 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Best Hardware / Security Set-up for SBS 2003 w/T-1

Was it this list or another I'm on that just had a long discussion of the
merits and shortcomings of ISA server? My (limited) experience with ISA
server is that it's a pain to configure, and since it runs on Windows I
wouldn't trust it without another firewall in front of it (your opinion may
vary -- please don't flame me for mine). The result of the discussion on
whatever list it was ended up being that ISA is nice because of its
interoperation with other MS products, but that it was best applied as an
internal firewall, and that perimeter machines should be something more
easily hardened. If you're implementing a Cisco box anyway, I'd say use it
for most of the firewalling you need and depend on ISA as little as
possible.

Josh Tolley

Steve wrote:

> Thanks for taking the time to read this post.
> 
> I am trying to figure out the best way to set up my new network.
> 
> I am going to be bringing in a T-1 connection to my office pretty soon.
> 
> I am going to be using MS SBS 2003 with ISA2000, Exchange, and IIS 
> with Sharepoint Server.
> 
> I already have the server and software in place, so I cannot change 
> those options. I still haven't purchased the router yet though.
> 
> I could also use the CSU/DSU from the T-1 connection to route the data 
> into the Server.
> 
> My concerns are security oriented.
> 
> Should I use the Cisco router as a transparent interface and let it do 
> the routing and let ISA server handle the firewall?
> 
> Conversely, I can set up the router to also handle the firewall and use 
> it in conjunction with ISA server.
> 
> Does anyone have any tips or suggestions?
> 
> Thanks,
> 
> Steve
> 

--
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000
