[Dshield] RE: Best Hardware / Security Set-up for SBS 2003 w/T-1
James C Slora Jr
Jim.Slora at phra.com
Tue Mar 23 15:39:04 GMT 2004
Steve wrote Thursday, March 18, 2004 2:26 PM
> I am trying to figure out the best way to set-up my new network.
> I am going to be bringing in a T-1 connection to my office
> pretty soon.
> I am going to be using MS SBS 2003 with ISA2000, Exchange,
> and IIS with Sharepoint Server.
> I already have the server and software in place, so I cannot
> change those options. I still haven't purchased the router yet though.
> I could also use the CSU/DSU from the T-1 connection to route
> the data into the Server.
> My concerns are security oriented.
> Should I use the Cisco router as a transparent interface and
> let it do the routing and let ISA server handle the firewall?
> Conversely I can set-up the router to also handle the
> firewall and use it in conjunction with ISA server.
The second option would be better, with the router helping to firewall
- the router would filter out the majority of the background noise
- the router would reduce the risk footprint exposed through ISA server
- flaws in one blocking configuration could be filled in by the other
- your ISA logs would show only traffic that successfully traversed your
first line of defense at the router (making your investigative job easier)
- you would have to worry far less about Windows vulnerabilities on your ISA
- router logs would still allow you to monitor background noise and
unsuccessful attacks if you need to
- you could use the router to redirect hostile traffic and noise to another
system if you expand your monitoring options later
More information about the list