[Dshield] RE: Best Hardware / Security Set-up for SBS 2003 w/T-1

James C Slora Jr Jim.Slora at phra.com
Tue Mar 23 15:39:04 GMT 2004


Steve wrote Thursday, March 18, 2004 2:26 PM

> I am trying to figure out the best way to set up my new network.
>
> I am going to be bringing in a T-1 connection to my office 
> pretty soon.
> 
> I am going to be using MS SBS 2003 with ISA2000, Exchange, 
> and IIS with Sharepoint Server.
> 
> I already have the server and software in place, so I cannot 
> change those options. I still haven't purchased the router yet though.
> 
> I could also use the CSU/DSU from the T-1 connection to route 
> the data into the Server.
> 
> My concerns are security oriented.
> 
> Should I use the Cisco router as a transparent interface and 
> let it do the routing and let ISA server handle the firewall?
> 
> Conversely, I can set up the router to also handle the 
> firewall and use it in conjunction with ISA server.

The second option would be better, with the router helping to firewall:
- the router would filter out the majority of the background noise
- the router would reduce the risk footprint exposed through ISA server
- flaws in one blocking configuration could be filled in by the other
- your ISA logs would show only traffic that successfully traversed your
first line of defense at the router (making your investigative job easier)
- you would have to worry far less about Windows vulnerabilities on your ISA
server itself
- router logs would still allow you to monitor background noise and
unsuccessful attacks if you need to
- you could use the router to redirect hostile traffic and noise to another
system if you expand your monitoring options later



