I'm considering putting the server's WAN NIC onto the public IP address we
have registered. I'm concerned though, that this will allow hackers into
the server. We are using Exchange SMTP mail and are running 2-3 VPN
connections into the office.

Can anyone give their opinions on whether it's wise to put the server on
the 'net or is it best to add an appliance (like SonicWall or another
firewall) in front of the server?

Thanks for your comments.

--
Michael Rudnick
news@RCC-pcSupport.com

Re: Put Server WAN on Public IP Address? by Michael

Michael
Wed Feb 25 01:22:51 CST 2004

Hello,

I will assume you are running SBS 2000 with ISA or SBS 2003 premium with
ISA. This gives you a lot of control over the TCP packet filtering and
has IDS (Intrusion detection systems) (Windows 2000 and 2003 have a
built-in firewall but it is not full featured). You still have to have
the ports on routers open to port map programs into your server so you
are no more/less vulnerable than having the ports open on the server in
the first place. Having said that, make sure you test your ISA firewall
as a poorly configured firewall is like not having one at all.

Please note, reading this carefully would indicate no matter what you do,
you are exposed. This is true. If not, you could not get email etc
through your firewall. This is where you should service pack your
software and look for updates and security issues with the specific
services and versions you are running. You can also have traffic
stateful inspections to assist protecting your site but really, turn on
ISA, only allow through what you need and remember to patch, patch and
patch.

Thanks

P.S. You can use a tool like GRC.COM (ShieldsUP) to test your firewall
external to your location.

Michael Rudnick wrote:

> I'm considering putting the server's WAN NIC onto the public IP address we
> have registered. I'm concerned though, that this will allow hackers into
> the server. We are using Exchange SMTP mail and are running 2-3 VPN
> connections into the office.
>
> Can anyone give their opinions on whether it's wise to put the server on
> the 'net or is it best to add an appliance (like SonicWall or another
> firewall) in front of the server?
>
> Thanks for your comments.
>
>

--
Michael J. Jenkin MVP - SBS, Senior Systems Engineer, Millennium
Business Solutions
Microsoft Most Valuable Professional, Microsoft's Windows Server Systems
- Small Business Server
MVP's do not work for Microsoft. If this email was generated in a
newsgroup, please reply only to the newsgroup.
Note: The contents of my postings and responses here represent my
personal opinions and do not necessarily reflect the views, thoughts or
feelings of Microsoft or any of its employees.
http://mvp.support.microsoft.com
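
An added example, not part of any poster's message: one way to check the "only allow through what you need" advice from the server side is to list which TCP listeners are bound to the WAN address (or to all addresses) and compare them with the services meant to be public. The WAN address `203.0.113.10`, the LAN address, the allow-list (SMTP on 25, and PPTP on 1723 as an assumed VPN type) and the `netstat -an` sample are all constructed for illustration; the output shows what a packet filter has to block, not what it actually passes.

```python
import re

# Constructed `netstat -an` sample from a two-NIC server (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:139       0.0.0.0:0              LISTENING
  TCP    192.168.16.2:3389      0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:25        198.51.100.7:40112     ESTABLISHED
"""

WAN_IP = "203.0.113.10"                       # assumed public address of the WAN NIC
ALLOWED_TCP = {25: "SMTP", 1723: "PPTP VPN"}  # assumed list of intended public services

# Matches only TCP sockets in the LISTENING state: "TCP  addr:port  foreign  LISTENING"
LISTEN_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def exposed_listeners(netstat_text, wan_ip):
    """Return sorted TCP ports reachable via the WAN NIC if nothing filters them."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_LINE.match(line)
        if not match:
            continue
        addr, port = match.group(1), int(match.group(2))
        # 0.0.0.0 means "every interface", so it includes the WAN NIC.
        if addr in ("0.0.0.0", wan_ip):
            ports.add(port)
    return sorted(ports)


def audit(netstat_text, wan_ip, allowed):
    """Compare WAN-reachable listeners with the allow-list."""
    exposed = exposed_listeners(netstat_text, wan_ip)
    return {
        "exposed": exposed,
        "unexpected": [p for p in exposed if p not in allowed],
        "missing": sorted(p for p in allowed if p not in exposed),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, WAN_IP, ALLOWED_TCP)
    for port in result["unexpected"]:
        print(f"TCP {port} listens on the WAN side but is not on the allow-list")
```

Port 3389 in the sample is bound only to the LAN address, so it is not reported; 135, 139 and 445 are, because a wildcard or WAN-address binding puts them on the public interface.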

Re: Put Server WAN on Public IP Address? by SuperGumby

SuperGumby
Wed Feb 25 05:42:40 CST 2004

I won't assume anything (this time :-)

Having a simple NAT router in front of a two NIC SBS is a good idea.
If your version of SBS includes ISA then anything better than a simple NAT
router is not only (almost) a waste of money but also likely to cause
complications you don't need.
If you don't have ISA you would do well to implement something better than a
simple NAT router as your firewall.


--
Mick Malloy
http://www.micropol.com.au

"Michael Rudnick" <news@rcc-pcsupport.com> wrote in message
news:Xns9499E4C69E6EDnewsrccpcsupportcom@207.46.248.16...
> I'm considering putting the server's WAN NIC onto the public IP address we
> have registered. I'm concerned though, that this will allow hackers into
> the server. We are using Exchange SMTP mail and are running 2-3 VPN
> connections into the office.
>
> Can anyone give their opinions on whether it's wise to put the server on
> the 'net or is it best to add an appliance (like SonicWall or another
> firewall) in front of the server?
>
> Thanks for your comments.
>
> --
> Michael Rudnick
> news@RCC-pcSupport.com