I am changing a server from POP3 connector to SMTP

We already have a hardware firewall (ZyXEL ZyWALL 10)

I will also configure OWA/SSL for access from the internet

Do you think I need the second NIC in the server to enable ISA,
or is the hardware firewall enough?

Thanks for your opinions,

Filippo

Re: second NIC vs. hardware firewall by Javier

Javier
Mon Sep 01 09:12:42 CDT 2003

This has been discussed extensively on this NG (do a Google search if you are
interested)... I think most people will recommend installing 2 NICs and putting
your HW firewall in front of ISA. Does your firewall do egress filtering?
How detailed are the logs?

-Javier

"Filippo" <inutile@nospam.com> wrote in message
news:e0tEXcHcDHA.2404@TK2MSFTNGP10.phx.gbl...
> I am changing a server from POP3 connector to SMTP
>
> We already have a hardware firewall (ZyXEL ZyWALL 10)
>
> I will also configure OWA/SSL for access from the internet
>
> Do you think I need the second NIC in the server to enable ISA,
> or is the hardware firewall enough?
>
> Thanks for your opinions,
>
> Filippo
>
>



Re: second NIC vs. hardware firewall by Filippo

Filippo
Mon Sep 01 09:22:38 CDT 2003

Hi Javier,
sorry to ask a question on a topic that has already been discussed.

The firewall logs are very detailed: you can know everything about every
packet in and out (source IP - port / dest IP / port - action taken).

I don't know what egress filtering is.

I know that I can allow only incoming packets going to the server on the
ports I decide (25 and 443) and drop all the other incoming packets.



"Javier Gomez" <javier_gomez@remove-this-bit.engineer.com> wrote in
message news:OEbVcMJcDHA.384@TK2MSFTNGP12.phx.gbl...
> This has been discussed extensively on this NG (do a Google search if you are
> interested)... I think most people will recommend installing 2 NICs and putting
> your HW firewall in front of ISA. Does your firewall do egress filtering?
> How detailed are the logs?
>
> -Javier
>
> "Filippo" <inutile@nospam.com> wrote in message
> news:e0tEXcHcDHA.2404@TK2MSFTNGP10.phx.gbl...
> > I am changing a server from POP3 connector to SMTP
> >
> > We already have a hardware firewall (ZyXEL ZyWALL 10)
> >
> > I will also configure OWA/SSL for access from the internet
> >
> > Do you think I need the second NIC in the server to enable ISA,
> > or is the hardware firewall enough?
> >
> > Thanks for your opinions,
> >
> > Filippo
> >
> >
>
>



Re: second NIC vs. hardware firewall by Mal

Mal
Mon Sep 01 09:21:30 CDT 2003

You also get user-level access control & a proxy cache with ISA.

Mal Osborne

"Javier Gomez" <javier_gomez@remove-this-bit.engineer.com> wrote in message
news:OEbVcMJcDHA.384@TK2MSFTNGP12.phx.gbl...
> This has been discussed extensively on this NG (do a Google search if you are
> interested)... I think most people will recommend installing 2 NICs and putting
> your HW firewall in front of ISA. Does your firewall do egress filtering?
> How detailed are the logs?
>
> -Javier
>
> "Filippo" <inutile@nospam.com> wrote in message
> news:e0tEXcHcDHA.2404@TK2MSFTNGP10.phx.gbl...
> > I am changing a server from POP3 connector to SMTP
> >
> > We already have a hardware firewall (ZyXEL ZyWALL 10)
> >
> > I will also configure OWA/SSL for access from the internet
> >
> > Do you think I need the second NIC in the server to enable ISA,
> > or is the hardware firewall enough?
> >
> > Thanks for your opinions,
> >
> > Filippo
> >
> >
>
>



Re: second NIC vs. hardware firewall by Javier

Javier
Mon Sep 01 10:17:09 CDT 2003

> I don't know what egress filtering is

This means controlling what gets out from your LAN (as opposed to what gets
in... which any firewall can do). In other words-> Can you restrict/block
access to the internet for certain users/computers??? Based on protocol,
IP... or whatever?

The way I see it-> Getting a second NIC is cheap and you already have ISA.
Having two firewalls in place... it's a little bit harder to set up but is
not really that difficult and provides an extra layer of security. The only
disadvantage is that if your server is down the internet connection will be
too... but then if my network is down I don't give a damn if users can't get
to the internet (since they will not be able to use anything from the SBS
box either).

My $0.02,

Javier
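
An added illustration of the ingress and egress filtering discussed in this thread (not part of any poster's message, and not ZyWALL or ISA configuration): a first-match, default-deny rule table evaluated over constructed connection attempts. The addresses, every rule other than inbound ports 25 and 443, and all function names are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.16.0/24")   # constructed LAN range
SERVER = ipaddress.ip_address("192.168.16.2")   # constructed server address

# Rules apply to the first packet of a connection; replies are assumed to be
# handled by stateful tracking. First match wins, anything else is dropped.
# (direction, source, destination, protocol, destination port, action)
RULES = [
    ("in",  "any",    "server", "tcp", 25,  "allow"),  # inbound SMTP
    ("in",  "any",    "server", "tcp", 443, "allow"),  # inbound OWA/SSL
    ("out", "server", "any",    "tcp", 25,  "allow"),  # only the server sends mail
    ("out", "server", "any",    "udp", 53,  "allow"),  # server resolves DNS
    ("out", "server", "any",    "tcp", 80,  "allow"),  # web only via proxy on server
    ("out", "server", "any",    "tcp", 443, "allow"),
]

def direction(src, dst):
    """Return "in", "out", or None for traffic that does not cross the firewall."""
    if src in LAN and dst not in LAN:
        return "out"
    if dst in LAN and src not in LAN:
        return "in"
    return None

def host_matches(spec, addr):
    return spec == "any" or (spec == "server" and addr == SERVER)

def decide(src, dst, proto, dport):
    """Return "allow" or "drop" for one connection attempt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    way = direction(src, dst)
    for r_dir, r_src, r_dst, r_proto, r_port, action in RULES:
        if (r_dir == way and host_matches(r_src, src) and host_matches(r_dst, dst)
                and r_proto == proto and r_port == dport):
            return action
    return "drop"

# Constructed sample connections (documentation address ranges).
SAMPLES = [
    ("203.0.113.9",   "192.168.16.2", "tcp", 25),    # internet -> server SMTP
    ("203.0.113.9",   "192.168.16.2", "tcp", 3389),  # internet -> unpublished port
    ("192.168.16.2",  "198.51.100.7", "tcp", 25),    # server -> outbound mail
    ("192.168.16.50", "198.51.100.7", "tcp", 25),    # workstation -> direct SMTP
    ("192.168.16.50", "198.51.100.7", "tcp", 80),    # workstation bypassing proxy
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(*s, "->", decide(*s))
```

The last two samples are the ones an ingress-only policy would never see: they are dropped here only because outbound traffic is also matched against the table.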