Small Business Server Support Forum
Subject: Hardware Firewall
Mike Edwards (United Kingdom; Registered Users; member since 4/11/2005; 101 posts), 7/07/2008 02:10 PM
I have always used the two-NIC model and a router along with ISA Server when using SBS, but now that SBS 2008 has ISA removed and the two-NIC model no longer seems to apply, what hardware firewall device do people use/recommend?

I was thinking of looking at the Cisco PIX 501 devices; are there others worth looking at?
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/08/2008 03:22 AM
PIX has been discontinued, which means no updates; not a good idea on a security device. What do you want the firewall to do? Then we can give you informed recommendations.

Registered Microsoft Partner
Mike Edwards (United Kingdom; Registered Users; member since 4/11/2005; 101 posts), 7/10/2008 06:20 PM
Hi William,

Just looking for a box to install at the edge of the network to protect the server and clients against zero-day attacks, intrusion attacks, etc., now that ISA is going to be removed from SBS 2008.

Been looking at the WatchGuard Firebox X range of security appliances; they seem to be very good and not too expensive.
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/11/2008 12:12 AM
If all you need is a basic firewall, anything from D-Link or Netgear will do.

Marina Roos (The Netherlands; Forum Admins; member since 3/24/2005; 12280 posts), 7/12/2008 08:11 PM
Hi William,

A basic firewall really is not good enough with SBS 2008. You need a proper hardware firewall because it has to protect the complete network, as SBS 2008 will only have 1 NIC and no more ISA.

Marina Roos, Smallbizserver.Net Administrator. Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/12/2008 10:18 PM
A regular Linksys router with the standard firewall WILL protect the SBS machine. Any Netgear, Linksys or D-Link router IS a hardware firewall. I would never put a Windows server directly on the internet without either a customized Linux firewall of mine, Astaro or similar, or a router of some kind with a firewall built in.

Jake Barton (United Kingdom; Registered Users; member since 2/7/2008; 16 posts), 7/17/2008 01:44 PM
I am a bit concerned with the fact that to get webmail, mobile access, VPN, etc. you have to open ports up on the firewall to all.
Maybe I'm worrying unnecessarily, but with the two-NIC setup I run a hardware firewall in front of the SBS, turn off file sharing and Client for Microsoft Networks on what I call the DMZ NIC, and make sure IIS is tied down as much as possible.

With the single-NIC scenario I am going to have to point the ports (SMTP, HTTPS, RWW, PPTP, etc.) at the IP address of the SBS box and hope nothing goes wrong with packets bouncing around the LAN. This doesn't seem very secure to me.

The other thing I am looking at is some sort of SSL VPN box to connect to the firewall and run webmail and RWW through that. Netgear do one for a few hundred quid.

Cisco PIX is still supported if you have a Cisco contract (the only way you can get support). The modern alternative is the ASA 5505, which is a good box.

Jake
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/17/2008 03:00 PM
You are worrying a bit much... The only difference between a PIX and something like a D-Link or Linksys is that the PIX controls traffic both ways. There are some hardware and support differences, but in terms of how they operate there's not much difference. The PIX may contain IDS/IPS and other things, but the value of IDS/IPS is still questionable.

With a two-NIC setup you still could have cross traffic due to the SBS machine in effect being a router. The idea of packets bouncing around the LAN is a fallacy, due to the fact that any router takes only the traffic mentioned in the rules and sends it only to the target machine.

Honestly, for all my qualms about Windows design flaws, SBS is a good product. Once you know the design limitations of the underlying codebase it's actually one of the most secure Microsoft products out there. Put a router in front of the box, use port forwarding, and be vigilant but not paranoid. Set up correctly (which SBS makes it hard to screw up) and operated correctly (this is the most critical part), I have never had an SBS machine get directly compromised or be the instrument of a network compromise.

Jake Barton (United Kingdom; Registered Users; member since 2/7/2008; 16 posts), 7/17/2008 05:16 PM
I wasn't worrying too much about the make of firewall; we use the Netgear DG834 in a lot of our installations. It was more the whole issue of opening up port 443 to the entire world and hoping everything within the SBS box / network is secure.

To be fair we have never had a problem on an SBS box, but I have had Microsoft web servers which had a vulnerability in SSL attacked, broken into and the registry played around with. That box was a managed box run by a big ISP with plenty of firewall protection etc., and the only reason it got broken into was that Microsoft decided to publicise the flaw before they put a patch out!

My theory on having an SSL VPN box is to try and limit the amount of external traffic that needs to come anywhere near the network; it's just an extra layer of defence to put in the way of people with too much time on their hands!

Jake
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/18/2008 05:04 AM
SSL is OK as long as you configure it to take over the network interface totally (like any IPsec VPN does). Most SSL VPNs don't have that set up by default, making the VPN machine a bridge to the internet, and then you have defeated the purpose of the VPN. The SBS config wizards are excellent at locking things down. Simply having a router in front of it is going to limit any port scans, and anything they hit on the open ports is going to be tightly locked down anyway. I have not seen a properly configured SBS machine get compromised when it's behind a good firewall. I allow the installations I use to have remote access via HTTPS to their e-mail and RWW; I do not allow the remote desktop via the browser due to the propensity of the encryption used for RDP to be easily cracked. If they want RDP I then set up a VPN server and have them tunnel RDP that way.

Jake Barton (United Kingdom; Registered Users; member since 2/7/2008; 16 posts), 7/18/2008 12:49 PM
> i do not allow the remote desktop via the browser due to the propensity of the encryption used for rdp to be easily cracked. If they want rdp I then setup a vpn server and have them tunnel rdp that way.

So do you allow them access to their desktops via RWW?
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/18/2008 02:51 PM
No, I do not, due to the questionable security of RDP. If they want to remote desktop, I force them through a secured VPN.

Jake Barton (United Kingdom; Registered Users; member since 2/7/2008; 16 posts), 7/18/2008 03:38 PM
OK.

Do you use the built-in VPN (e.g. PPTP or L2TP) then, or something else? I understood from a number of people that they thought RWW was the most secure way of letting people have RDP access, as it protected the network from the remote PC, but I am open to ideas.
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/18/2008 09:46 PM
RWW is only an HTTPS interface that reroutes to RDP (which is why you have to have the RDP port open on the firewall for the RWW remote desktop to work). Unless my testing was wrong, the RDP traffic is NOT encapsulated by the HTTPS protocol, which would allay my concerns about RDP inside of RWW. I do not use the VPN inside SBS due to it being the Microsofted way of doing something standard (aka L2TP is actually MS's version of IPsec and PPTP is an insecure protocol). I set up either a VPN-capable router or a custom Linux firewall server and use either SSL or IPsec VPNs from the firewall to the SBS machine for RDP.

Marina Roos (The Netherlands; Forum Admins; member since 3/24/2005; 12280 posts), 7/19/2008 05:50 PM
Hi William,
 
No, you are not right in saying you need the RDP port open for RWW to work. RWW only needs 443 and 4125, nothing else. RDP traffic in itself is encrypted.

william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/19/2008 11:23 PM
I never said RDP wasn't encrypted; I said its encryption is suspect. There are several programs out there that can easily crack RDP's encryption. 443 is HTTPS and 4125 is the RDP port. RDP gets sent over 4125 and HTTPS goes over 443. As I said, if they routed the RDP traffic over 443 I would have no issues.

I have not seen anything about RDP inside of 2k3 that leads me to say it's a secure protocol. Until the encryption of RDP 6.0 is properly vetted by independent cryptanalysts, its record and therefore the RDP protocol itself is not trustworthy.

william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/20/2008 01:03 AM
http://redmondmag.com/news/article.asp?EditorialsID=8584

It seems RDP v6 has other security issues as well. You can use SSL for RDP, BUT 6.0 allows the user to bypass the requirement for SSL (which has to be specifically set up; SBS 2k3 does NOT do this by default). I stand by my evaluation of RDP being suspect in terms of its security, and recommend using a known secure VPN (SSL or IPsec) and not relying solely on RDP for secured remote access.

Eriq Neale (Texas, USA; Microsoft MVP; member since 5/3/2005; 2105 posts), 7/20/2008 01:57 AM
Can you cite sources for these claims about the suspect encryption of RDP? First time I've heard this claim and I've been unable to independently verify what you're saying.

Also, you're not 100% correct on how port 4125 works. RDP is encapsulated over port 4125, and while it's not specifically another layer of encryption on the protocol, it is not straight RDP, either.

In SBS 2008, RWW does route all RDP for remote connections over port 443. The only ports required to be open to the SBS server for expected communication are 25, 443, and 987.

I have bigger problems with VPN implementations and actually don't allow those at my sites unless I know the entire health history of the machine that connects via VPN and have full management over that machine as well.

-Eriq

Eriq Neale - Small Business Specialist, SBS MVP, Mac Guru
EON Consulting LLC www.eonconsulting.net
Author of Microsoft Small Business Server 2003 Unleashed
Listen to eOnCall at AIRtunZ or visit www.eoncall.com.
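A constructed check, added here and not part of the thread or any SBS tooling, for the point the last few posts argue over: which inbound ports the edge router actually forwards to the SBS host, compared with the ports the thread names for each version (443 and 4125 for SBS 2003 RWW; 25, 443 and 987 for SBS 2008), with raw RDP or PPTP forwarded straight at the server flagged as risky. The rule syntax, the host address and the sample ruleset are assumptions.

```python
from dataclasses import dataclass

# Inbound ports the thread says each SBS version needs open from the internet:
# SBS 2003 RWW needs 443 and 4125; SBS 2008 needs only 25, 443 and 987.
REQUIRED_INBOUND = {"SBS 2003": {443, 4125}, "SBS 2008": {25, 443, 987}}
# Forwards that should never point straight at the server from any source.
RISKY_DIRECT = {3389: "raw RDP exposed; reach it via RWW/443 or a VPN instead",
                1723: "PPTP exposed; prefer an IPsec or SSL VPN on the edge device"}

@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    src: str  # "any" or a specific source
    dst: str  # LAN host the port is forwarded to

def parse_rules(text):
    """Parse constructed lines like 'allow tcp 443 from any to 192.168.1.2'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        p = line.split()
        if len(p) != 7 or p[0] != "allow" or p[3] != "from" or p[5] != "to":
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append(Rule(p[1], int(p[2]), p[4], p[6]))
    return rules

def audit(rules, sbs_host, version):
    """Return findings: required ports not forwarded, risky forwards, extras."""
    required = REQUIRED_INBOUND[version]
    exposed = {r.port for r in rules if r.dst == sbs_host and r.src == "any"}
    findings = [f"MISSING: port {p} not forwarded to {sbs_host}; {version} needs it"
                for p in sorted(required - exposed)]
    for r in rules:
        if r.dst != sbs_host:
            continue
        if r.port in RISKY_DIRECT:
            findings.append(f"RISKY: {r.proto}/{r.port} from {r.src}: {RISKY_DIRECT[r.port]}")
        elif r.port not in required:
            findings.append(f"UNEXPECTED: {r.proto}/{r.port} from {r.src} is not needed by {version}")
    return findings
# Constructed ruleset: an edge router in front of an SBS 2008 box at 192.168.1.2.
SAMPLE_RULES = """
allow tcp 25 from any to 192.168.1.2
allow tcp 443 from any to 192.168.1.2
allow tcp 3389 from any to 192.168.1.2
allow tcp 4125 from any to 192.168.1.2
"""
```

Calling `audit(parse_rules(SAMPLE_RULES), "192.168.1.2", "SBS 2008")` reports port 987 missing, 3389 as a risky direct RDP forward, and 4125 as unneeded on SBS 2008; the same ruleset audited as "SBS 2003" instead flags port 25 as unexpected and accepts 4125.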
william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/20/2008 02:59 PM
Look up Cain and Abel, which is the main program for compromising RDP. It's widely known to be highly effective. RDP is known to be subject to man-in-the-middle attacks due to MS making all of the private keys the same. It's pretty easy to find this information out with a simple Google search.

Either way, if you want to trust RDP, that's your call. I simply will not trust RDP's security based on its past record and the lack of verification of the current version's security, since it's able to bypass server-side security requirements and the fact that the server will allow such a bypass to exist.

william warren (United States; Registered Users; member since 12/8/2005; 548 posts), 7/20/2008 03:05 PM
SBS 2k8 routing RDP over HTTPS will assuage any concerns I have about the RDP protocol...
