TechSpot

small business network - advice needed!

By davids
Jul 28, 2006
  1. I am planning a small business network; here is what I have set up so far:

    there are currently 4 workstations and possibly another one will be installed.
    I have decided on a Xeon server with 2 GB memory, Windows Server 2003 Small Business Edition - as I will be installing Exchange Server as well.

    I am getting a checkpoint hardware firewall for security.

    Now I have come to the antivirus and I was wondering if anyone has a recommendation for the type of antivirus software I should install, and does it need to be installed on the server as well as the workstations??
     
  2. jobeard

    jobeard TS Ambassador Posts: 13,469   +327

    You neglected to state that the site does/doesn't need Internet access.
    You should study the concepts of a DMZ and how to isolate your business
    servers from EVERYONE -- including the LAN users -- and setting up rules to
    ensure access to it ONLY arrives via the LAN segment and not the PUBLIC or DMZ segments.

    We're talking 3 router/firewalls and at least two LAN segments.

    Properly isolated (which includes no email clients or web browsers on the server),
    the server will have extremely low exposure for intrusions -- it will basically
    become a file and application server without logged-in users.
     
  3. davids

    davids TS Rookie Topic Starter Posts: 177

    Sorry Jobeard:

    The site does require internet access, I am planning to install a bt broadband router and place a hardware firewall between this and the LAN.
    And the workstations will have internet access via the router as opposed to going through the server.

    So are you saying that I should totally disable WAN services on the server (except obviously for updates etc. and email services - as I am setting up Exchange also)?

    Today I have been looking at AVG network antivirus for the workstations, would you recommend this? Also I am debating on whether I need a separate antispyware protection such as Ewido, or if I would be better going for an all-in-one package, like McAfee?

    Thanks a lot for your advice Jobeard, I appreciate it.
     
  4. jobeard

    jobeard TS Ambassador Posts: 13,469   +327

    network topology

    the attachment is your topology (ie network layout).
    With a separate firewall between the Net and your first Router-1
    (or get a good router with firewall capabilities) all users get basic
    protection from intrusion.
    The LAN side of Router-1 is your first network segment and ALL USERS are on only it.

    Router-2/Firewall-2 creates your second LAN segment and makes normal traffic flow thru segment-1 (not by rules, but by the change in seg-2 ip-address).
    Router-1's IP segment-1 address becomes the default gateway for all users.

    Your Business Server should have a STATIC ip-address and a well known name. You can then enter that name into LMHOSTS and your users
    can then configure their email clients by name.

    EMAIL: ports 110(pop3) 143(imap) 25(smtp)
    you will need all email to be funneled thru to the Exchange Server
    (logging recvd/sent email there).
    Router-2 will have two addresses:
    1) on segment-1
    2) on segment-2
    The inbound email from WWW is a two-step port forward for both 110/143
    router-1 fwd-> router-2 segment-1 address
    router-2 fwd-> the Exchange Server static address.

    outbound email is similar for port 25
    router-1 fwd-> router-2 segment-1 address
    router-2 fwd-> the Exchange Server static address.
    the ES will act as a proxy to deliver email back to the NET
    [ you need to check me on this; I don't run ES ]

    Router-1's segment-1 IP address becomes the default gateway for the ES server

    Almost! no user level users allowed to login, only ADMINS and they must
    limit Internet access to UPDATES only, no personal email from that host-- totally unnecessary.

    There's no silver bullet in security (ie: you need several tools as none are 100% comprehensive).
    Find any/all services that integrate well with the ES. Done correctly, the AV
    scan on email clients becomes ALMOST irrelevant.

    You might wish to investigate an IDS (Intrusion Detection System) for the ES
    platform.

    Last thought: start planning for your Internal vs External DNS.
    The EXT needs two copies and they only identify business solutions you
    wish to make public; eg any website hosted locally and the email server mapping (mail.yourdomain.com) to access the INT DNS which may have
    far more on it. The INT should be in a DMZ setting between the Public IP
    and Router-1 (implying you need another router-0). If you have a locally hosted website, it too goes into the DMZ.
     


  5. davids

    davids TS Rookie Topic Starter Posts: 177

    Thanks Jobeard I think I get most of that.
    Another thing that is bothering me now is the antivirus needs: as the hardware firewall I plan to get says that it has "gateway antivirus" that scans incoming files and emails for viruses, so does this mean that I do not need a separate software antivirus kit?
     
  6. jobeard

    jobeard TS Ambassador Posts: 13,469   +327

    it reads that way, doesn't it:) install and it
    should have documentation and/or configuration info. IMMEDIATELY
    access for UPDATES and you might see the download of the AV definitions.
     
  7. davids

    davids TS Rookie Topic Starter Posts: 177

    It does read that way, but I'm not convinced. I asked the people who supply the firewall but they weren't sure, so I'm waiting for them to get back to me.

    To be safe I think I might get some software AV as well.

    One thing I didn't understand about your last post and the diagram is why I need two routers?

    The setup I had in mind was 4/5 computers on the LAN (connected via a switch-does that count as one router??), all connected to a server acting as domain controller, file server and exchange server- and will have a fixed private IP.

    Then I will have the firewall and the other side of the firewall I will have a BT ADSL router modem and this will act as the internet gateway for all LAN clients. The WAN port will have the only fixed public IP address.

    Then I will forward email transmissions directly to the mail server (using port forwarding), and leave everything else as is. Does that sound OK?

    Am I right in thinking that some people opt for having several public IPs so they can assign them for example to a mail server, a remote desktop server etc. Does this method have any advantages to using port forwarding?


    Thanks a lot for your help Jobeard

    Dave
     
  8. jobeard

    jobeard TS Ambassador Posts: 13,469   +327

    dmz layout

    attached is a DMZ config. the red lines are control
    flows for business rules. notice the perimeter does not participate (except via the VPN)
    AND the business systems are even isolated from the users.

    the DMZ will be the LEAST protected area, but there are more rules to
    protect everything around it.

    multiple IP addresses gives flexibility, including multiple physical sites across
    the country. dedicating an IP to email would normally be a big waste,
    unless you're going to be as big as GM, AT&T, IBM and have world-wide
    email traffic :)
     


  9. jobeard

    jobeard TS Ambassador Posts: 13,469   +327

    ip addresses

    btw: if you have or will have a public WWW website, you're going to use three
    IP addresses to support it:
    1) the website address attached to your URL
    2-3) for your public DNS

    #4 might be for VPN access

    Company internal systems would always be on the LAN and not directly
    accessible from the web
     
  10. jegan80

    jegan80 TS Rookie

    mate... i have implemented mcafee total business solution for ma office... and works like sweet...
     
  11. Nodsu

    Nodsu TS Rookie Posts: 9,431

    DMZ is really an overkill here.. If you are going to use the server as a domain controller or for file sharing, then it doesn't really matter if you stick it to DMZ or not - you will be forwarding so many ports back and forth that the security advantage of DMZ will be nil.

    You definitely need antivirus on the workstations. Content scanning at the gateway cannot catch everything - the contents of password protected zip files and SSL (HTTPS) connections cannot be examined by the firewall for example. Also, the router can not scan what people bring in on CDs or USB sticks.

    Antivirus on the server is something you have to pay premium for. (Desktop AV software is made not to run on server OS - they want you to pay extra). Depending on what kind of files/mail is going through the server, you may take the risk and do without an AV on the server machine.
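
The gateway blind spot described in the post above, as an added example that is not part of the original thread: a ZIP parser can still read entry names from an archive's directory, but entries with the encryption bit set cannot be opened for scanning. The sample archive is constructed in memory with that bit set (the data itself is not encrypted), and the verdict label `hold-for-endpoint-av` is a hypothetical policy name.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry data is encrypted


def sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed sample: a one-entry archive built in memory.

    With mark_encrypted=True the encryption bit is set in the local and central
    headers (data stays plaintext) so the archive looks password protected.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flag field sits 6 bytes into a local header, 8 into a central one.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature) + offset
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED)
    return bytes(data)


def triage(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, entries the gateway could not open)."""
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return "scan", []  # not an archive: hand the bytes to the scanner as-is
    unreadable = []
    with zipfile.ZipFile(stream) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED:
                unreadable.append(info.filename)  # name is visible, content is not
                continue
            zf.read(info)  # a real gateway would pass these bytes to its AV engine
    return ("hold-for-endpoint-av" if unreadable else "scan"), unreadable


if __name__ == "__main__":
    print(triage(sample_zip(False)))
    print(triage(sample_zip(True)))
```
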
     
     
  12. davids

    davids TS Rookie Topic Starter Posts: 177

    Thanks all for your help.

    I have sort of decided to go for Sophos antivirus suite - it has workstation antivirus and also a separate antivirus for the server.

    I haven't had any experience with corporate antivirus, but being a home computer engineer I have never grown to dislike Norton for one. As for McAfee I'm not sure about that as I haven't used it a great deal.
    Where I last worked (unrelated to IT) they had Sophos and it seemed to me that it worked quite well. If anyone has any experience of it I'd like to hear.

    I am erring on sticking to one fixed IP address and using port forwarding (as I know how to do this to a certain extent). If I need more IPs I figure I can always upgrade the broadband package.

    I'm not entirely sure about the DMZ. I think it will be better if I post on here again when the Server has arrived as I'm quite likely to get stuck at some point in the configuration!!!

    Hope you don't mind?

    Thanks a lot
     
  13. Nodsu

    Nodsu TS Rookie Posts: 9,431

    One is always welcome to ask. Especially in the pleasant way you seem to :)

    Don't worry about the DMZ - in your scenario it will bring more trouble than it's worth.

    PS
    I don't know what version of CheckPoint you are getting, but AFAIK CP has an SMTP server feature. Make sure you turn this on - the router will do some basic sanity checking on the SMTP traffic (will catch some 30-50 percent of spam without even scanning anything) and will also hide the identity of your real mail server (no need to let everyone know what Exchange version you are running).
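
One way to confirm that the gateway really hides the mail server's identity, as an added example that is not part of the original thread: parse the SMTP 220 greeting seen from outside and report any product name or build number it discloses. The greetings below are constructed samples, the hostname is a placeholder, and the product list is illustrative rather than exhaustive.

```python
import re

# Tokens that reveal the mail product or its build in a 220 greeting.
DISCLOSURES = {
    "product name": re.compile(r"\b(microsoft|exchange|postfix|sendmail|exim)\b", re.I),
    "version number": re.compile(r"\b\d+(?:\.\d+){2,}\b"),
}

# Constructed sample greetings (not captured from any real server).
EXCHANGE_STYLE = ("220 mail.example.com Microsoft ESMTP MAIL Service, "
                  "Version: 6.0.3790.1830 ready at  Fri, 28 Jul 2006 10:15:00 +0100")
GENERIC = "220 mail.example.com ESMTP"
MULTILINE = "220-mail.example.com ESMTP service\r\n220 build 6.0.3790.1830"


def greeting_text(raw: str) -> str:
    """Strip reply codes and the announced domain from a 220 greeting.

    Handles multi-line greetings ("220-" continuation lines, final "220 ").
    """
    texts = []
    for line in raw.strip().splitlines():
        match = re.fullmatch(r"220([ -])(.*)", line)
        if match is None:
            raise ValueError(f"not an SMTP greeting line: {line!r}")
        texts.append(match.group(2))
    # The first token of the first line is the server's domain (RFC 5321).
    first = texts[0].split(None, 1)
    texts[0] = first[1] if len(first) > 1 else ""
    return " ".join(t for t in texts if t)


def banner_findings(raw: str) -> list[str]:
    """Return the kinds of identifying detail the greeting gives away."""
    text = greeting_text(raw)
    return [label for label, rx in DISCLOSURES.items() if rx.search(text)]


if __name__ == "__main__":
    for sample in (EXCHANGE_STYLE, GENERIC, MULTILINE):
        print(banner_findings(sample) or "nothing disclosed")
```
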
     
Topic Status:
Not open for further replies.

