small business network - advice needed!


davids

I am planning a small business network; here is what I have set up so far:

There are currently 4 workstations, and possibly another one will be installed.
I have decided on a Xeon server with 2GB memory, Windows Server 2003 Small Business Edition, as I will be installing Exchange Server as well.

I am getting a Checkpoint hardware firewall for security.

Now I have come to the antivirus, and I was wondering if anyone has a recommendation for the type of antivirus software I should install, and does it need to be installed on the server as well as the workstations?
 
You neglected to state that the site does/doesn't need Internet access.
You should study the concepts of a DMZ and how to isolate your business
servers from EVERYONE -- including the LAN users -- and setting up rules to
ensure access to it ONLY arrives via the LAN segment and not the PUBLIC or DMZ segments.

We're talking 3 router/firewalls and at least two LAN segments.

Properly isolated (which includes no email clients or web browsers on the server),
the server will have extremely low exposure for intrusions -- it will basically
become a file and application server without logged-in users.
 
Sorry Jobeard:

The site does require internet access. I am planning to install a BT broadband router and place a hardware firewall between this and the LAN.
And the workstations will have internet access via the router as opposed to going through the server.

So are you saying that I should totally disable WAN services on the server (except obviously for updates etc. and email services, as I am setting up Exchange also)?

Today I have been looking at AVG network antivirus for the workstations; would you recommend this? Also I am debating whether I need a separate antispyware protection such as Ewido, or if I would be better going for an all-in-one package like McAfee?

Thanks a lot for your advice Jobeard, I appreciate it.
 
network topology

davids said:
I am planning to install a BT broadband router and place a hardware firewall between this and the LAN.
And the workstations will have internet access via the router as opposed to going through the server.
The attachment is your topology (i.e. network layout).
With a separate firewall between the Net and your first Router-1
(or get a good router with firewall capabilities), all users get basic
protection from intrusion.
The LAN side of Router-1 is your first network segment, and ALL USERS are on only it.

Router-2/Firewall-2 creates your second LAN segment and makes normal traffic flow thru segment-1 (not by rules, but by the change in seg-2 ip-address).
Router-1's IP segment-1 address becomes the default gateway for all users.

Your Business Server should have a STATIC ip-address and a well known name. You can then enter that name into LMHOST and your users
can then configure their email clients by name.

EMAIL: ports 110(pop3) 143(imap) 25(smtp)
you will need all email to be funneled thru to the Exchange Server
(logging recvd/sent email there).
Router-2 will have two addresses:
1) on segment-1
2) on segment-2
The inbound email from WWW is a two-step port forward for both 110/143
router-1 fwd-> router-2 segment-1 address
router-2 fwd-> the Exchange Server static address.

outbound email is similar for port 25
router-1 fwd-> router-2 segment-1 address
router-2 fwd-> the Exchange Server static address.
the ES will act as a proxy to deliver email back to the NET
[ you need to check me on this; I don't run ES ]

Router-1's segment-1 IP address becomes the default gateway for the ES server.

davids said:
So are you saying that I should totally disable WAN services on the server (except obviously for updates etc. and email services, as I am setting up Exchange also)?
Almost! No user-level users allowed to log in, only ADMINS, and they must
limit Internet access to UPDATES only; no personal email from that host -- totally unnecessary.

davids said:
Today I have been looking at AVG network antivirus for the workstations; would you recommend this? Also I am debating whether I need a separate antispyware protection such as Ewido, or if I would be better going for an all-in-one package like McAfee?
There's no silver bullet in security (i.e. you need several tools, as none are 100% comprehensive).
Find any/all services that integrate well with the ES. Done correctly, the AV
scan on email clients becomes ALMOST irrelevant.

You might wish to investigate an IDS (Intrusion Detection System) for the ES
platform.

Last thought: start planning for your Internal vs External DNS.
The EXT needs two copies, and they only identify business solutions you
wish to make public; e.g. any website hosted locally and the email server mapping (mail.yourdomain.com) to access the INT DNS, which may have
far more on it. The INT should be in a DMZ setting between the Public IP
and Router-1 (implying you need another router-0). If you have a locally hosted website, it too goes into the DMZ.
 

Attachments: Business-Network.pdf
Thanks Jobeard, I think I get most of that.
Another thing that is bothering me now is the antivirus needs: as the hardware firewall I plan to get says that it has "gateway antivirus" that scans incoming files and emails for viruses, does this mean that I do not need a separate software antivirus kit?
 
davids said:
Thanks Jobeard, I think I get most of that.
Another thing that is bothering me now is the antivirus needs: as the hardware firewall I plan to get says that it has "gateway antivirus" that scans incoming files and emails for viruses, does this mean that I do not need a separate software antivirus kit?
It reads that way, doesn't it :) Install it, and it
should have documentation and/or configuration info. IMMEDIATELY
access for UPDATES and you might see the download of the AV definitions.
 
It does read that way, but I'm not convinced. I asked the people who supply the firewall but they weren't sure, so I'm waiting for them to get back to me.

To be safe I think I might get some software AV as well.

One thing I didn't understand about your last post and the diagram is why I need two routers?

The setup I had in mind was 4/5 computers on the LAN (connected via a switch - does that count as one router?), all connected to a server acting as domain controller, file server and Exchange server, which will have a fixed private IP.

Then I will have the firewall, and on the other side of the firewall I will have a BT ADSL router modem, and this will act as the internet gateway for all LAN clients. The WAN port will have the only fixed public IP address.

Then I will forward email transmissions directly to the mail server (using port forwarding), and leave everything else as is. Does that sound OK?

Am I right in thinking that some people opt for having several public IPs so they can assign them, for example, to a mail server, a remote desktop server etc.? Does this method have any advantages over using port forwarding?


Thanks a lot for your help Jobeard

Dave
 
dmz layout

Attached is a DMZ config. The red lines are control
flows for business rules. Notice the perimeter does not participate (except via the VPN)
AND the business systems are even isolated from the users.

The DMZ will be the LEAST protected area, but there are more rules to
protect everything around it.

Multiple IP addresses give flexibility, including multiple physical sites across
the country. Dedicating an IP to email would normally be a big waste,
unless you're going to be as big as GM, AT&T, IBM and have world-wide
email traffic :)
 

Attachments: DMZ-Topology.pdf
ip addresses

BTW: if you have or will have a public WWW website, you're going to use three
IP addresses to support it:
1) the website address attached to your URL
2-3) for your public DNS

#4 might be for VPN access

Company internal systems would always be on the LAN and not directly
accessible from the web.
 
DMZ is really overkill here. If you are going to use the server as a domain controller or for file sharing, then it doesn't really matter if you stick it in the DMZ or not - you will be forwarding so many ports back and forth that the security advantage of the DMZ will be nil.

You definitely need antivirus on the workstations. Content scanning at the gateway cannot catch everything - the contents of password-protected zip files and SSL (HTTPS) connections cannot be examined by the firewall, for example. Also, the router cannot scan what people bring in on CDs or USB sticks.

Antivirus on the server is something you have to pay a premium for. (Desktop AV software is made not to run on a server OS - they want you to pay extra.) Depending on what kind of files/mail is going through the server, you may take the risk and do without an AV on the server machine.
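To make the limitation in the post above concrete: an added example (not from this thread, and not any vendor's scanner) that builds a small zip archive, once plain and once password-protected with the traditional PKZIP "ZipCrypto" cipher, then runs a gateway-style signature check over it beside the check an endpoint can do once the user has supplied the password. The archive writer, the cipher implementation, the entry names and the "signature" marker string are all constructed here for the demonstration.

```python
"""Why gateway AV cannot see inside a password-protected zip.

Added example: a minimal ZIP writer and the traditional PKZIP (ZipCrypto) cipher are
implemented here only to produce test data that Python's zipfile can read back.
SIGNATURE stands in for a real AV signature.
"""
import io
import os
import struct
import zipfile
import zlib

SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"   # made-up marker, not a real signature
ENCRYPTED_FLAG = 0x0001                      # general-purpose flag bit 0 in the ZIP format


def _gen_crc_table():
    table = []
    for c in range(256):
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _gen_crc_table()


def _crc32_update(crc, byte):
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKZIP stream cipher (weak by modern standards; used only to build test data)."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_update(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def encrypt(self, plain):
        out = bytearray()
        for p in plain:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)                  # key schedule advances on the plaintext byte
        return bytes(out)


def build_zip(entries, password=None):
    """Minimal ZIP writer (stored entries). With a password, each entry gets the 12-byte
    ZipCrypto header and the encrypted flag, as archivers' 'ZipCrypto' option would."""
    local_parts, central_parts, offset = [], [], 0
    for name, plain in entries.items():
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        flags, data = 0, plain
        if password is not None:
            flags = ENCRYPTED_FLAG
            header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])   # last byte lets readers verify the password
            data = ZipCrypto(password).encrypt(header + plain)
        fname = name.encode("ascii")
        local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                            crc, len(data), len(plain), len(fname), 0) + fname
        central_parts.append(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0x21,
                                         crc, len(data), len(plain), len(fname), 0, 0, 0, 0, 0, offset) + fname)
        local_parts.append(local + data)
        offset += len(local) + len(data)
    central = b"".join(central_parts)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return b"".join(local_parts) + central + eocd


def gateway_scan(archive):
    """Per-entry verdict from a gateway that has no password: encrypted entries are opaque to it."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                verdicts[info.filename] = "uninspectable"
            else:
                verdicts[info.filename] = "infected" if SIGNATURE in zf.read(info) else "clean"
    return verdicts


def endpoint_scan(archive, password):
    """Endpoint AV sees the plaintext at the moment the user unpacks with the password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: "infected" if SIGNATURE in zf.read(info, pwd=password) else "clean"
                for info in zf.infolist()}


# Constructed sample: one harmless note and one entry carrying the marker.
ENTRIES = {"invoice.txt": b"please see the attached file", "payload.bin": b"\x00" * 8 + SIGNATURE}

if __name__ == "__main__":
    print("plain zip, gateway view:", gateway_scan(build_zip(ENTRIES)))
    enc = build_zip(ENTRIES, password=b"letmein")
    print("encrypted zip, gateway view:", gateway_scan(enc))
    print("encrypted zip, endpoint view:", endpoint_scan(enc, b"letmein"))
```

The gateway's only honest verdict on the encrypted entries is "uninspectable"; a sensible gateway policy is to quarantine or flag such attachments rather than pass them as clean, and the workstation AV is what finally examines the bytes when the user extracts them.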
 
Thanks all for your help.

I have sort of decided to go for the Sophos antivirus suite - it has workstation antivirus and also a separate antivirus for the server.

I haven't had any experience with corporate antivirus, but being a home computer engineer I have never grown to dislike Norton, for one. As for McAfee I'm not sure about that as I haven't used it a great deal.
Where I last worked (unrelated to IT) they had Sophos and it seemed to me that it worked quite well. If anyone has any experience of it I'd like to hear.

I am erring on sticking to one fixed IP address and using port forwarding (as I know how to do this to a certain extent). If I need more IPs I figure I can always upgrade the broadband package.

I'm not entirely sure about the DMZ. I think it will be better if I post on here again when the server has arrived, as I'm quite likely to get stuck at some point in the configuration!

Hope you don't mind?

Thanks a lot
 
One is always welcome to ask. Especially in the pleasant way you seem to :)

Don't worry about the DMZ - in your scenario it will bring more trouble than it's worth.

PS
I don't know what version of CheckPoint you are getting, but AFAIK CP has an SMTP server feature. Make sure you turn this on - the router will do some basic sanity checking on the SMTP traffic (will catch some 30-50 percent of spam without even scanning anything) and will also hide the identity of your real mail server (no need to let everyone know what Exchange version you are running).
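As an added illustration of the kind of checks such a gateway SMTP feature can do (this is not CheckPoint's code and makes no claim about how its product works): a small state machine that validates the SMTP envelope before a command is forwarded to the real mail server, and replaces the server's greeting with a generic banner so the software behind it is not disclosed. Hostnames, addresses and the sample sessions are constructed.

```python
"""SMTP sanity filter in front of a mail server: envelope checks and banner masking.

Added example, modelling the idea of a gateway 'SMTP server' feature with a small
state machine. Not any vendor's implementation; names and sessions are constructed.
"""
import re

GENERIC_BANNER = "220 mail.example.com ESMTP"       # what the outside world is shown
# Simplified syntax checks, not a full RFC 5321 grammar: a dotted hostname or an IPv4 literal
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$|^\[\d{1,3}(?:\.\d{1,3}){3}\]$")
MAILBOX_RE = re.compile(r"^<([^<>@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)>$")
MAX_LINE = 512                                      # RFC 5321 command line limit incl. CRLF


class SmtpSanityFilter:
    """Per-connection state; check() returns ('forward', line) or ('reject', reply)."""

    def __init__(self):
        self.greeted = False
        self.sender = None

    def banner(self, upstream_banner):
        """Replace the real server's greeting so its software and version are not revealed."""
        return GENERIC_BANNER

    def check(self, line):
        # Malformed lines: over-long, 8-bit characters, or embedded line breaks.
        if len(line) + 2 > MAX_LINE or "\r" in line or "\n" in line or any(ord(c) > 127 for c in line):
            return "reject", "500 5.5.2 Syntax error"
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            if not HOST_RE.match(arg):
                return "reject", "501 5.5.4 Invalid HELO/EHLO argument"
            self.greeted = True
            return "forward", line
        if cmd in ("MAIL", "RCPT", "DATA") and not self.greeted:
            return "reject", "503 5.5.1 Send HELO/EHLO first"
        if cmd == "MAIL":
            # "<>" is the null sender used for bounces; optional ESMTP parameters may follow.
            m = re.match(r"^FROM:\s*(<>|<[^>]*>)(?:\s+\S+)*$", arg, re.IGNORECASE)
            if not m or (m.group(1) != "<>" and not MAILBOX_RE.match(m.group(1))):
                return "reject", "501 5.1.7 Bad sender address syntax"
            self.sender = m.group(1)
            return "forward", line
        if cmd == "RCPT":
            if self.sender is None:
                return "reject", "503 5.5.1 Need MAIL command"
            m = re.match(r"^TO:\s*(<[^>]*>)(?:\s+\S+)*$", arg, re.IGNORECASE)
            if not m or not MAILBOX_RE.match(m.group(1)):
                return "reject", "501 5.1.3 Bad recipient address syntax"
            return "forward", line
        if cmd == "RSET":
            self.sender = None
            return "forward", line
        if cmd in ("DATA", "NOOP", "QUIT"):
            return "forward", line
        # Anything else (VRFY, EXPN, unknown verbs) never reaches the real server.
        return "reject", "502 5.5.2 Command not implemented"


def run_session(lines):
    """Apply one filter instance to a client's command lines; returns the list of verdicts."""
    f = SmtpSanityFilter()
    return [f.check(line) for line in lines]


if __name__ == "__main__":
    session = ["EHLO mail.sender.example", "MAIL FROM:<alice@sender.example>",
               "RCPT TO:<bob@yourdomain.example>", "DATA", "QUIT"]
    for line, verdict in zip(session, run_session(session)):
        print(f"{line!r:45} -> {verdict}")
```

Real gateways add reputation, rate and connection-count checks on top of syntax; the point here is that sequencing and syntax checks alone already reject clients that never bothered to greet or to use a proper address, which is the "without even scanning anything" effect the post refers to.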
 