network topology
davids said:
I am planning to install a BT broadband router and place a hardware firewall between this and the LAN.
And the workstations will have internet access via the router as opposed to going through the server.
The attachment is your topology (i.e. network layout).
With a separate firewall between the Net and your first Router-1 (or get a good router with firewall capabilities) all users get basic protection from intrusion.
The LAN side of Router-1 is your first network segment and ALL USERS are only on it.
Router-2/Firewall-2 creates your second LAN segment and makes normal traffic flow through segment-1 (not by rules, but by the change in seg-2 IP address).
Router-1's IP segment-1 address becomes the default gateway for all users.
Your Business Server should have a STATIC IP address and a well-known name. You can then enter that name into LMHOSTS and your users can then configure their email clients by name.
EMAIL:
ports 110 (POP3), 143 (IMAP), 25 (SMTP)
You will need all email to be funneled through to the Exchange Server (logging received/sent email there).
Router-2 will have two addresses:
1) on segment-1
2) on segment-2
The inbound email from WWW is a two-step port forward for both 110/143:
router-1 fwd-> router-2 segment-1 address
router-2 fwd-> the Exchange Server static address.
Outbound email is similar for port 25:
router-1 fwd-> router-2 segment-1 address
router-2 fwd-> the Exchange Server static address.
The ES will act as a proxy to deliver email back to the NET
[ you need to check me on this; I don't run ES ]
Router-1's segment-1 IP address becomes the default gateway for the ES server.
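The two-router, two-segment layout and the two-step port forward above, as an added worked model (not code from the thread or any poster). Addresses, segment ranges and the Exchange Server's static IP are constructed samples; the iptables rendering assumes Linux-based routers, which is an assumption, since the BT router in the question is configured through its own UI. Tracing a packet hop by hop shows that only the listed mail ports reach the ES and that anything else is dropped at Router-1:

```python
"""Model of: Internet -> Router-1 (WAN / segment-1) -> Router-2 (segment-1 / segment-2) -> Exchange Server.

Each router holds a small DNAT-style forwarding table keyed by destination port.
trace_inbound() follows an inbound packet through each hop so the two-step forward
(router-1 -> router-2 -> ES) can be checked before touching real hardware.
All addresses are constructed sample values, not the poster's network.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Router:
    name: str
    wan_ip: IPv4Address       # address on the upstream side of this router
    lan_net: IPv4Network      # the segment this router is the gateway for
    lan_ip: IPv4Address       # the default-gateway address hosts on that segment use
    forwards: dict = field(default_factory=dict)  # dst_port -> (next_ip, next_port)

    def forward(self, dst_port):
        return self.forwards.get(dst_port)


# Constructed sample addressing (assumption): segment-1 is 192.168.1.0/24,
# segment-2 is 192.168.2.0/24, Router-1's public side is 203.0.113.10.
ROUTER1 = Router("router-1", IPv4Address("203.0.113.10"),
                 IPv4Network("192.168.1.0/24"), IPv4Address("192.168.1.1"))
ROUTER2 = Router("router-2", IPv4Address("192.168.1.2"),
                 IPv4Network("192.168.2.0/24"), IPv4Address("192.168.2.1"))
EXCHANGE = IPv4Address("192.168.2.10")   # static address of the Exchange Server

# The two-step forward from the reply: router-1 -> router-2's segment-1 address -> ES.
MAIL_PORTS = (25, 110, 143)
for port in MAIL_PORTS:
    ROUTER1.forwards[port] = (ROUTER2.wan_ip, port)
    ROUTER2.forwards[port] = (EXCHANGE, port)


def trace_inbound(dst_port, routers=(ROUTER1, ROUTER2)):
    """Follow a packet arriving on router-1's WAN side through each hop.

    Returns the list of (hop_name, ip, port) visited. The last entry is either the
    final destination or (router, None, None) for the router that dropped it.
    """
    ip, port = routers[0].wan_ip, dst_port
    path = [("internet", ip, port)]
    for idx, router in enumerate(routers):
        # A forwarded packet must actually be addressed to the next router.
        if idx > 0 and ip != router.wan_ip:
            path.append((router.name, None, None))
            return path
        nxt = router.forward(port)
        if nxt is None:                       # no forward rule: dropped here
            path.append((router.name, None, None))
            return path
        ip, port = nxt
        path.append((router.name, ip, port))
    return path


def reaches_exchange(dst_port):
    """True only if the full two-hop chain delivers the port to the ES."""
    return trace_inbound(dst_port)[-1][1] == EXCHANGE


def iptables_rules(router):
    """Render one router's table as Linux DNAT rules (assumption: iptables-based router)."""
    return [
        f"iptables -t nat -A PREROUTING -p tcp --dport {p} "
        f"-j DNAT --to-destination {ip}:{np}"
        for p, (ip, np) in sorted(router.forwards.items())
    ]


if __name__ == "__main__":
    for p in (25, 110, 143, 445):
        print(p, "->", trace_inbound(p)[-1])
    for r in (ROUTER1, ROUTER2):
        print(f"# {r.name}")
        print("\n".join(iptables_rules(r)))
```

Running the block prints the hop list for each port and the rule set for both routers; port 445 (a port the reply does not forward) stops at router-1, which is the behaviour you want to confirm on the real devices before exposing the ES.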
So are you saying that I should totally disable WAN services on the server (except obviously for updates etc. and email services, as I am setting up Exchange also)?
Almost! No user-level users allowed to log in, only ADMINS, and they must limit Internet access to UPDATES only; no personal email from that host -- totally unnecessary.
Today I have been looking at AVG network antivirus for the workstations, would you recommend this? Also I am debating whether I need separate antispyware protection such as Ewido, or if I would be better going for an all-in-one package, like McAfee?
There's no silver bullet in security (i.e. you need several tools as none are 100% comprehensive).
Find any/all services that integrate well with the ES. Done correctly, the AV scan on email clients becomes ALMOST irrelevant.
You might wish to investigate an IDS (Intrusion Detection System) for the ES platform.
Last thought: start planning for your Internal vs External DNS.
The EXT needs two copies and they only identify business solutions you wish to make public; e.g. any website hosted locally and the email server mapping (mail.yourdomain.com). The INT DNS may have far more on it. The INT should be in a DMZ setting between the Public IP and Router-1 (implying you need another Router-0). If you have a locally hosted website, it too goes into the DMZ.