Network Security Design / Config

By denisobrien
I have been tasked to set up a new network for 30 users. Some of
these guys will need IP VPN access to the network for remote
working. I believe the best way to go is via a DMZ configuration. I
am thinking of putting in ISA Server for Firewall and IPVPN Access
and then adding a second firewall (Nokia 5i) to protect the
internal network. In between the firewalls I am thinking of adding
a Cisco router. Is this overkill? Any recommendations greatly


by CG IT In reply to Network Security Design / ...

If you put in ISA Server as a perimeter firewall, then you don't need a DMZ. If you have the budget [and if you bought a Cisco router, you should have the budget for it], use 2 ISA servers: a perimeter and a backend.

by CG IT In reply to

I'm assuming that you know the capabilities of ISA Server by virtue of you mentioning it. With 2 ISA servers [and use ISA 2004, not 2000] you have the ability to cluster ISAs and have multiple network segments [3/4 NICs that ISA controls]. Further, ISA is a proxy; therefore ISA does not allow passthrough of traffic, but rather obtains whatever is requested and then provides it to the requestor.

by boureaq In reply to Network Security Design / ...

I think you should consider open source.
You can consider setting up a Linux box + openswan/strongswan that will act as a router/firewall.
In the remote location you can use a Linksys VPN router.
The Linux box can easily manage up to 20 encrypted simultaneous connections, depending on your Internet bandwidth.
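One way to build the Linux router/firewall this reply suggests, as an added example that is not from the thread: an iptables ruleset for three zones (Internet, DMZ, LAN) plus an IPsec remote-access path, with IKE/ESP themselves handled by strongSwan. Interface names, subnets, the VPN address pool and the published DMZ host are assumptions.

```shell
#!/bin/sh
# Added example: Linux router/firewall with a DMZ and an IPsec (strongSwan) remote-access zone.
# Assumed interfaces and addressing (not from the thread):
#   eth0 = Internet, eth1 = DMZ (192.168.20.0/24), eth2 = LAN (192.168.10.0/24)
#   remote VPN users get addresses from 10.99.0.0/24; one published web host in the DMZ.
WAN=eth0; DMZ=eth1; LAN=eth2
LAN_NET=192.168.10.0/24; DMZ_NET=192.168.20.0/24; VPN_POOL=10.99.0.0/24; DMZ_WEB=192.168.20.10
# Emit an iptables-restore ruleset expressing the zone policy.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# IKE, NAT-T and ESP from the Internet so remote users can bring up IPsec tunnels
-A INPUT -i $WAN -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN -p esp -j ACCEPT
# Firewall management only from the LAN
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN may initiate to the Internet and to the DMZ
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
# Internet may reach only the published DMZ service (DNAT below)
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 443 -j ACCEPT
# DMZ hosts never initiate into the LAN: a compromised DMZ box must not pivot inward
-A FORWARD -i $DMZ -o $LAN -j DROP
# Only decrypted IPsec traffic from the VPN pool may enter the LAN from the Internet side
-A FORWARD -i $WAN -o $LAN -s $VPN_POOL -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB
# Do not NAT traffic that will leave inside an IPsec tunnel; masquerade the rest
-A POSTROUTING -o $WAN -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN -s $DMZ_NET -j MASQUERADE
COMMIT
EOF
}
# "apply" loads the rules atomically; with no argument the ruleset is printed for review.
if [ "$1" = apply ]; then gen_rules | iptables-restore; else gen_rules; fi
```

Rule order matters: the DMZ-to-LAN DROP sits after the ESTABLISHED,RELATED accept, so LAN-initiated sessions into the DMZ still get their replies while nothing new can originate from the DMZ side.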

by -Q-240248 In reply to Network Security Design / ...

I think it's a bit overkill. I would just use the ISA server for your DMZ and VPN connection, as well as Internet proxying, as long as you put at least two interfaces in it.

by Amjad Zoghbi In reply to Network Security Design / ...

I personally think the use of two firewalls in that case is too much. Here's what I suggest: if you haven't bought any of the devices yet, buy one decent hardware firewall (NetScreen, WatchGuard, FortiGate (recommended because of AV, ID features)...) that can act as a solid VPN terminator and packet filter. I don't really like putting Windows-based devices on the network perimeter; they tend to be unstable and insecure, whilst hardware devices are optimized and specialized to do what they do (not a program installed on a Windows PC).

Now, if you already have the equipment, then ISA + Nokia makes sense: in case the ISA goes down (cross your fingers), you'll have the hardware Nokia F/W to back you up and prevent intrusion into your LAN. The Cisco router in the middle is of no real value in your case.

There, I hope it helps. Have a good day.
