Small Network Setup Issue
Hi all,
I'm confused about some of the network setups I deal with day to day, specifically with SBS 2003 servers and small companies.
Some sites I have been to have the ADSL router going straight into the patch panel, and the SBS server and PCs all come off the patch panel. However other setups use exactly the same equipment, but the router goes into one NIC on the SBS server, then a 2nd NIC in the server has a cable coming out of it that seemingly feeds the internet connection into the patch panel.
What are the benefits (if any) of using 2 NICs, or just putting the ADSL router straight into the patch panel?
Many thanks,
Comments
-
networker050184 Mod Posts: 11,962 Mod
The site with the ADSL going directly into the server is probably serving as some sort of ALG. The benefit of that would be security there.
An expert is a man who has made all the mistakes which can be made.
-
remyforbes777 Member Posts: 499
For one, it's not a patch panel, it's a switch.
They are probably using SBS as some type of router or maybe even using it as some type of firewall.
Remington Forbes
www.blacksintechnology.net
-
scheistermeister Member Posts: 748
My DSL goes directly into a 48 port switch at home, just means that the telco is using RFC 1483 bridged DSL. I was also able to pull 10 public IPs that way as well. Don't know if there is a limit though, ran out of hosts to hook up.
Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
-
macdude Member Posts: 173
With SBS you can configure one NIC for your private network and the other NIC to allow you out to the internet.
From Microsoft:
Network adapters - This is the number of network adapters on the server that will be connected to the Internet and to the local area network. A two-network-adapter configuration connects one adapter to the local area network and connects the other to the Internet. A one-network adapter configuration connects a single network adapter to the local area network. A router that is connected to the local area network or to a modem that is connected to a server provides connection to the Internet.
The link for the article is here: http://support.microsoft.com/?id=825763
At work we run a ton of SBS servers, but we do not do the dual-NIC config; we like to use a hardware firewall for security.
-
HeroPsycho Inactive Imported Users Posts: 1,940
mipouk wrote:
However other setups use exactly the same equipment, but the router goes into one NIC on the SBS server, then a 2nd NIC in the server has a cable coming out of it that seemingly feeds the internet connection into the patch panel.
What are the benefits (if any) of using 2 NICs, or just putting the ADSL router straight into the patch panel?
Many thanks,
These SBS servers are likely (hopefully) SBS 2003 Premium, and include ISA Server, which is an enterprise class firewall application. The advantage of using ISA is deep application layer inspection of all traffic, even within an encrypted SSL tunnel. It can securely publish internet applications like email, Outlook Web Access, ActiveSync, and Sharepoint.
With that said, even when I deploy SBS Premium utilizing ISA, I still put a "hardware" firewall in front to filter traffic before it hits SBS/ISA. I'd say 99% of the traffic that ISA would drop, a simple packet filtering firewall would have dropped, too, so why soak resources on the ISA server to inspect easily detected traffic to drop? Let ISA just focus on traffic that should be more closely inspected.
For your customers who do not have a hardware firewall in front of their SBS server, I highly recommend looking closely at the external NIC's config. In my experience most people who deploy SBS Premium don't have the foggiest idea what they're doing when it comes to ISA, and their external NICs are poorly configured for security. Examples of bad configs: Having anything bound to the external NIC other than TCP/IP (Client for Microsoft Networks and File and Print Sharing enabled = bad!), having DNS servers configured, and having NetBIOS over TCP/IP and Register this connection in DNS enabled.
macdude wrote:
At work we run a ton of SBS servers, but we do not do the dual-NIC config; we like to use a hardware firewall for security.
You're actually cheating your customers out of better security if they're using SBS 2003 Premium. In order to get application level traffic inspection other than for web traffic that ISA provides, you must have a dual NIC config for your SBS server.
Still use your external firewall, but then plug the external NIC into the LAN side of the hardware firewall, and then the internal NIC on the SBS server into the LAN. Now, the entire network is protected by both the hardware firewall and ISA, and ALL traffic is analyzed by ISA for your SBS server.
Hope this helps!
(Why exactly haven't I gone ahead and gotten the cert for this? Oh yes, it's because I hate working on SBS. LOL!)
Good luck to all!
-
macdude Member Posts: 173
We have a few places that run ISA, but most of our clients run Standard. SBS can be fun, but most of the time it's boring, just point and click.
-
HeroPsycho Inactive Imported Users Posts: 1,940
darkerosxx wrote:
HeroPsycho wrote:
DPI is the death of the intarwebs as we knowz it!
LOL, it's a technology, just like other pieces of technology, that can be used for good and bad. In this case, ISA is a good thing. You don't want someone able to hack your SBS server because they tried to exploit IIS in a manner that shouldn't even have been processed. For example, if the access was to a virtual folder that doesn't even exist, but the packet is malformed in a manner that it would exploit IIS anyway, ISA would drop the packet before letting IIS process it. The best part is it does that even if the attacker attempts to do it in an SSL tunnel.
ISA = good!
Good luck to all!
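Added example, not part of the thread: a PowerShell audit of the external-NIC settings HeroPsycho lists above (DNS servers configured, NetBIOS over TCP/IP, "Register this connection in DNS"), read through the `Win32_NetworkAdapterConfiguration` WMI class. The `$ExternalIp` parameter, its placeholder address and the function name `Test-ExternalNicConfig` are assumptions for illustration; the protocol bindings (Client for Microsoft Networks, File and Print Sharing) are not covered by this check and still need to be reviewed in the adapter's properties.

```powershell
# Added example: flag risky settings on the Internet-facing NIC of a dual-NIC server.
# $ExternalIp is an assumption: pass the address bound to the external adapter.
# 192.0.2.10 is a documentation placeholder, not a value from the thread.
param([string]$ExternalIp = '192.0.2.10')

function Test-ExternalNicConfig {
    # $Nic: one Win32_NetworkAdapterConfiguration object
    param($Nic)
    $findings = @()

    # The external NIC should have no DNS servers of its own configured.
    if ($Nic.DNSServerSearchOrder) {
        $servers = [string]::Join(', ', $Nic.DNSServerSearchOrder)
        $findings += "DNS servers configured: $servers"
    }

    # TcpipNetbiosOptions: 0 = taken from DHCP, 1 = enabled, 2 = disabled.
    # Only an explicit 2 guarantees NetBIOS over TCP/IP is off.
    if ($Nic.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled (TcpipNetbiosOptions=$($Nic.TcpipNetbiosOptions))"
    }

    # Corresponds to the "Register this connection's addresses in DNS" checkbox.
    if ($Nic.FullDNSRegistrationEnabled) {
        $findings += "'Register this connection's addresses in DNS' is enabled"
    }
    return $findings
}

# Select the IP-enabled adapter that carries the external address.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $ExternalIp })

if ($nics.Count -eq 0) {
    Write-Warning "No IP-enabled adapter has address $ExternalIp"
    return
}

foreach ($nic in $nics) {
    $findings = @(Test-ExternalNicConfig $nic)
    if ($findings.Count -eq 0) {
        Write-Output "$($nic.Description): no findings for the checked settings"
    } else {
        foreach ($f in $findings) { Write-Output "$($nic.Description): $f" }
    }
}
```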