Small Network Setup Issue

mipouk · August 2008

Hi all,

Im confused about some of the network setups i deal with day to day, specifically with SBS 2003 servers and small companies.

Some sites I have been to have the ADSL router going straight into the patch panel, and the SBS server and PCs all come off the patch panel. However other setups use exactly the same equipment, but the router goes into one NIC on the SBS server, then a 2nd NIC in the server has a cable coming out of it that seemingly feeds the internet connection into the patch panel.

What are the benefits (if any) of using 2 NICs, or just putting the ADSL router straight into the patch panel?

Many thanks,

networker050184 · August 2008

The site with the ADSL going directly into the server is probably serving as some sort of ALG. The benefit of that would be security there.

remyforbes777 · August 2008

For one its not a patch panel its a switch.
They are probably using SBS as some type of router or maybe even using it as some type of firewall.

scheistermeister · August 2008

My DSL goes directly into a 48 port switch at home, just means that the telco is using RFC 1483 bridged DSL. I was also able to pull 10 public IPs that way as well. Don't know if there is a limit though, ran out of hosts to hook up.

macdude · August 2008

With SBS you can configure one NIC for your private network and the other NIC to allow you out to the internet.

From Microsoft:

Network adapters - This is the number of network adapters on the server that will be connected to the Internet and to the local area network. A two-network-adapter configuration connects one adapter to the local area network and connects the other to the Internet. A one-network adapter configuration connects a single network adapter to the local area network. A router that is connected to the local area network or to a modem that is connected to a server provides connection to the Internet.

The link for the article is here: http://support.microsoft.com/?id=825763

At work we run a ton of SBS servers, but we do not do the dual-nic config, we will likes to use a hardware firewall for security.

HeroPsycho · August 2008

mipouk wrote:

However other setups use exactly the same equipment, but the router goes into one NIC on the SBS server, then a 2nd NIC in the server has a cable coming out of it that seemingly feeds the internet connection into the patch panel.

What are the benefits (if any) of using 2 NICs, or just putting the ADSL router straight into the patch panel?

Many thanks,

These SBS servers are likely (hopefully) SBS 2003 Premium, and include ISA Server, which is an enterprise class firewall application. The advantage of using ISA is deep application layer inspection of all traffic, even within an encrypted SSL tunnel. It can securely publish internet applications like email, Outlook Web Access, ActiveSync, and Sharepoint.

With that said, even when I deploy SBS Premium utilizing ISA, I still put a "hardware" firewall in front to filter traffic before it hits SBS/ISA. I'd say 99% of the traffic that ISA would drop, a simple packet filtering firewall would have dropped, too, so why soak resources on the ISA server to inspect easily detected traffic to drop? Let ISA just focus on traffic that should be more closely inspected.

For your customers who do not have a hardware firewall in front of their SBS server, I highly recommend looking closely at the external NIC's config. In my experience most people who deploy SBS Premium don't have the foggiest idea what they're doing when it comes to ISA, and their external NIC's are poorly configured for security. Examples of bad configs: Having anything bound to the external NIC other than TCP/IP (Client for Microsoft Networks and File and Print Sharing enabled = bad!), having DNS servers configured, and having NetBIOS over TCP/IP and Register this connection in DNS enabled.

macdude wrote:

At work we run a ton of SBS servers, but we do not do the dual-nic config, we will likes to use a hardware firewall for security.

You're actually cheating your customers out of better security if they're using SBS 2003 Premium. In order to get application level traffic inspection other than for web traffic that ISA provides, you must have a dual NIC config for your SBS server.

Still use your external firewall, but then plug the external NIC into the LAN side of the hardware firewall, and then the internal NIC on the SBS server into the LAN. Now, the entire network is protected by both the hardware firewall and ISA, and ALL traffic is analyzed by ISA for your SBS server.

Hope this helps!

(Why exactly haven't I gone ahead and gotten the cert for this? Oh yes, it's because I hate working on SBS. LOL!)

HeroPsycho · August 2008

What is deep packet inspection?

http://technet.microsoft.com/en-us/library/cc707728.aspx

macdude · August 2008

We have a few places that run ISA, but most of our clients run Standard. SBS can be fun, but most of the time its boring, just point and click.

darkerosxx · August 2008

HeroPsycho wrote:

What is deep packet inspection?

http://technet.microsoft.com/en-us/library/cc707728.aspx

DPI is the death of the intarwebs as we knowz it!

HeroPsycho · August 2008

darkerosxx wrote:

HeroPsycho wrote:

What is deep packet inspection?

http://technet.microsoft.com/en-us/library/cc707728.aspx

DPI is the death of the intarwebs as we knowz it!

LOL, it's a technology, just like other pieces of technology, that can be used for good and bad. In this case, ISA is a good thing. You don't want someone able to hack your SBS server because they tried to exploit IIS in a manner that shouldn't even have been processed. For example, if the access was to a virtual folder that doesn't even exist, but the packet is malformed in a manner that it would exploit IIS anyway, ISA would drop the packet before letting IIS process it. The best part is it does that even if the attacker attempts to do it in an SSL tunnel.

ISA = good!

Small Network Setup Issue

Comments