
Greetings Server Fault Universe,

So here's a quick background. Two weeks ago I started a new position as the systems administrator for an expanding health services company of just over 100 persons. The individual I was replacing left the company with little to no notice. Basically, I have inherited a network of one main HQ (where I am situated), which has existed for over 10 years, with five smaller offices (fewer than 20 persons).

I am trying to make sense of the current setup. The network at the HQ includes:

  • Linksys RV082 router providing internet access for employees and site-to-site VPN connecting the smaller offices (using an RV042 each). We have both cable and DSL lines connected to balance traffic (however, this does not work at all and is not my main concern right now).

  • Cisco IronPort appliance. This is the main gateway for our incoming and outgoing email. This also has an external IP and an internal IP.

  • Lotus Domino inbound and outbound email servers connected to the mentioned Cisco gateway. These also have an external IP and an internal IP.

  • Two Windows 2003 and 2008 boxes running as domain controllers, with DNS of course. These also have both an external IP and an internal IP.

  • Website and webmail servers, also on both external and internal IPs.

I am still confused as to why there are so many servers connected directly to the internet. I am seriously looking to redesign this setup with proper security practices in mind (my highest concern) and am in need of a proper firewall setup for the external/internal servers, along with a VPN solution for about 50 employees. Budget is not a concern, as I have been given some flexibility to purchase necessary solutions. I have been told a Cisco ASA appliance may help.

Does anyone out in the Server Fault Universe have some recommendations? Thank you all in advance.

RSXAdmin

2 Answers


Yes, Cisco ASA will help. Also, set up a demilitarized zone (DMZ).

These things shouldn't normally have an external IP: Domino servers, AD controllers, web mail servers. I think employees should access them through VPN only.

If your AD controllers serve your DNS not only to the internal LAN, but also to the outside world (i.e. if they serve yourcompany.com to the whole Internet), change the setup: external DNS should be on separate machines, placed in DMZ.

kubanczyk
  • I couldn't agree more. The web mail server however is meant to be like OWA (outlook web access) where everyone in the company can login to check their e-mail anywhere. We currently do not host our own DNS servers outside. We use a DNS provider for domain names. – RSXAdmin Mar 14 '10 at 00:28
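As an added illustration, not part of kubanczyk's answer or the follow-up comment: a hypothetical Cisco ASA configuration fragment (8.4-style syntax) showing the three-zone layout the answer describes. All interface names, object names and addresses are assumptions (addresses are from the RFC 5737 documentation ranges). Only the IronPort, an external DNS server and the webmail host are reachable from the Internet, and they sit in the DMZ; Domino and the AD/DNS controllers stay on the inside network with no public address at all. Because the follow-up comment says webmail must stay usable without the VPN, it is placed in the DMZ with only HTTPS permitted rather than inside.

```cisco
! Added example, not from the original answers. Interface names, addresses
! and object names are assumed; addresses are RFC 5737 documentation ranges.
! Three zones: outside (0), dmz (50), inside (100). The ASA only forwards from
! a higher to a lower security level by default, so inside -> dmz -> outside is
! open and anything inbound must be explicitly permitted below.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Hosts that genuinely need to be reachable from the Internet live in the DMZ
! and each gets a static one-to-one NAT; nothing on the inside network does.
object network IRONPORT
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.3
object network EXT_DNS
 host 192.168.50.11
 nat (dmz,outside) static 203.0.113.4
object network WEBMAIL
 host 192.168.50.12
 nat (dmz,outside) static 203.0.113.5
!
! Internal hosts (Domino, AD/DNS) share one outbound PAT address and are never
! exposed; remote staff reach them over the VPN, not from the Internet.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound policy: exactly three services; everything else is denied and logged.
! (8.3+ ACLs reference the real, untranslated addresses via the objects.)
access-list OUTSIDE_IN extended permit tcp any object IRONPORT eq smtp
access-list OUTSIDE_IN extended permit udp any object EXT_DNS eq domain
access-list OUTSIDE_IN extended permit tcp any object EXT_DNS eq domain
access-list OUTSIDE_IN extended permit tcp any object WEBMAIL eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The DMZ cannot initiate connections to the inside network by default, so a
! compromised DMZ host gets no free path to Domino or the domain controllers.
! Permit only what is needed: here the IronPort relaying inbound mail to
! Domino. Add an equally narrow rule for whatever back-end access the webmail
! host needs (assumed to exist; the port depends on how Domino is set up).
object network DOMINO
 host 10.0.0.20
access-list DMZ_IN extended permit tcp object IRONPORT object DOMINO eq smtp
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Two checks worth doing once this is in place: `show nat` should list static translations only for the three DMZ objects, and `show access-list OUTSIDE_IN` hit counts on the final deny line will show how much unsolicited traffic the old setup was letting straight through to the domain controllers. Outbound mail from Domino to the IronPort (inside to dmz) needs no rule because it flows from the higher to the lower security level.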

Step 1: Throw away the Linksys device. It's unlikely to be able to scale as you will require. (In my experience, the WAN link failover on this class of device is substandard) Replace it with a proper Cisco router. Or maybe a Juniper if you're so inclined. This way you'll get proper business / enterprise type routing and functionality. A proper support contract, and a device that wasn't assembled by moon monkeys.

Step 2: Get a proper hardware firewall. You could probably get away with a Cisco 5510 or similar device. They're good extensive firewalls, you can do as little or as much filtering as you like.

Step 3: Learn loads about proper routing and firewalling from your newly acquired hardware.

Tom O'Connor
  • Thank you, sir. Are there any Cisco routers you would recommend? I very much do want to go Cisco. How do I go about the current satellite office setup where there is VPN tunneling from them to my HQ? – RSXAdmin Mar 14 '10 at 00:26
  • I'd recommend a 2811. It's a modular router, meaning you can put different line cards in to allow you to connect to different media. You can get a cable card, so you can abandon the cable modem, and an ADSL card, likewise. VPN should be trivial, depending what the satellite office has as their VPN endpoint. If you had a 2811 at the HQ, you could either have an identical device at the office, or terminate the VPN on a different device, such as a Cisco firewall, or 877 ADSL router. – Tom O'Connor Mar 14 '10 at 09:51
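As an added example, not from Tom O'Connor's answer or the comments: the HQ side of one site-to-site IPsec tunnel terminated on a Cisco ASA, written in 8.4-style syntax. The peer address, subnets, object names and the placeholder pre-shared key are all assumptions. Whatever the satellite office ends up using as its endpoint (the existing RV042, an 877, or another ASA) must be configured with the same IKE proposal, transform set, subnets and key.

```cisco
! Added example, not from the original answers. Peer address, subnets,
! object names and the placeholder key are assumed; ASA 8.4-style syntax.
! HQ side of one IKEv1/IPsec tunnel. Repeat the branch object, crypto ACL,
! NAT exemption, tunnel-group and crypto map entry (with a new sequence
! number) for each additional satellite office.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
object network HQ_LAN
 subnet 10.0.0.0 255.255.255.0
object network BRANCH1_LAN
 subnet 10.0.1.0 255.255.255.0
!
! Traffic between the two LANs is what gets encrypted ("interesting traffic").
access-list BRANCH1_VPN extended permit ip object HQ_LAN object BRANCH1_LAN
!
! Exempt tunnel traffic from the outbound PAT; otherwise it would leave with
! the outside address and never match the crypto ACL.
nat (inside,outside) source static HQ_LAN HQ_LAN destination static BRANCH1_LAN BRANCH1_LAN no-proxy-arp route-lookup
!
! The tunnel-group name is the peer's public address for a static peer.
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
crypto map OUTSIDE_MAP 10 match address BRANCH1_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Verify after sending the first packet from inside toward 10.0.1.0/24:
!   show crypto ikev1 sa   (state should be MM_ACTIVE)
!   show crypto ipsec sa   (encaps/decaps counters increasing)
```

The proposal shown (AES-256, SHA-1, DH group 2) is the lowest common denominator that small 2010-era endpoints such as the RV042 negotiate; when both ends support it, use a stronger DH group and SHA-2, and use a different, randomly generated pre-shared key per office so that compromising one branch device does not expose the others' tunnels.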