setting up an ftp/mail/web server within a network

NorthShoreRob

Member
Mar 8, 2003
I am trying to set up an ftp/mail/web server in my office.

My office network is currently set up like this:
INTERNET>CABLE_MODEM>NETGEAR_WIRELESS_ROUTER>NETOPIA_ROUTER>NETGEAR_SWITCH>OFFICE_NETWORK

My concern is the security of the information on the file server and all computers on the network. I was thinking of adding the servers (web/ftp/mail) between the NETGEAR_WIRELESS_ROUTER and the NETOPIA_ROUTER, but was told that if I had the servers set up like that I would still be vulnerable to intruders from the outside. I was also told that I should purchase a better firewall ($1000 SonicWall) and then host the servers behind it along with the network and I should be fine. That sounds like basically the same thing to me, but just a little higher priced firewall, unless this firewall has security features my current router doesn't. Can anyone tell me if this is secure enough? I don't recall the model for the firewall, but I believe it has VPN capabilities also, which I would eventually like to set up. What would be needed to run a VPN? And how do I set up other computers to have access through the VPN tunnel to see my network?

I am trying to find sites that explain VPNs and network/internet security. If you know of any sites please link me up; in the meantime I'll be searching.

Thank you,
Rob
 

mboy

Diamond Member
Jul 29, 2001
I would definitely recommend upgrading to a better firewall that has a true DMZ feature. You will want to host the publicly accessible servers (like the web and email servers) on the DMZ (a separate subnet from the WAN and LAN subnets, its own 3rd subnet basically) and LOCK the servers down hard. This way, if the email server gets compromised in any way, they will still have to break thru the firewall to get to the LAN. If you host them like you have it set now and start allowing outside access to those services, once the box is compromised (much easier since you have to allow public servers to receive traffic thru various ports from the 'net), your LAN will be compromised.

This is not really something for the novice and doing it at home is one thing, but if you are doing it for a business that relies on it to make $$$ and cannot afford any downtime, I would do A LOT more research into it.

A SonicWall or PIX has a tremendous amount of features and is MUCH more secure than the wireless router you are using now. There is a reason why enterprise class firewalls with endpoint 3DES VPN, TRUE DMZ, etc. cost A LOT more than the SOHO stuff.

Also, running that wireless is pretty damn insecure in itself. What is it used for?

You might want to think of using VPN for your wireless access users if the info they are transmitting is business related/mission critical.
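
The DMZ reasoning in the post above, worked through as an added example (not code from the thread or from any firewall vendor): a small zone-policy model that compares what a compromised mail server can reach when the public servers share the LAN subnet versus when they sit on a separate DMZ subnet. Host names, zone names, ports and rule sets are all constructed assumptions.

```python
from collections import namedtuple

Host = namedtuple("Host", "name zone")
ANY = None  # wildcard port

# Constructed layouts; host names, zones and ports are assumptions for illustration.
FLAT_HOSTS = [Host("mail", "lan"), Host("web", "lan"),
              Host("fileserver", "lan"), Host("workstation", "lan")]
DMZ_HOSTS = [Host("mail", "dmz"), Host("web", "dmz"),
             Host("fileserver", "lan"), Host("workstation", "lan")]

# Rule = (source zone, destination zone or host name, port). Default is deny.
FLAT_RULES = {("wan", "mail", 25), ("wan", "web", 80), ("wan", "web", 21),
              ("lan", "wan", ANY)}
DMZ_RULES = {("wan", "mail", 25), ("wan", "web", 80), ("wan", "web", 21),
             ("lan", "dmz", ANY), ("lan", "wan", ANY),
             ("dmz", "wan", 25), ("dmz", "wan", 53)}  # note: no dmz -> lan rule


def allowed(rules, src, dst, port):
    """True if src may open a connection to dst on port."""
    if src.zone == dst.zone:
        return True  # same subnet: traffic never passes through the firewall
    return any(rs == src.zone and rd in (dst.zone, dst.name) and rp in (ANY, port)
               for rs, rd, rp in rules)


def exposed_to_internet(hosts, rules, ports):
    """(host, port) pairs that an outside client can connect to."""
    outside = Host("internet", "wan")
    return sorted((h.name, p) for h in hosts for p in ports
                  if allowed(rules, outside, h, p))


def reach_from(hosts, rules, foothold_name, ports):
    """Internal hosts reachable on any of `ports` from a compromised host."""
    foothold = next(h for h in hosts if h.name == foothold_name)
    return sorted(h.name for h in hosts if h is not foothold
                  and any(allowed(rules, foothold, h, p) for p in ports))


if __name__ == "__main__":
    internal = [445, 3389]  # sample internal services: file sharing, remote desktop
    print("flat:", reach_from(FLAT_HOSTS, FLAT_RULES, "mail", internal))
    print("dmz: ", reach_from(DMZ_HOSTS, DMZ_RULES, "mail", internal))
```

Both layouts expose the same three services to the internet; the difference is that in the DMZ layout the mail server's only neighbour is the other DMZ host, which is why the DMZ servers themselves still need to be locked down.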
 

NorthShoreRob

Member
Mar 8, 2003
Our office network was set up exactly how I listed above except for the NETGEAR_WIRELESS_ROUTER. When we have consultants come into the office, they were complaining that they couldn't access their VPN through our firewall, so we added the wireless outside of our Netopia Router. We have about 3 staff members using the wireless connection to get onto our server, and consultants use it to access the internet.

Thanks for the advice, mboy!
 

mboy

Diamond Member
Jul 29, 2001
Depending on what they are using for VPN, either the VPN client could not traverse NAT or your router is not capable of or is not configured to allow IPsec pass thru.