Off topic (firewall)

Dan,

Setting up a firewall would be nice. But from my experience the bigger risk
is from email-based viruses.

For my nickel I'd first make sure you have a virus checker linked to your
email server and to your client PCs with up-to-date signature files. Then
I'd consider the firewall issue. The problem with the firewall issue is
finding an effective firewall product for such a small company.

The three major firewall products that I'm aware of are:

1) Cisco makes a very fast firewall box called the "PIX" ... but the "Baby
PIX" unit is around $5,000 and a standard PIX unit is closer to $10,000.
These prices are for hardware/software ONLY and do not include
implementation.

2) RAPTOR is another highly rated firewall product. Figure approx
$4,000-$5,000 for software plus $2,000 for a box plus implementation.

3) Checkpoint software. Figure approx $5,000 for the software plus
$2,000 for the hardware ... plus implementation.

Of the three the PIX box is the fastest, Checkpoint is normally second, and
RAPTOR is third.

Then you have all the smaller packages, many of which are LINUX-based or
router-based NAT/Firewalls. A number of these products are legit. The
problem is that unless you know what you are doing they are not a slam dunk
to set up.

No matter how you slice it none of these products are "Plug and Play" for a
novice computer person to set up, so you end up hiring a consultant to set up
the box, and it seems like every consultant has their own "Favorite" for a
firewall product.

My advice? Find a larger, reputable consulting firm with lots of installed
customers and multiple technicians on staff and avoid the one-man shops for
this kind of product. Whether you spend $1,000 or $5,000 for the software
+ hardware, what has the potential for costing you the most money is the
consultant's fees. By going with a larger firm, if your technician drops
dead or finds a new job there will be someone else on staff who can step in
and take care of things.

Personally, for a small company ... I would call a Gold or Silver level
CISCO dealer and get a price on (1) a router based solution and (2) a PIX
based solution. They can pre-configure the box and send it to you and if
there are any problems they can dial in on a backup modem line and
reconfigure the box without having to be onsite. You may pay more for the
hardware up front but in the long run you will probably pay less in
consulting fees.

Good Luck

Todd Anderson

-----Original Message-----
From: Dan Shallbetter [mailto:dans@...]
Sent: Monday, December 04, 2000 11:44 AM
To: 'vantage@egroups.com'
Subject: RE: [Vantage] Off topic (firewall)


Todd, as I understand it we get out to the internet through our old 56k dial
up connection to a local ISP. The ISP dial-up server type is a PPP running
TCP/IP network protocol. Is this the info you were after?

Dan Shallbetter

-----Original Message-----
From: Todd Anderson [mailto:tanderson@...]
Sent: Monday, December 04, 2000 11:15 AM
To: 'vantage@egroups.com'
Subject: RE: [Vantage] Off topic (firewall)


Dan,

Before I give you an answer to this question ...

Specifically how are you connecting to the Internet ?

Todd Anderson


-----Original Message-----
From: Dan Shallbetter [mailto:dans@...]
Sent: Monday, December 04, 2000 8:48 AM
To: 'Vantage@...'
Subject: [Vantage] Off topic (firewall)



Looking for some advice. We are a very small company running Small Business
Server 4.5. We use a dial up connection for internet connection and also to
retrieve our e-mail. We do not host a web page. Do I need a firewall? Or can
proxy be configured to provide adequate protection? What are my exposures I
need to worry about? What do others use?

TIA
Dan Shallbetter
States Electric Mfg.





Dan:

Actually I have a question or two...

Do you run Small Business Back Office Server 4.5 on a separate server
from the one running Vantage? Or are they both running on one server?
Either way, do they both co-exist without making you nuts? I'm ready to
buy a server and add SMBOS to eliminate our dial-up/modems/POTS nonsense
and am very interested in your experience so far. How many people, PCs,
etc.?

Anything you can contribute...

Thanks a million (TAM) !!!

Rick Gors
MIS
Osco

We use the Small Business Back Office Server 4.5 and have had no
problems with it since it was installed in August 1999. We have one
server with dual mirror image hard drives. We currently have 14 regular
users, plus 4 data collection locations. I'm not an expert on our
internet connections, but we do connect to a local ISP server which I
believe we use as our firewall. SBBO handles internal e-mail internally
and we have a continuous dial-up to the ISP server so we have instant
access to the internet. Our ISP gave us a web site/page location which
was just a static location (you don't need to construct a web page) for
receipt of external e-mails. Now we have just developed a web page
ourselves instead of paying a third party thousands of dollars to do so.

Steve

One place to review a multitude of firewall programs (and to try them out)
is the following URL: http://hotfiles.zdnet.com/
ZDNET is now TECHTV. TechTV is a cable network devoted strictly to
computers and the Internet. http://techtv.com is the home page. This web
page is a content-rich resource of computer information for ALL levels of
computer expertise. When you get to the hotfiles site do a search on
FIREWALLS. You'll get a list of 50 or so different products. Some free,
some not. Also, by going to the Cyber Crime area from the main TechTV page
you can get some good information on current crimes and vulnerability.

Shirley Graver
Rubber Associates Inc.
Cleveland/Akron


If I may, I'll toss in my 2 cents for this thread. We are running BackOffice
SBS 4.5 on a separate server from our Vantage server. They co-exist OK but
for growth reasons I want to migrate to regular NT. The only BackOffice
service we are using is Exchange and perhaps in future IIS for Crystal Web
reports so the choice is cost for adding 25 more users to SBS versus ala
carte NT. SBS is OK but very limiting for number of users and some
features. It also restricts you to one domain.

We too Internet connect via a dial-up (PSINet LANDial 56K). SBS has not
been a factor since both systems talk to a router which acts as a gateway.
I am slowly abandoning Proxy Server due to the large number of B-2-B sites that
won't operate thru Proxy Server. I used to think that the rotating IP
address at the ISP end and some filtering there protected us from outside
access but that is not the case. I have had several security log events for
failed logins from outside sources and other domains. I looked up one via
WHOIS and got an email address and contacted them and they had no idea. In
fact it was at an hour when their office was empty. Sounded like a security
issue for them too and maybe somebody was co-opting their PC to probe
elsewhere. Very scary.

PSINet is ending LANDial in a few weeks so we will switch to some fraction
of a T1 on a permanent connection and are planning to implement Firewall
hardware at that time. Hopefully we will be off SBS by summer and on a new
server running straight NT + Exchange. If I had to do it again and knew we
would outgrow it I would not have used SBS.

-Todd C.
Harvey Vogel Mfg. Co.

Dan,

In absolute terms a proxy will not provide the security you
should be looking for. A firewall running on a machine
separate from your other servers will provide the best
protection.

That said, the fact that you are running dial-up connection
with most likely a dynamic IP address certainly minimizes
the risk of an intruder targeting your site specifically.
You are however prone to intrusion from attackers-of-
opportunity - those who look for random unsecured networks.

Proxies are not the best option because proxies themselves
can be unsecure and therefore prone to co-opting or hacking.
The good news is that you no longer have to spend $10K on a
hardware firewall - a decent one can be had for about $500
that will support 5-10 users. Most of these types are running
on customized hardened operating systems (Linux, BSD and
sometimes NT) that are more resistant to hacking and in most
cases will fail-closed in the event of a DOS attack that they
cannot handle.

The limitation with the less expensive hardware firewalls is
that they really slow down when you have more than a dozen or
so people using the connection. If you are at about 20 users
and looking to grow, you should probably spend about $4K
for a more powerful firewall.

Personal firewalls, such as those that Shirley mentioned, are
a great tool for computers which have an individual connection
to the internet and that are not otherwise protected by a
hardware or network firewall (and please never ever ever
believe your ISP when they tell you that your connection is
protected by their firewall).

Good low- to mid-price firewalls:

http://www.watchguard.com

http://www.sonicwall.com


have fun,
John


> -----Original Message-----
> From: Dan Shallbetter [mailto:dans@...]
> Sent: Monday, December 04, 2000 6:48 AM
> To: 'Vantage@...'
> Subject: [Vantage] Off topic (firewall)
Rick, yes, I am running SBS and Vantage on the same server (Dell 2300 Dual
500 processors, 512meg ram, Raid 5, 27 gigs of disk space). I have 19
Vantage users, 1 data collection, my old Unix box and NT voice mail server
are connected to it as nodes. We have been running since March of 98. We
started with SBS 4.0 and upgraded to SBS 4.5 within a year. The SBS upgrade
required me to also upgrade Seagate Backup Exec and also Inoculan. I've had
some stability problems (corrupted device drivers, and others) that I'm told
are fairly normal for NT. (I guess I took my Unix box for granted.) I was
just out at Comdex (ok, I just happened to be in Las Vegas at the same time).
Microsoft gave me a beta version of SBS 2000 (who are they trying to kid,
been there and done that, thank you very much!!!). They could not confirm a
definite commercial release date. But you might want to explore that.
Overall I would say SBS has worked out well for us. We went that way
initially because we wanted a bundled turnkey solution. We came from a dumb
terminal environment and none of us have any formal IS training. Feel free
to contact me directly if I can be of further assistance.


Dan Shallbetter


Dan,

You absolutely need a firewall if you're dialing up your ISP from your
SBS 4.5 box. Microsoft is *NOTORIOUS* for their security gaffes. Hardly
a week goes by that doesn't have yet another security hole revealed.
And don't think that they fix these security holes when they're found.
In fact they refuse to fix many of them... they've even stated so on their
website many times.
If you think you're safe because you're not connected 24/7 you're wrong,
it doesn't take long to break into a system.

My advice: don't use your SBS 4.5 server for dial-up, buy another
PC & use that. For example, we use LINUX on its own hardware & run
ipchains (firewall) & ipmasq (NAT), sendmail (email server) & apache
(web server). We also log all IP traffic & analyze the logs daily.

Whatever you do, don't expose your production server to the internet
because it's your most valuable (data) asset & your greatest expense
if it were to get corrupted.



At 08:48 AM 12/4/00 -0600, you wrote:
>Looking for some advice. We are a very small company running Small Business
>Server 4.5. We use a dial up connection for internet connection and also to
>retrieve our e-mail. We do not host a web page. Do I need a firewall? Or can
>proxy be configured to provide adequate protection? What are my exposures I
>need to worry about? What do others use?
>
>TIA
>Dan Shallbetter
>States Electric Mfg.
>
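
The daily review of firewall logs that the last reply describes, sketched as an added example (not code from any poster in this thread): it tallies denied inbound packets per outside source and marks sources that tried several different ports. The log line layout, the `ppp0` interface name, the three-port threshold and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of an ipchains "-l" kernel log entry:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample entries using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
Dec  4 02:58:41 fw pppd[211]: local IP address 198.51.100.20
Dec  4 03:12:07 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3312 198.51.100.20:139 L=48 S=0x00 I=4321 F=0x4000 T=112 SYN (#4)
Dec  4 03:12:08 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3313 198.51.100.20:23 L=48 S=0x00 I=4322 F=0x4000 T=112 SYN (#4)
Dec  4 03:12:08 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3314 198.51.100.20:21 L=48 S=0x00 I=4323 F=0x4000 T=112 SYN (#4)
Dec  4 03:12:09 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3315 198.51.100.20:80 L=48 S=0x00 I=4324 F=0x4000 T=112 SYN (#4)
Dec  4 03:20:15 fw kernel: Packet log: input ACCEPT ppp0 PROTO=6 198.51.100.1:110 198.51.100.20:1044 L=60 S=0x00 I=911 F=0x4000 T=60 (#2)
Dec  4 04:41:30 fw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.44:137 198.51.100.20:137 L=78 S=0x00 I=77 F=0x0000 T=109 (#5)
Dec  4 04:41:33 fw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.44:137 198.51.100.20:137 L=78 S=0x00 I=78 F=0x0000 T=109 (#5)
Dec  4 05:02:11 fw kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.15:138 192.168.1.255:138 L=229 S=0x00 I=12 F=0x0000 T=128 (#6)
"""


def parse_line(line):
    """Return the packet fields of one log line, or None if it is not a packet entry."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def denied_inbound(lines, iface="ppp0"):
    """Map each outside source to the set of (protocol, dest port) pairs it was refused on."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # pppd messages and other non-packet lines
        if (rec["chain"] == "input" and rec["iface"] == iface
                and rec["action"] in ("DENY", "REJECT")):
            hits[rec["src"]].add((rec["proto"], rec["dport"]))
    return hits


def daily_report(lines, iface="ppp0", sweep_threshold=3):
    """List refused sources, busiest first; 'sweep' marks many distinct ports from one source."""
    report = [
        {"src": src, "ports": sorted(ports), "sweep": len(ports) >= sweep_threshold}
        for src, ports in denied_inbound(lines, iface).items()
    ]
    report.sort(key=lambda r: (-len(r["ports"]), r["src"]))
    return report


if __name__ == "__main__":
    for row in daily_report(SAMPLE_LOG.splitlines()):
        print(row)
```
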