A DMZ uses all the same security features as the inside trusted network. Traffic from the DMZ to the inside is blocked by default, and only traffic you allow through will be permitted. A DMZ uses NAT, PAT and ACL’s, just like your external interface.

BTW, I have to disagree with the previous comments on Linksys. Linksys makes really good SOHO equipment for the cost. And they are only owned by one company.

That company is Cisco Systems.

Chris Weber
Layer9corp.com

Router two is connected to the DMZ port on the router connected to the WAN?

I understand that DMZ means less or no protection, but does that mean no NAT and no port filtering?

Regards,

Well I have your specific router with updated firmare and features still don’t work as advertised after 2.5 years. I suggest that would complicate debugging and configuring. Netgear brand is still cheap but also reliable. And yes whoever you hang off the DMZ will have decreased protection. That is what DMZ generally means and the low end firewalls tend to take that to heart. But a second firewall would fix that.

Yes I’ve hooked the WAN port of one cheap firewall to another. No problems IF you careful track port forwarding and NAT effect forwards and backwards. Bookkeeping and flow diagrams are everything.

I’d tend to avoid exposing the SBS server to the Internet as a normal port 80 HTTP webserver myself. All the important business stuff is likely on the SBS and all the worse breaches tend to involve webservers. Forwarded SMTP ports are fairly safe with good AV and SPAM software for Exchange. Unfortuantely that means you don’t get webmail off Exchange if its web port isn’t exposed. Of course I’ve also seen port forwarding, offbeat HTTP ports and mandatory HTTPS used to advantage there as well.

So if you have separate webserver(s) I’d put it on the first firewall DMZ in case it gets infected. That does mean you’d need a switch or hub to connect the second firewall as well to that DMZ port. Those webserver can also be a hunk of junk workstation if it doesn’t get many hits and doesn’t pass out big files. Also depends some on how critical the webserver going down is (hardware reliability).

That was good advice on the gateway SMTP box to forward mail. There is lots of fair quality freeware as well. You can run AV or SPAM protection on it if it has enougn spare horse. But maybe as importantly you can run a simple web page to redirect webserver traffic.

You could even page redirect HTTP requests to offbeat webserver ports like 81 instead of 80 on two other webservers. But you risk some clients having company proxies that don’t allow offbeat ports. Or that webserver could pull pages from the two companies webservers — but I suggest that is too complex.

Offsite hosting still sounds best for one company. If it doesn’t have many pages and doesn’t get too many hits offsite hosting might even be free for a while. Ask your ISP and search the Internet. There are plenty of places wanting to train you to like their hosting while your company grows. They hope eventually you will grow until you must and can pay.

Here’s a link to help you out on IIS6.0.:
http://technet2.microsoft.com/WindowsServer/en/Library/b5999267-fc46-4430-a6af-e0b483886c8a1033.mspx
Here’s the apache link:
http://httpd.apache.org/docs/2.0/vhosts/examples.html

You could probably also host them on different servers, but you need intelligent hardware to route the requests to the proper server, such as a load balancer.

Wayne

Another option would be to use an SMTP mail gateway with 2 mail servers,(a good idea anyway). The gateway would act as a single entry point to your network for SMTP traffic.

The gateway will hand off mail to both your mail servers.You’d need a server (can install server on an old PC if you want) for the gateway and you need some SMTP gateway software. Symantec makes a good product for small companies. A company your size could purchase the software for around 200 dollars.

Chris Weber
Layer9corp.com

Mail needs to come in via ‘SMTP’, at the firewall you would configure port forwarding for any traffic coming to the firewall on port 25 to be sent to the mail server. To do a second email server, you need a second IP address. Same with web traffic, you would port forward port 80 to the web server. Both of those servers could be the Small Business Server.

According to the documentation at Linksys the BEFSX41 has one jack that can be configured to be a DMZ port. I don’t know how restricted they are on traffic through that port to the internet, and to the other network. port.

Yes, I’m no network expert, but I have to improve – or know my limits.

Thanks to all of you for all the advice, I’m truely gratefull.

Equipment aside, as you’ve had a lot of good advice on what to purchase, what type of DSL line is it; ADSL or SDSL? What are your up/down speeds if it’s ADSL?

You mentioned hosting a website and email servers on the connection. The email server should be fine unless you’re getting a ton of email in, but the webserver could run slow if you have a slow up speed on ADSL. Considering the sizes of these companies, it’s probably not going to be a problem right now, but if they have considerable growth, an ADSL with 7.1MBps down/768Kbps up won’t cut it if that’s what you have.

Just food for thought.

Wayne

In a very simplistic explanation, Layer 2 is your local connections, LAN connections that is. Now this is not true for Telco services like ATM and Frame, but for your purposes think of it as MAC’s talking.

Layer 3 is your Routable Layer. Thats where your IP’s come in, what you need to get out to the WWW. Your switch can’t tell you how to get there. Only the router can.

As for the VLAN’s, your really getting out of your realm here, since you don’t have a working knowledge of Layer 2 or 3, but suffice it to say you need to route your VLAN’s. You can’t get out of your VLANS without a Layer 3 interface sitting on them. On all of them, in your case thats two.

So you need to have 2 Linksys routers, or you MIGHT be able to route the DMZ interface on the Linksys router for one of the VLANS, although I can honestly say I’ve never had to try that.

Best case scenario for your budget is 2 Linksys routers, route the subnets at layer 3, buy a another cheap switch if you need it or use the 4 ports on the back of the Linksys if thats all the hosts you have, and just route the subnets at Layer 3.

In other words, forget routing VLAN’s, as thats more complicated than you need. If you need to buy another cheep switch at CompUSA.

Chris Weber
Layer9corp.com

Need more info?

Is the DMZ like an open hole through the router/FW? Can a second router be connected to the DMZ?

Then maybe the SBS can be connected to the DMZ and work as a FW (NAT)?

I’d like to use the Dell PowerConnect, but have no experience with VLANS.

Regards,