Cisco 1811 Dual Wan, SBS2008 and Extranet

  • Cisco 1811 Dual Wan, SBS2008 and Extranet

    This is my equipment:
    1. SBS 2008 premium running on Hyper V
    2. Network connected to Level 3 Switch (No VLAN)
    3. Physical server running Windows 2008STD used as Extranet with Sharepoint services 3.0
    4. Cisco 1811 Router with 2 ADSL links
    This is what I want to achieve:
    1. Internet access for the LAN using feth0 (DSL0) - failover to feth1 (DSL1) for redundancy.
    2. SBS remote access, SMTP server, using feth0.
    3. LAN access to the Sharepoint (Extranet) server (https)
    4. WAN access to the Sharepoint (Extranet) server through feth1 (DSL1).
    1. Do I have what it takes to do what I want and maintain good security?
    2. If no, what is missing?
    3. If yes, what are your suggestions?
    Thanks for your help

  • #2
    Re: Cisco 1811 Dual Wan, SBS2008 and Extranet

    Hi Thomas,

    You haven't really detailed your intended security plan.

    You have the correct equipment to establish a cost-effective security solution for a small branch office but not on a larger scale with multiple layers of security.

    I would recommend the following as a baseline which you can build upon:

    Switch infrastructure:
    1) Use secure management access
    2) Secure STP using root guard and bpdu guard
    3) Guard against VLAN hopping and Double tagging by disabling native VLAN and dynamic ports
    4) Configure port security to prevent MAC spoofing
    5) Enable DHCP snooping and ARP inspection
    6) Create a secure VLAN for unused ports

    For the 2811 I would suggest that you separate your network off by having a public, DMZ and private interface. You can then implement Zone Based Firewalls to protect your infrastructure.

    Obviously you would need to keep your OS patches up to date and disable unnecessary services on the servers, switches and router. For remote access you would want to use some sort of secure VPN like IPSec etc.

    That should give you a good security baseline but if you had the funds available then you could look at things like NAC, IDS, IPS etc.

    Are you looking at Logging and SNMP too?
    Infrastructure Architect
    CCNA, CCNA Security, MCSE, JNCIS
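
An added example, not part of the reply above: a small Python check that reads a switch running-config and reports access ports and global settings missing the dynamic-port, port-security, BPDU guard, DHCP snooping and ARP inspection controls from that list. It assumes Cisco IOS (Catalyst) command syntax, since the thread does not name the switch vendor; `audit`, `PORT_CHECKS`, `GLOBAL_CHECKS` and `SAMPLE` are hypothetical names.

```python
import re

# IOS (Catalyst) keywords are an assumption: the thread names no switch vendor.
PORT_CHECKS = {
    "static access mode": "switchport mode access",
    "DTP disabled": "switchport nonegotiate",
    "port security": "switchport port-security",
    "BPDU guard": "spanning-tree bpduguard enable",
}
GLOBAL_CHECKS = {
    "DHCP snooping": r"ip dhcp snooping",
    "ARP inspection": r"ip arp inspection vlan \S+",
}

def audit(config):
    """Return (scope, missing control) pairs for access ports and globals."""
    top, ports, block = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        match = re.fullmatch(r"interface (\S+)", line)
        if raw[0].isspace():              # indented: sub-command of a block
            if block is not None:
                block.append(line)
        elif match:
            block = ports.setdefault(match.group(1), [])
        else:
            block = None                  # some other top-level command
            top.append(line)
    findings = [("global", name) for name, pattern in GLOBAL_CHECKS.items()
                if not any(re.fullmatch(pattern, line) for line in top)]
    for port, lines in ports.items():
        if "switchport mode trunk" in lines or port.lower().startswith("vlan"):
            continue                      # trunks and SVIs are out of scope
        findings += [(port, n) for n, cmd in PORT_CHECKS.items() if cmd not in lines]
    return findings

SAMPLE = """ip dhcp snooping
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""  # constructed sample config, not taken from the thread
```

Calling `audit(SAMPLE)` flags the missing ARP inspection setting and the three controls absent from FastEthernet0/2; the trunk port is skipped because the access-port checks do not apply to it.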


    • #3
      Re: Cisco 1811 Dual Wan, SBS2008 and Extranet

      Thanks for your reply,

      I had not even thought about securing my switches yet! I will get to that, thanks.

      This is for a small office (25 users) + about 10 to 15 Extranet users.

      I was first worried about the operational aspects of the implementation and the locking down would come after.

      I am looking at a basic security setup, implying all patches - services - ports and outgoing/incoming firewall inspection.

      My issues are:
      1. Cisco 1811 dual wan config
        • Maintain incoming traffic separation between eth0 and eth1
        • Possibility of redundancy for outgoing traffic.
      2. I cannot use DMZ because my Extranet server is also used for DFS and SQL.
        • So can I secure HTTPS only communications between my Router and 1 interface while keeping LAN for SQL and DFS on another?
      Thanks again for your good advice