May 6th, 2008 @ 1:05 pm
I’ve been evaluating our current firewall situation and came to the following conclusion: We have too many products from too many vendors costing too much money and causing too many headaches.
Currently, we use a Watchguard Firebox X700 for our internal network and DMZ. It’s fine when it works, but gets flaky sometimes. It will randomly stop passing FTP traffic, or you add a new rule and it won’t actually work until you reboot. Overall, I’m not impressed.
Inside the Watchguard sits a Barracuda Web Filter. I like this box - it works great and causes very few issues. They do silly stuff sometimes like adding Northpoint.org to the “Spam” category, but, overall, I’m happy.
For our public network, there is a Sonicwall Pro 3060 running Sonicwall’s own content filtering service. The Sonicwall is a nice box, but has its issues with occasionally locking up and other weird stuff. I’ve used them in the past and came to the conclusion that it’s a great small office firewall, but really not an enterprise-class solution. The yearly support cost plus the yearly content filter license gets expensive too.
For VPN, we use a Cisco ASA 5510. This replaced the Watchguard VPN (which is absolutely horrible) and provides VPN access for laptops and a few remote sites (5505’s at the remote sites). I love the ASA firewalls. They are rock solid on both stability and performance and, in my opinion, easier to configure. This is definitely a keeper. Ironically, of the three boxes, the Cisco has the lowest yearly support cost.
I’m sure there were good reasons for implementing each product at the time, but everything but the Cisco was here before my time, so I don’t know all the details.
In putting it all together, this is what I’m seeing:
- We’re paying for subscriptions to two different content filtering services - one for the internal network and one for the public network.
- We have support contracts with 3 different vendors.
- There are some stability problems.
- Learning curve involved with multiple products.
Most of those contracts are up for renewal, so now is the time for change. My thought is to get another ASA 5510 and use its multiple interfaces to attach the internal network, the DMZ, and the wireless to one firewall. Then, hang the Barracuda Web Filter off another interface and redirect all outbound http traffic to it via WCCP.
It seems almost too simple. One firewall for all the network segments, one content filter for everything, one less piece of hardware, more stability. It just makes sense all around. If anyone has any thoughts on this, I’d love to hear them.
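For readers weighing the same consolidation, here is what the WCCP piece of that design looks like on an ASA. This is an added illustration, not configuration from the post or from any of the vendors named in it; the addresses (clients on 10.0.0.0/24, Barracuda at 10.0.0.50), interface name and ACL names are assumptions. One caveat worth checking before buying hardware: the ASA WCCP implementation only redirects ingress traffic and, as documented for the releases I have worked with, expects the cache engine to be reachable on the same interface the redirected clients arrive on, so plan to place the Barracuda on the inside segment rather than on a dedicated interface and confirm the restriction in the configuration guide for your ASA software version.

```cisco
! Added example (not from the original post). Assumed addressing:
!   inside clients  10.0.0.0/24
!   Barracuda       10.0.0.50 (on the same interface as the clients)
!
! Which hosts may join the WCCP service group (the cache engine only)
access-list WCCP-CACHE extended permit ip host 10.0.0.50 any
!
! What gets redirected: client HTTP only. The deny line keeps the
! filter's own outbound fetches from being looped back to itself.
access-list WCCP-REDIRECT extended deny ip host 10.0.0.50 any
access-list WCCP-REDIRECT extended permit tcp 10.0.0.0 255.255.255.0 any eq www
!
! Bind the web-cache (port 80) service to the ACLs and enable
! ingress redirection on the client-facing interface
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHE
wccp interface inside web-cache redirect in
!
! Verification after the filter registers with the ASA
show wccp
show wccp web-cache detail
```

Keep the redirect ACL narrow: only the client subnets and only port 80, so that a filter outage or a re-registration hiccup degrades only web browsing and never the DMZ or VPN traffic you are consolidating onto the same box.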
May 3rd, 2008 @ 8:19 pm
Tony made an interesting comment on my Remote Access Post from a few days ago. He has a good point, and I think it’s worth visiting. Who do we give remote access to, and from what computers? Is it a good idea to allow them access from their personal computers? I have had the same thought, and that is the primary reason I’m not already doing it. Here’s a few thoughts:
Generally, only a user with a church supplied laptop would be given VPN rights. If the user has been granted the right to log in via VPN, though, can I really control what machine they do it from? I really can’t. All they need is the Cisco VPN client and a few configuration details, so, in theory, a tech-savvy user could access the VPN from any computer.
- Is it any different from a rogue computer being physically plugged into the network? No, it’s really not. Now, random machines being attached to the network is definitely not something I promote or desire. But, it would take very extreme measures and a lot of expense to stop it. 802.1x is a possibility, but, beyond that, it would require some sort of centralized MAC Address based authentication. This exists from a few vendors, but isn’t cheap. Bottom line is, it’s not easy or cheap to keep rogue machines out completely.
- Putting costs and implementation issues aside, what impact would it have on ministry to implement the above? Are there legitimate reasons for someone to attach a “rogue” machine to the network? In general, no, but there are some exceptions.
- We live in an increasingly “connected” and mobile society. Ministry is no exception. Increasingly, being on the cutting edge of technology is a requirement of our ministry. It is absolutely critical that we enable our staff to perform their duties without being physically present in the office.
So, with the above in mind, I’ve placed a greater focus on keeping our internal defenses in line. Here’s a few actions I’ve taken or plan to take:
- Windows firewall is enabled on all workstations via group policy and no programs are allowed to create exceptions. There are only a handful of ports allowed.
- This is a no-brainer, but centrally managed anti-virus is in place on all internal machines.
- SMTP is not allowed outbound from anywhere on the network, with the exception of our exchange servers. This limits the scope of damage should a machine with a mass-mailing worm show up on the network.
- Access to network file shares is very carefully controlled. User accounts do not have access to anything they do not specifically need to access for their job function.
After putting a lot of thought into it, I’ve come to the conclusion that the benefits of allowing VPN access outweigh the potential negative impact of allowing it. I would rather allow limited access via other methods if possible, which is why I’m exploring Terminal Services Web Access combined with RemoteApp. But, if for some reason the Terminal Services solution does not work out, I believe VPN is an acceptable fall-back.
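The SMTP egress rule in the list above is the one control that lives on the firewall rather than on the workstations, and it is worth pairing with logging so that a worm-infected machine announces itself. The following is an added example of how that looks on an ASA, not configuration from the post; the Exchange server addresses (10.0.0.25 and 10.0.0.26), the interface name and the ACL names are assumptions.

```cisco
! Added example (not from the original post). Assumed addressing:
!   Exchange servers 10.0.0.25 and 10.0.0.26, clients on the "inside" interface
!
object-group network EXCHANGE-SERVERS
 network-object host 10.0.0.25
 network-object host 10.0.0.26
!
! Only the mail servers may speak SMTP to the outside world
access-list INSIDE-OUT extended permit tcp object-group EXCHANGE-SERVERS any eq smtp
!
! Everything else gets dropped AND logged: a burst of these hits from one
! workstation is the first sign of a mass-mailing worm
access-list INSIDE-OUT extended deny tcp any any eq smtp log
!
! Remaining outbound traffic as before (tighten further as policy allows)
access-list INSIDE-OUT extended permit ip any any
!
access-group INSIDE-OUT in interface inside
!
! Watch the deny counters; a non-zero hit count on the deny line
! is worth a look at which source address generated it
show access-list INSIDE-OUT
```

The deny line sits before the blanket permit on purpose: ASA access lists are evaluated top down and the first match wins, so placing the SMTP deny after a permit ip any any would silently make it dead.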
April 30th, 2008 @ 7:08 pm
I attended the Microsoft product launch event in Atlanta yesterday. Been traveling all day today, so just now getting a chance to type up a post about it. Overall, it was a great experience. Got to see and learn about lots of cool new features in Windows Server 2008 that I haven’t had a chance to test yet. Also talked to several interesting vendors. Here’s a few random thoughts:
- Freebies are always nice. I walked away with a full copy of Windows Vista Ultimate and limited or trial versions of several other products.
- Overall, the speakers were really good.
- The exhibit hall was way too crowded in the morning. Hard to have a serious conversation with the vendors due to the number of people present. Got a little better later in the day.
- Network access protection is interesting - can check certain aspects of a machine, such as antivirus and firewall status and only allow access to servers if certain criteria are met. Optionally, traffic to servers containing sensitive data can be IPSec protected. Awesome concepts, but I have a feeling it’s going to be difficult to manage and create headaches for users and IT staff. I might play with it a bit if I can find time.
- TS RemoteApp is really nice. We already have a couple of servers running it and will roll it out in our production environment really soon for Shelby and EMS.
- I really, really like the Terminal Server Gateway and Web Access features. Combined with RemoteApp, it seems like the perfect solution for users to access certain apps from their home computers. Basically, the user logs into a web site and is presented with a Windows desktop looking screen with icons for apps and servers they can click to connect to. All the traffic gets tunneled over SSL, which makes me less concerned than opening RDP to the outside. It can also be hidden behind an ISA server (which we already use for remote Exchange access) for additional security. I really think this is the answer to some of my remote access woes.
- I thought the web server session was boring.
- MS has come a long way with their virtualization products. In my opinion, it’s still not up to par with VMware though. There’s still no live migration ability. There’s still a host OS involved (I think about how many times I have to reboot Windows servers vs how I never have to reboot ESX). There’s no way to resize a virtual hard disk (seems really odd to me, VMware has had this for years). Give it a couple more years, and Hyper-V might be the way to go. I’m not convinced yet though.
April 28th, 2008 @ 7:54 pm
As we become more and more mobile, remote access becomes more and more important. It’s easy for people who have church-issued laptops. We have a Cisco IPSec VPN that works great.
But, what about users without laptops who need access to certain apps and services? There’s several options available, but I’m not convinced any of them are great:
- Connect to VPN and install apps (Shelby, EMS, etc) on home computer. Obviously, this is very difficult to support and can be slow.
- Connect to VPN and Remote Desktop to their own computer. I have a couple of users who do this now and it works. Maybe it’s the best way to handle it since once they’re in, the experience is the same as at the office. It usually requires a phone call to walk the user through the RDP setup, but it’s not too bad to deal with.
- Terminal Services gateway. I have reservations about opening any MS product up to the internet. I guess it could be hidden behind an ISA server with RADIUS authentication - we already do this for OWA access to Exchange. Combined with Windows 2008 RemoteApp, this could be a very good option, especially since it wouldn’t require a VPN client. May be a security concern.
- VPN client + RemoteApps - would be easy for the user - I just need to give them a couple of RDP files. What about accessing Word, Excel, etc?
- Cisco WebVPN - this is cool because it allows the user to log into a web interface and access CIFS file shares. A bit of a pain to setup and manage though, and doesn’t really allow for the user to access apps.
- VPN client + terminal server - eliminates need to RDP to a workstation, but user may need apps not available on the terminal server.
At this point, I’m kind of leaning toward just allowing users to RDP into their own workstation over a VPN connection. Anyone have any better ideas?