Hi, as the system administrator of the company I work for, I have to deploy a secure network and enable VPN access to a remote office and to some VPN clients.
At our office we have a DSL connection to the internet, so my idea is to get a DSL modem and connect it to the first network card of a Windows 2K3 based server with ISA Server as firewall and DHCP server for the internal LAN; a switch will then be connected to the second network card of the ISA Server in order to deploy the internal LAN. So my question is whether this plan is good, or whether you would recommend a better solution, like using a DSL router with VPN options or something else?
In our office we have about 20 users in the internal LAN, and we will be getting only about 10 VPN users: 5 from the other office, and 5 who will connect from their laptops from different places. I already tested an L2TP connection mode with certificates, so we will be using this kind of access.
With this method I think our resources will be safe from external unauthorized access.
Some users in our internal LAN would like to have wireless access to the LAN and internet; is it enough to add an access point to the switch?
Also I would like a recommendation for protecting our resources from viruses, worms and other malware: is it better to buy an integrated solution or independent software for each type of malware? I would like to manage the software from a single console. What do you think about the McAfee and Symantec enterprise solutions?
Thanks for your help.

I can't argue with ISA as a solution, other than the cost factor. You have very few users compared to how much an ISA solution would cost. However, ISA would allow you to tightly regulate what resources VPN users would be allowed to access. Not to mention ISA arguably provides the best protection for Windows servers and clients. I would look at HP's ISA server solution, which is an HP server with Windows 2003 and ISA Standard bundled on it for a reduced cost. It's still the full version of each.
As far as malware is concerned, the problem with integrated solutions like Symantec is that I quite honestly don't think Symantec products provide good protection against spyware and adware compared to the likes of Ad-Aware. So it's kind of hard to recommend them if you want real protection.
Consider also doing the other things to secure your network that don't cost money in software. For example, do you have a WSUS server to patch all your clients? Do you audit them to ensure the latest patches are installed, using MBSA? Do you have scripting disabled for their browsers aside from allowed sites? If possible, is hardware DEP enabled using OptOut mode? Are users running under limited accounts on the machine and not as admins?
If you make sure those things are done, not that it eliminates the need for a good AV and anti-malware app, but it prevents most problems from happening in the first place.
"Enough, enough bowing down to disillusion!
Hats off & applause to rogues & evolution!
The ripple effect is too good not to mention.
If you’re not affected, you’re not paying attention!"

Hi, thanks for your answer.
I forgot to mention that our company is a Microsoft Partner, so we get all the software free of charge, so we don't have any problem in getting MS software.
About the malware, I'll take your advice and make sure I implement all the solutions you gave me, but anyway I would like to install some antivirus and antimalware software for networks, in case our employees open any infected mail or something, because they use our ISP mail and also they use MSN and Hotmail at work. :) I know this doesn't look good in a corporation, but I can't do anything to restrict the usage of MSN, as my boss also uses it.
I would like a piece of software I could manage from a single station and keep up to date. Also, auditing is a very interesting thing; I think MBSA is only for a single workstation. Is there any auditing software to control all the machines in the domain from my console?
I would also like some advice about the correct equipment to get for the DSL and to provide wireless access to our employees, please.
Thanks again.

"I forgot to mention that our company is a Microsoft Partner, so we get all the software free of charge, so we don't have any problem in getting MS software."
By all means, go for ISA 2006 then.
As for AV/anti-malware, what I was saying is I don't like any product currently available as a complete solution to protect against viruses and spyware/adware. There are plenty of good antivirus software packages out there if you want virus protection. Personally, I don't see much difference between any of those as far as protection is concerned. Symantec protects as well as McAfee, which protects as well as Grisoft, etc.
What I do see a difference in is how much system resources each take up. I like Grisoft's products over Symantec and McAfee for this very reason. They use far less system resources.
However, IMO, Symantec is a little easier to manage over an entire network than Grisoft. The interface is easier to use, etc.
"our employees open any infected mail or something, because they use our ISP mail and also they use MSN and Hotmail at work. :) I know this doesn't look good in a corporation, but I can't do anything to restrict the usage of MSN, as my boss also uses it."
With ISA, you can let your boss do it, and prevent others. :-)
"I think MBSA is only for a single workstation. Is there any auditing software to control all the machines in the domain from my console?"
Incorrect. MBSA can scan single machines, network ranges, and entire domains from a single workstation or server, not to mention a list file using the command-line version. There is also a free plug-in for Visio that allows you to conduct scans and embed MBSA reports within the Visio diagram. It is freely available from the MBSA download page at Microsoft.
If you do use MBSA to do IIS vulnerability checks from an XP machine, simply install the IIS common files component on the XP machine to enable it to do this as well.
For wireless, it really depends on how much security you want. I would say the minimum security is a WAP with WPA-PSK encryption enabled. However, preshared keys need to be changed frequently and distributed, so the more machines you have, the harder this is to manage and the easier the PSK gets compromised.
You could do stuff like use RADIUS servers, certificates, etc. to try to help reduce the likelihood of a network breach from compromising the key.
You also should consider, for additional security, what kinds of network access wireless users should have, and limit it to only that by segmenting the wifi network from the rest using a firewall, such as the ISA server you're looking to implement. You would simply add a third NIC and define it as the interface to a Wireless Network object. For example, if wifi users only need to surf the internet, then completely block all access from the wifi network to the internal network. That way, even if the wifi network is breached, your internal network faces no threat from that.
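To make the domain-wide MBSA point above concrete, here is an added example (not from either poster) of driving the MBSA command-line client, mbsacli.exe, from PowerShell: it scans every computer in a domain for missing updates against the WSUS server the clients already use, names each report consistently, and then prints the stored reports for that domain. The domain name and install path are placeholders; MBSA 2.x is assumed to be installed and the scanning account is assumed to be a local administrator on the targets.

```powershell
# Added example: domain-wide patch audit with the MBSA command-line client.
# Assumes MBSA 2.x is installed at the path below and that the account running
# this script is a local admin on the scanned machines. CORP is a placeholder.
$Mbsa   = "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
$Domain = "CORP"    # placeholder: NetBIOS name of your AD domain

# /d   scan every computer in the domain (use /r 192.168.1.1-192.168.1.254
#      for an IP range, or /listfile hosts.txt for a list of names instead)
# /wa  check only updates approved on the WSUS server the clients point at
# /n   skip the non-update checks (OS config, SQL, IIS, password) so the
#      scan stays quick; drop this switch to get the full configuration audit
# /o   store each report as "domain - computer (timestamp)"
& $Mbsa /d $Domain /wa /n "OS+SQL+IIS+Password" /o "%D% - %C% (%T%)"

# MBSA keeps reports under the scanning user's profile. /l lists their names;
# /ld prints the full details of one report. Show every report for this domain.
$reportNames = & $Mbsa /l
$reportNames | Where-Object { $_ -like "$Domain - *" } | ForEach-Object {
    $name = $_.Trim()
    Write-Host "==== $name ===="
    & $Mbsa /ld $name
}
```

Run it from a scheduled task on the management workstation after each WSUS approval cycle; the report names carry the computer and timestamp, so the output can be kept as an audit trail of which machines were still missing approved updates at each scan.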
