Windows 2003 linking 2 networks - security

[gazzak]

Hi folks,

I have 2 networks. One is our test network, the other is the corporate live network. The 2 networks are seperate.

I have a windows 2003 server that has 2 NIC's installed, and I would like this to have 1 NIC connected to the test network, and the other NIC connected to the live network. This is all above board and the company wants this.

My problem is this, I require all test network pc's to access the internet through the 2003 server and live network, but ONLY have port 80 available, so no other traffic can leave the test network. I also require no traffic whatsoever from the live network to come into the test network.

It would appear I need something running between the NIC cards on the 2003 server. I'm thinking NAT, but does anyone have experience with this? Is there a better solution?

[NooNoo]

ISA server....

[gazzak]

ISA server....

Really? Never looked into that!

Basically been stuck in front of the server all day with test machines littered all around playing with the NAT stuff. When I walked out at 7pm it was working as I wanted it to be, and my knowledge of NAT and routing has risen considerably.

I don't recommend it!!!

When I get back off leave I'll take a peek at ISA server, or get a seperate linux box as the unix boys have kept on saying all ****y day.

[NooNoo]

smoothwall would probably be the choice.... but if you wanted to go Windows then ISA server would be the one.

[gazzak]

smoothwall would probably be the choice.... but if you wanted to go Windows then ISA server would be the one.

We've got quite a few spare boxes kicking around and the more I think about it the better off we'd be with Linux and smoothwall. Thanks NooNoo.

[pbolduc]

A more expensive hardware solution but easier to implement would be to purchase a layer 3 switch $$$$ and a decent VLAN capable router $$$. Setup trunk between the router and the layer 3 managed switch. Configure two VLAN Interfaces on the Router (VLAN1 and VLAN2) one for "Testing Network" and one for "Live Network". Have each VLAN on their own unmanaged switch to cut costs. Configure one "Access port" for each VLAN ID on the Managed switch for each unmanaged switch VLAN and control the traffic between the two VLAN's using the firewall policies on the router. No NAT or static route entries are required as the router will automatically determine the best route for you. You can use the firewall policies to control traffic flow and have uni-directional access so that the "Live Network" can access the "Testing Network" but "Testing Network" cannot access "Live Network" and you can also specify the services that are passed through to each VLAN by means of the firewall policies. As well, you can also specify access by device IP.

So lets say you want a certain worksations on the "Live Network" to be accessible by the "Testing Network" you can define this so only specific computers are accessible through the VLAN. It works really good on my end with way less complication as software solutions can be confusing and difficult to troubleshoot in the event there are problems.

At this point having two network cards in your server is great because you can have each NIC configured and wired directly to each VLAN so it can manage both physically separated networks without having to create a separate firewall policy and your server can still manage the Internet Access through the server DHCP service.

[gazzak]

Thanks for the long reply PB. However...

...back to work today and once I'd sorted the emails out I found a disused box, downloaded and installed smoothwall, configured, tested, configured some more and it's absolutley perfect for our needs. Everything I wanted in the first post is now happening. Highly recommended for smaller networks or home use.

Thanks all.