-
Great White Shark
That's odd. Even at the MS training events we go to in Orlando or Jax, they run Laptops with just a gig of memory and easily run 2 or 3 servers on that with DCs and Exchange. It's not the fastest out there but more than enough for learning and testing. I'm kind of surprised you saw such poor performance. Any chance something else was going on?
-
Great White Shark
 Originally Posted by Thermo
If you run the IAS on the SBS box, how will you setup your intrusion detection?
You mean ISA right? Not Internet Authentication Service?
Are you talking about IDS in ISA?
-
But in those lab environments they aren't doing any real work. My systems run my household and the Virtual Server is for alpha & beta testing MS products and adjuncts such as Diskeeper.
IMO SQL Server is the real performance culprit as it will suck up all resources it can get. I can see graphically the available memory decrease as it caches data. I usually have 5 SQL databases going at any point in time - Exchange, Diskeeper Admin., Environment, Documents and Financial. Processor power is never a problem at 80% cpu utilization on a Dual Xeon 2.4GHz HT box w/4GB RDRam memory.
(I need to simplify my systems/my life!)
*edit* The MRTG software is offline, but it usually reports between 950 and 1,000 threads running and about 10-15 physical disk I/Os per second 24/7/365 on the host OS. More when the system is very busy with Diskeeper.
Last edited by ua549; 02-01-2006 at 02:51 PM.
-
Great White Shark
 Originally Posted by vertices
You mean ISA right? Not Internet Authentication Service?
Are you talking about IDS in ISA?
Ya I meant ISA, I was observing a training class and not paying full attention to what I was typing.
I am talking IDS but not IDS in the ISA box and especially not IDS on ISA running on the SBS box. I’m talking more about an appliance that sits on your perimeter subnet behind your perimeter firewall. With SBS, I would use ISA on the SBS box if I had another firewall between it and the WAN. But not if the SBS server was connected to the WAN directly.
Normally I would have a firewall on the WAN interface. Can be PIX or whatever, then on the perimeter LAN subnet I would have an IDS device. I like Cisco 4215’s but there are lots of others. Then I would have the secondary firewall, which can be ISA on the SBS box, so long as the perimeter firewall is not also ISA. Then, if they have the bucks and have high value data, one or more detection devices on the internal LAN.
"All mankind is divided into three classes: those that are immovable, those that are movable, and those that move."
January 21, 2013 The End of an ERROR
-
I found most of the security stuff that I worried about came from internal sources on a LAN. That is where I put most of the security money. For anyone with high value and/or high security data, leak prevention is the hardest and most expensive task.
I've gone so far as using rack mounted client machines in a secure comm closet to prevent users from using unauthorized hardware, removable media devices, etc. for copying or transferring files. Filtering outgoing email is another big issue.
-
Great White Shark
 Originally Posted by Thermo
Ya I meant ISA, I was observing a training class and not paying full attention to what I was typing.
I am talking IDS but not IDS in the ISA box and especially not IDS on ISA running on the SBS box. I’m talking more about an appliance that sits on your perimeter subnet behind your perimeter firewall. With SBS, I would use ISA on the SBS box if I had another firewall between it and the WAN. But not if the SBS server was connected to the WAN directly.
Normally I would have a firewall on the WAN interface. Can be PIX or whatever, then on the perimeter LAN subnet I would have an IDS device. I like Cisco 4215’s but there are lots of others. Then I would have the secondary firewall, which can be ISA on the SBS box, so long as the perimeter firewall is not also ISA. Then, if they have the bucks and have high value data, one or more detection devices on the internal LAN.
Yeah I got you. Although I am talking about my home. I don't need to go that crazy. ISA 2004 is a secure firewall. Just as good as a PIX if not better IMO when you add in application filtering.
None of my small business clients are using ISA as a firewall. All of them have a PIX or a Firebox in front of the SBS. Although for some new small business clients, I'm gonna be putting an SBS box with ISA on it directly attached to the WAN. I feel that it is very secure when configured properly, i.e. limiting connections, properly configured ISA etc. Not to mention very usable and very affordable.
The only standalone installation of ISA 2004 I've personally done is for a Hospital. It wasn't used as a firewall in this deployment, simply as a reverse proxy sitting in the DMZ for secure publishing of OWA.
Last edited by vertices; 02-01-2006 at 05:29 PM.
-
Great White Shark
Well I wussed out in the end. Decided to save some cash.
I ended up buying 2 SC430s. They got a great deal going on right now at www.dell.com/smb/yearofserver but it ends today.
For $1950 shipped I got:
Quantity 1 SC430 with a PentiumD 3.0Ghz Dual Core and 2GB of RAM with 2 80GB SATA drives. This will be my dedicated SBS box.
Quantity 1 SC430 with a PentiumD 3.0Ghz Dual Core and 4GB of RAM with 2 80GB SATA drives. This will be my dedicated Virtual Server box.
I'm gonna switch out the drives in the first SC430 (the SBS box) with 400GB Western Digital Enterprise drives in RAID 1. Should be plenty.
All in all I'm pretty happy. I saved some money and I bet performance is actually a little bit better by splitting up the load like that instead of dumping it all on a 3.2Ghz Dual CPU Xeon with 4GB of RAM. Of course the drive system can't compare but I've only got 2 people hitting them.
Last edited by vertices; 02-01-2006 at 09:14 PM.
-
Great White Shark
 Originally Posted by vertices
Yeah I got you. Although I am talking about my home. I don't need to go that crazy. ISA 2004 is a secure firewall. Just as good as a PIX if not better IMO when you add in application filtering.
None of my small business clients are using ISA as a firewall. All of them have a PIX or a Firebox in front of the SBS. Although for some new small business clients, I'm gonna be putting an SBS box with ISA on it directly attached to the WAN. I feel that it is very secure when configured properly, i.e. limiting connections, properly configured ISA etc. Not to mention very usable and very affordable.
The only standalone installation of ISA 2004 I've personally done is for a Hospital. It wasn't used as a firewall in this deployment, simply as a reverse proxy sitting in the DMZ for secure publishing of OWA.
You need to route to the WAN anyway, why not use a little firewall router? They don't cost much. I just don't want to be having all my eggs in one basket.
-
Great White Shark
 Originally Posted by ua549
I found most of the security stuff that I worried about came from internal sources on a LAN. That is where I put most of the security money. For anyone with high value and/or high security data, leak prevention is the hardest and most expensive task.
I've gone so far as using rack mounted client machines in a secure comm closet to prevent users from using unauthorized hardware, removable media devices, etc. for copying or transferring files. Filtering outgoing email is another big issue.
I hear what you are saying. We run a couple of segregated networks that have their own DCs and no internet connectivity. But they will hire almost anyone to drive the workstations. I suggested that we needed to run financials on the network staff, and was told to basically stuff it and keep my mouth shut. There have been two chapter 11’s and another who was about a month away when we hired him. I was always taught that these were big ugly red flags.
-
Yup, I had issues with engineering staff e-mailing or otherwise sending prints and process listings for satellite technology off premises. I finally caught them all, one in South America at a technology convention booth trying to offer design services. It is a battle. And this company vetted every employee through a very professional security agency every year. As a consultant I had to endure not only a physical with blood tests, but a psychological exam and a lie detector session. I wonder what the prospective employee and their family had to endure.
Vertices - I think you made the right decision separating the Virtual Server applications from the rest of the applications.
-
Great White Shark
 Originally Posted by Thermo
You need to route to the WAN anyway, why not use a little firewall router? They don't cost much. I just don't want to be having all my eggs in one basket.
The main reason is cost. Many of these clients have either DSL, Cable, or a T1 on a channelbank bundled with their voice service. In all cases, they already have capability to just pass those public addresses directly to the SBS. A lot of them have already stretched out for a 2800 and a tape drive, plus labor. If I can save them $1200.00 on a 506e and a smartnet and eliminate some more labor and another point of failure by just using ISA on SBS, I think it's a great little solution.
Security is a sliding scale. You've got Highly Secure on one side, and cheap/convenient on the other. You've got to try to set that right for each client. In a perfect world, there would be tons of money for everyone to have the most secure network possible and an Admin to run it. In reality, resources are limited.
If I wanted to really be safe with my home, I'd go all out and have motion detectors, electrified fences, steel doors, bulletproof windows, and a personal security guard with an automatic weapon. The reality is I have to do a cost/benefit analysis on each of these. So in the end I lock my doors and windows, turn on the lights, set the alarm, and hope that's good enough to keep the bad guys away.
I look at network security the same way. For a small client with not much money, 10 computers, just trying to make ends meet, a properly set up SBS with ISA in my opinion is more than adequate. Having a PIX as well is something that I can't always justify. Not only that but ISA is great as far as user authentication and outbound control for internet access.
Now our larger clients are completely different. We're just finishing up a $300,000.00 APC power proposal for one of our biggest clients, but the same cost/benefit analysis applies. It just ends up that for them, those extras ARE worth it and they have the money to make them happen.
Not that I'm saying something that you guys don't already know. I just thought I'd lay out my views when it comes to the smaller clients.
Wow that got long. Sorry.
Last edited by vertices; 02-01-2006 at 09:33 PM.
-
The Medieval Mod
 Originally Posted by ua549
The biggest drawback to SBS is the 2GB memory limit. I hope they do away with that limit. That is the main reason I no longer use SBS.
I just found a *doc file within my files when I was in Finland (Sept-Dec 2005) that mentions SBS's limit is 4 GB
Title of the document
Introduction to Windows Small Business Server 2003 for Enterprise IT Pros
Microsoft Corporation
Published: September 2005 (Version 1)
Author: Stephen Oliver
Don't remember where I downloaded it, but I'm pretty sure it was from MS website
ADD: nevermind, I remember you didn't have an answer but I didn't reread the thread where you mention you got an answer from MS.
Last edited by freedonX; 02-11-2006 at 11:07 PM.
"Est Solarus Oth Mithas"
My Honor is My Life
(\__/)
(='.'=)This is Bunny. Copy and paste bunny into your
(")_(")signature to help him gain world domination