Re: [fw-wiz] Putting MS servers behind firewalls
To: firstname.lastname@example.org Date: Wed, 9 Jun 2004 10:32:04 +0200
Hmmm... IPSec won't help much against compromised internal hosts, if that
is what the original post seeks to address.
How about putting an app proxy firewall (careful... possible latency
issues here...) between the servers and the workstations, and set MS
Exchange to communicate on specific ports (this can be done via registry
settings, as I remember...) rather than promiscuously assigning RPC ports?
Then you set the firewall to pass CIFS (or SMB, depending on what the
specific firewall calls it...) traffic between the workstation network and
the server network, and ditto for traffic on the ports you limit Exchange
to using. The CIFS proxy will deal with File and Print as well as AD,
while a custom protocol will deal with Exchange.
I have something similar (just Notes instead of Exchange) between our
country office and head office, and it works very well (with a Symantec
Gateway Security appliance with firewall (Symantec enterprise Firewall),
IDS/IPS and AV switched on).
If you get a multi-function applicance with proxy firewall, IDS/IPS and AV
scanning (for WWW, FTP and SMTP) enabled, you will be protecting your
servers fairly well, if your configurations are anywhere near sane.
Caveat: some app proxy firewalls may need some tuning in order to prevent
possible DoS due to the sheer volume of USP traffic that AD can generate.
A good idea may be to set up a mini-lab with 3 workstations and an
Exchange/AD/Fileserver, and test a few configurations with demo versions
of various firewalls and appliances... this should give you a feel for
what can realistically be done.
J o h a n n v a n D u y n, CISSP
"A human being should be able to change a diaper,
plan an invasion, butcher a hog, conn a ship, design a building,
write a sonnet, balance accounts, build a wall, set a bone,
comfort the dying, take orders, give orders, cooperate, act alone,
solve equations, analyze a new problem, pitch manure, program a computer,
cook a tasty meal, fight efficiently, die gallantly.
Specialization is for insects."
-- Robert Heinlein
"Dan Harp" <email@example.com>
Sent by: firstname.lastname@example.org
Subject: Re: [fw-wiz] Putting MS servers behind firewalls
I would recommend using IPSec if you want to lock down communication
servers and workstations.
Have a look at this:
>Subject: [fw-wiz] Putting MS servers behind firewalls
> I ran in to a problem putting Microsoft Servers behind a
>users has to go through the FW to access the servers. The servers I
>wanted to put are on an AD domain. There were AD server, File server and
>an Exchange server. These servers need a large no. of services opened
>for proper operation. The worse is that exchange server work in a
>dynamic port setup where the server opens a random port for each
>different client. MS site has some registry edits that is supposed to
>correct this dynamic port setup issue. But when I tried these they did
>not work as per the document describes.
> Has anybody done this kind of a setup (with other than an
>I am interested in doing this with Netscreen/Pix and Linux IPTables. Any
>help is appreciated.
>Thanks in advance
Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient. Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for the contents of this message. If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful.
firewall-wizards mailing list