Re: [fw-wiz] Putting MS servers behind firewalls

Johann_van_Duyn_at_bat.com
Date: 06/09/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] AltaVista Firewall" 
    To: firewall-wizards@honor.icsalabs.com
Date: Wed, 9 Jun 2004 10:32:04 +0200

    Hmmm... IPSec won't help much against compromised internal hosts, if that
    is what the original post seeks to address.

    How about putting an app proxy firewall (careful... possible latency
    issues here...) between the servers and the workstations, and set MS
    Exchange to communicate on specific ports (this can be done via registry
    settings, as I remember...) rather than promiscuously assigning RPC ports?
    Then you set the firewall to pass CIFS (or SMB, depending on what the
    specific firewall calls it...) traffic between the workstation network and
    the server network, and ditto for traffic on the ports you limit Exchange
    to using. The CIFS proxy will deal with File and Print as well as AD,
    while a custom protocol will deal with Exchange.

    I have something similar (just Notes instead of Exchange) between our
    country office and head office, and it works very well (with a Symantec
    Gateway Security appliance with firewall (Symantec enterprise Firewall),
    IDS/IPS and AV switched on).

    If you get a multi-function applicance with proxy firewall, IDS/IPS and AV
    scanning (for WWW, FTP and SMTP) enabled, you will be protecting your
    servers fairly well, if your configurations are anywhere near sane.

    Caveat: some app proxy firewalls may need some tuning in order to prevent
    possible DoS due to the sheer volume of USP traffic that AD can generate.

    A good idea may be to set up a mini-lab with 3 workstations and an
    Exchange/AD/Fileserver, and test a few configurations with demo versions
    of various firewalls and appliances... this should give you a feel for
    what can realistically be done.

    Cheers

    --------------------------------------------------------
    J o h a n n v a n D u y n, CISSP
    --------------------------------------------------------
    "A human being should be able to change a diaper,
     plan an invasion, butcher a hog, conn a ship, design a building,
     write a sonnet, balance accounts, build a wall, set a bone,
     comfort the dying, take orders, give orders, cooperate, act alone,
     solve equations, analyze a new problem, pitch manure, program a computer,
     cook a tasty meal, fight efficiently, die gallantly.

     Specialization is for insects."

         -- Robert Heinlein

    "Dan Harp" <danh@brenius.net>
    Sent by: firewall-wizards-admin@honor.icsalabs.com
    08-06-2004 18:28

     
            To: firewall-wizards@honor.icsalabs.com
            cc:
            Subject: Re: [fw-wiz] Putting MS servers behind firewalls

    I would recommend using IPSec if you want to lock down communication
    between
    servers and workstations.

    Have a look at this:

    http://hfnetchk.shavlik.com/support/ipsec_scan.pdf

    - Dan

    <snip!>

    >Subject: [fw-wiz] Putting MS servers behind firewalls
    >
    >Hi Wizards,
    >
    > I ran in to a problem putting Microsoft Servers behind a
    firewall.
    >The
    >users has to go through the FW to access the servers. The servers I
    >wanted to put are on an AD domain. There were AD server, File server and
    >an Exchange server. These servers need a large no. of services opened
    >for proper operation. The worse is that exchange server work in a
    >dynamic port setup where the server opens a random port for each
    >different client. MS site has some registry edits that is supposed to
    >correct this dynamic port setup issue. But when I tried these they did
    >not work as per the document describes.
    >
    > Has anybody done this kind of a setup (with other than an
    ISA
    >server).
    >I am interested in doing this with Netscreen/Pix and Linux IPTables. Any
    >help is appreciated.
    >
    >
    >
    >Thanks in advance
    >
    >Dilan

    ______________________________________________________________________
    Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient. Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for the contents of this message. If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful.
    ______________________________________________________________________
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Paul D. Robertson: "Re: [fw-wiz] AltaVista Firewall"

    Relevant Pages