Should a firewall ONLY allow access to an IP range - as well as blocking ports?

From: adeveloper (adeveloper@test.com)
Date: 02/19/03


From: "adeveloper" <adeveloper@test.com>
Date: Wed, 19 Feb 2003 18:30:08 +0000 (UTC)

Just to provide some more details that don't seem to have been clear from
the last post (see below):
We do have a firewall but it is set up to let all IPs access the open
ports - we can and know how to restrict this to only allowed IPs but the
question is should we. The decision I am considering is should we restrict
access on ports we use to administer the server to an IP range only?

Some people mentioned practical considerations like accessing the server when
travelling from a DHCP-allocated address, which is an interesting point. I
just want to know what most people do here.

Pete

"adeveloper" <adeveloper@test.com> wrote in message
news:b2t72a$n7p$1@sparta.btinternet.com...
> Hi,
>
> We are currently considering if we should restrict access to our Windows
> 2000 web servers by IP address (so that the firewall only gives access to a
> list of allowed users). This would be done for things like access for
> remote control clients (terminal services, telnet, etc), etc - we remotely
> administer the machine with terminal services. I suppose it would be done
> for all ports except port 80 ideally. However this has some cost
> implications (we are a small company) and we are debating whether it is
> worth it.
>
> The argument for is that it secures us from hackers who specially target the
> machine, and it secures very vulnerable areas (such as remote control
> software that can give control of the entire machine).
> The argument against is that most vulnerabilities seem to come through port
> 80 anyway and that the best security measure is to keep up to date on all
> patches, and that the risk of an individual hacker targeting you is quite
> low - most risks come from worms, trojans, etc (although we have been
> targeted once before...).
>
> I just wanted to know what other people's experiences were with securing web
> servers, and blocking access to all IPs except those on the allowed list -
> what would you advise?
>
> Grateful for any info
> Pete
>
>
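
As an added example (not part of the original post or thread), the two firewall setups discussed above can be compared in a few lines of Python. The allowed networks, sample source addresses and function names are constructed for illustration; 23 and 3389 are the default telnet and terminal services ports.

```python
# Added example, not from the original post. The rule layout is constructed;
# 192.0.2.0/24, 198.51.100.7 and 203.0.113.50 are documentation addresses.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
ADMIN_PORTS = {23: "telnet", 3389: "terminal services"}

# Current setup described in the post: open ports reachable from every IP.
OPEN_POLICY = {80: [ANY], 23: [ANY], 3389: [ANY]}

# Considered setup: port 80 public, admin ports limited to an allowed range.
ALLOWED = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]
RESTRICTED_POLICY = {80: [ANY], 23: ALLOWED, 3389: ALLOWED}


def permits(policy, src, port):
    """Default deny: allow only if the port is listed and src is in a listed network."""
    addr = ip_address(src)
    return any(addr in net for net in policy.get(port, []))


def exposed_admin_ports(policy):
    """Return names of admin ports that the policy opens to the whole Internet."""
    return sorted(
        name for port, name in ADMIN_PORTS.items()
        if any(net.prefixlen == 0 for net in policy.get(port, []))
    )


if __name__ == "__main__":
    for label, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, "exposed admin ports:", exposed_admin_ports(policy))
        # 203.0.113.50 stands in for an admin travelling on a DHCP-allocated address.
        for src, port in (("203.0.113.50", 80), ("203.0.113.50", 3389),
                          ("192.0.2.25", 3389), ("192.0.2.25", 8080)):
            verdict = "allow" if permits(policy, src, port) else "deny"
            print(f"  {src} -> {port}: {verdict}")
```

Under the restricted policy the travelling administrator's address is denied on 3389, which is the practical cost raised in the follow-up.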


