Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?
From: Chris Comley (Chris_@spamdeath.kill.die.wizards.co.uk)
Date: 02/20/03
- Next message: nemo: "Re: Problems with security on cable connection"
- Previous message: Jim Watt: "Re: My Windows XP system is 100% secure - nobody can get in"
- In reply to: adeveloper: "Should a firewall ONLY allow access to an IP range - as well as blocking ports?"
- Next in thread: NeoSadist: "Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?"
From: Chris Comley <Chris_@spamdeath.kill.die.wizards.co.uk> Date: Thu, 20 Feb 2003 11:55:11 +0000
It's a question of how secure/paranoid you want to be.

For example, I often set up our customers with an open port for VNC
and/or Terminal Services so we can remote-admin their servers. But if
I do this I *only* permit access to those ports from our office
systems.

If a customer wants VNC so he can remote access his own computers,
it's more of a problem as he usually has a dynamic IP at home. Times
like this are when I start suggesting he use VPN.

If you run a web server behind the firewall, then you probably have to
make port 80 open to The World. But if it's an extra-net, and you can
limit the access to specific IP ranges the authorised users of the
system are on, then do so.

"adeveloper" <adeveloper@test.com> wrote:
>Just to provide some more details that don't seem to have been clear from
>the last post (see below):
>We do have a firewall but it is set up to let all IPs access the open
>ports - we can and know how to restrict this to only allowed IPs but the
>question is should we. The decision I am considering is should we restrict
>access on ports we use to administer the server to an IP range only?
>
>Some people mentioned practical considerations like accessing the server when
>travelling from a DHCP allocated address which is an interesting point. I
>just want to know what most people do here.
>
>Pete
>
>"adeveloper" <adeveloper@test.com> wrote in message
>news:b2t72a$n7p$1@sparta.btinternet.com...
>> Hi,
>>
>> We are currently considering if we should restrict access to our Windows
>> 2000 web servers by IP address (so that the firewall only gives access to a
>> list of allowed users). This would be done for things like access for
>> remote control clients (terminal services, telnet, etc), etc - we remotely
>> administer the machine with terminal services. I suppose it would be done
>> for all ports except port 80 ideally. However this has some cost
>> implications (we are a small company) and we are debating whether it is
>> worth it.
>>
>> The argument for is that it secures us from hackers who specially target the
>> machine, and it secures very vulnerable areas (such as remote control
>> software that can give control of the entire machine).
>> The argument against is that most vulnerabilities seem to come through port
>> 80 anyway and that the best security measure is to keep up to date on all
>> patches, and that the risk of an individual hacker targeting you is quite
>> low - most risks come from worms, trojans, etc (although we have been
>> targeted once before...).
>>
>> I just wanted to know what other people's experiences were with securing web
>> servers, and blocking access to all IPs except those on the allowed list -
>> what would you advise?
>>
>> Grateful for any info
>> Pete
>>
>>
>
--- Wizards Ltd www.wizards.co.uk UK supplier of Sonicwall, Watchguard, Zywall.
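
The policy discussed in this thread (port 80 open to everyone, remote-administration ports limited to a known source range) can be checked mechanically. The following is an added example, not part of the original post or any vendor's rule format: it models a first-match, default-deny rule list and flags administration ports that are allowed from an overly wide source range. The rule layout, the function names and the 203.0.113.0/28 "office" range are assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy: first match wins, anything unmatched is denied.
# 203.0.113.0/28 is a documentation range standing in for the admin office.
ADMIN_PORTS = {23: "telnet", 3389: "Terminal Services", 5900: "VNC"}
ANY = "0.0.0.0/0"

RULES = [
    {"port": 80,   "src": ANY,              "action": "allow"},
    {"port": 3389, "src": "203.0.113.0/28", "action": "allow"},
    {"port": 5900, "src": ANY,              "action": "allow"},  # too wide
]


def decide(rules, src_ip, port):
    """Return the action of the first rule matching src_ip and port, else 'deny'."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["port"] == port and addr in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    return "deny"


def exposed_admin_ports(rules, max_hosts=256):
    """List admin ports allowed from a source range larger than max_hosts addresses."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["src"])
        if (rule["action"] == "allow"
                and rule["port"] in ADMIN_PORTS
                and net.num_addresses > max_hosts):
            findings.append((rule["port"], ADMIN_PORTS[rule["port"]], rule["src"]))
    return findings


if __name__ == "__main__":
    for port, name, src in exposed_admin_ports(RULES):
        print(f"port {port} ({name}) is open to {src}; restrict it to the admin range")
    # An address outside the office range is refused on the admin port
    print("198.51.100.7 -> 3389:", decide(RULES, "198.51.100.7", 3389))
    print("198.51.100.7 -> 80:  ", decide(RULES, "198.51.100.7", 80))
```
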