Re: Please Help

From: DX (007@sxu.cjb.net)
Date: 10/11/02


From: "DX" <007@sxu.cjb.net>
Date: Thu, 10 Oct 2002 19:11:27 -0700

Thank you very much for all of your helpful answers. I find this
information very instructive and enlightening.

Sincere thanks,

"David" <davidwnh@adelphia.net> wrote in message
news:H8dp9.19359$m92.4611740@news1.news.adelphia.net...
> I think a lot of companies go firewall -> webservices -> firewall -> LAN
> because their workstations tend to have company-sensitive information, but
> you can put your webservers behind the single firewall. You lose a level of
> protection with a single firewall so you need to be real thorough. If you
> can put a firewall outside of everything and can afford a good enterprise
> class firewall, they make antivirus plugins for some of them that will virus
> scan all the traffic coming in at the firewall. Definitely a plus when you're
> running IIS. If you go with the single firewall, the setup to publish them on
> the internet with private IPs depends on what you're running for a
> firewall. My firewall, for example, would force me to assign two public IP
> addresses on the external ethernet adapter to publish both webservers on
> port 80; however, I could use a single public IP if the second webserver is
> run on a different port. Your best is two IPs. This all depends on what you
> have for a firewall and whether you're running DNS servers internally or using
> your ISP's DNS.
>
> Simple way to secure them? Not IMHO. The key when you do this is that you
> need to isolate the webservers as much as possible from the rest of your
> network. IIS seems to be a favorite target of hackers these days, so go in
> with the attitude that they will get hacked (most likely by a worm) and work
> your strategy from there. If you design your security around this attitude,
> the idea to keep in mind is that if a hacker does get a trojan onto one of the
> webservers or can set up a user account on one of them, he will have total
> access to that machine. So the basic idea is to make sure that a user
> logged onto the webserver with admin rights has no access to the rest of
> your network. That being said, I would put three ethernet adapters on the
> firewall. One to the internet, one to the webservers, one to the rest of
> your LAN. This way you can put your LAN and servers on separate subnets and
> control all your access from a single machine. Your firewall should be able
> to filter just port 80 (or whatever port you assign to IIS) traffic into the
> webservers from the internet, whatever you need from the LAN to the
> webservers, and NO ACCESS from the webservers to the LAN. If it can't do
> this, it's time to get a better firewall. By allowing no access from the
> servers to the LAN you'll block a hacker from using them to get at your LAN.
> You can then use TCP/IP filtering on the webservers to further lock them
> down. No need for extra security software on them. The hacker's gonna try to
> set up his access right through port 80 no matter what you do, and the
> firewall should already be blocking everything else.
>
> I don't know what other services you need on these servers so some of the
> following may or may not apply.
>
> Install your webservers as standalone servers, DO NOT ATTACH THEM TO A
> WINDOWS DOMAIN.
> If you are already running AD on these servers to control a domain I would
> seriously advise you to run the webservers on separate machines. Domain
> Administrator privileges make every hacker smile.
> Do not run or if possible even install unnecessary services.
> Do not enable netbios.
> Put your webserver file shares on a partition separate from the system
> partition.
> Do not install unnecessary software.
> Do not put any personal or sensitive company information on them.
> Keep your OS and Antivirus software up to date.
> Work your access from the ground up. Close up all ports, minimize ACL
> permissions, etc. Then open up specific ports and add permissions as they
> are needed. Before you actually open it up to the internet, ghost your
> hard drives so that you have an easier restoration path if you do get hacked.
> And so on and so forth.
>
> Go to Microsoft's site and get the Baseline Security Advisor. Also get their
> IIS Lockdown tool. They have a huge list of the things you should do and
> sample files, etc. to delete off the machines.
>
> I would also say get one of those big fat boring 1000 page books on how to
> secure IIS (a couple highlighters and a couple lbs. of coffee).
>
>
> "DX" <007@sxu.cjb.net> wrote in message
> news:ao2utt$5is$1@woodrow.ucdavis.edu...
> > In our office, we used to have very bad computer security. We recently
> > installed a firewall, and behind it are twenty Windows 2000 machines. Right
> > now things look better because we don't get any more viruses (for these PCs
> > behind the firewall). However, recently our security logs indicate hackers
> > are actually doing daily port scanning and trying to break into our
> > network by using different scripts and commands. What I am really concerned
> > about is the two stand-alone Win2000 web servers we have in our office with
> > routable IP addresses. Since they are not behind a firewall as the other
> > twenty PCs are, what should we do in order to protect them from hackers?
> >
> > 1). It looks to me like I can also put these two web servers behind the
> > firewall, and let them have private network IP addresses; then when the
> > firewall receives web site requests, the firewall will route the requests to
> > the appropriate web server. Will this actually work? I have never tried it
> > before and I would appreciate it if someone could recommend a web link for
> > us to learn how to do this.
> >
> > 2). Is there any simple way to protect web servers? I mean, can I install
> > any security programs, such as Norton Internet Firewall, and block all
> > ports except port 80? Will this work well?
> >
> > 3). What is the most common way for people to protect their web servers?
> > Can you share with me your experience?
> >
> > Thank you very much for your help and advice,
> >
> >
> >
> >
> >
>
>
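
The three-adapter policy described in David's reply (port 80 in from the internet, only what is needed from the LAN, nothing from the webservers to the LAN), as an added example that is not part of the original thread: a small Python audit over constructed, vendor-neutral rule lists. The zone names, the `Rule` format, the probe ports and the first-match/default-deny semantics are assumptions for illustration; only new connections are modelled, with reply traffic assumed to be handled statefully by the firewall.

```python
from dataclasses import dataclass

WEB_PORT = 80  # assumption: IIS is published on port 80
PROBE_PORTS = (21, 25, 80, 135, 139, 443, 445, 1433, 3389)  # constructed sample

@dataclass(frozen=True)
class Rule:            # hypothetical, vendor-neutral rule format
    src: str           # zone: "internet", "dmz" (webservers) or "lan"
    dst: str
    port: object       # an int, or "any"
    action: str        # "allow" or "deny"

def decide(rules, src, dst, port):
    """First matching rule wins; unmatched new connections are denied."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.port in ("any", port):
            return r.action
    return "deny"

def audit(rules, lan_to_dmz=(WEB_PORT,)):
    """List every way the ruleset departs from the three-zone policy."""
    findings = []
    for p in PROBE_PORTS:
        if decide(rules, "dmz", "lan", p) == "allow":
            findings.append(f"dmz->lan port {p}: webservers can reach the LAN")
        if decide(rules, "internet", "lan", p) == "allow":
            findings.append(f"internet->lan port {p}: LAN exposed")
        if p != WEB_PORT and decide(rules, "internet", "dmz", p) == "allow":
            findings.append(f"internet->dmz port {p}: more than the web port is open")
        if p not in lan_to_dmz and decide(rules, "lan", "dmz", p) == "allow":
            findings.append(f"lan->dmz port {p}: not on the needed list")
    if decide(rules, "internet", "dmz", WEB_PORT) != "allow":
        findings.append("internet->dmz web port blocked: site is not published")
    return findings

# Constructed rulesets
GOOD = [Rule("internet", "dmz", 80, "allow"), Rule("lan", "dmz", 80, "allow")]
BAD = [Rule("internet", "dmz", "any", "allow"),   # everything open to the webservers
       Rule("dmz", "lan", 445, "allow"),          # file sharing back into the LAN
       Rule("lan", "dmz", 80, "allow")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rules) or "no findings")
```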


