Re: Firewall, VPN and SQL Server

From: Leythos (void_at_nowhere.com)
Date: 09/30/03


Date: Tue, 30 Sep 2003 02:00:23 GMT


In article <74883250.0000426f.062@drn.newsguy.com>, ec-
nospam@microsoft.com says...
> I'm setting up a linux firewall for my company's T1. All of our other machines
> will be windoze. I also need to setup a Windows VPN server (can't use the linux
> clients for reasons I can't get into here).
>
> 1) Someone suggested to me that I put the VPN in the linux DMZ and forward the
> ports to that machine. Does that make sense?

In general, I always VPN into the firewall appliance and then create
rules that allow the VPN group(s) to access the resources that I want
them to be able to access.

> 2) I also have another security question which I have no idea how to handle. We
> have some application (IIS) servers that we want on the internet. I can put
> those outside of the firewall (or port forward 80 to that machine), BUT those
> machines will need access to servers INSIDE the firewall (SQL Server). Any
> suggestions on how to handle this one? I haven't a clue :(

First - Web servers belong in the DMZ when they also provide public
access. You only enable 80/443 to them.

Second - The database server belongs in the LAN side - you create a rule
that maps 1433 (MS SQL) from the DMZ to the LAN (make sure that you map
IP Address:1433 to IP Address:1433). Do not just map 1433 from any IP to
any IP. Do not map any other ports from the DMZ to the LAN.

Third - Make a LAN port 80/443 to DMZ port 80/443 (ANY IP address on the
LAN) - do not map from the DMZ to the LAN with this rule.

Fourth - setup DNS inside your LAN - you need to create records for the
web server sites in your internal DNS so that the LAN users can get to
them using proper names. In many cases, NAT through a firewall will
not resolve names properly for DMZ private IP addresses, and the users
will fail to connect.

Once your internal machines have the first DNS as your LAN DNS Server,
and secondary as your external DNS server, you should be able to browse
to the web server in the DMZ by web site name, and the rest of the
internet too.

There are many other rules you will need to create for normal browsing
and such, but these specifically cover your question.

As a means of making sure that you get a quality/secure result, hire an
IT security consultant to build it for you.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
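An added example of the first three rule groups above as an iptables script for the Linux firewall in the question (this is not code from the original post or from either poster). The interface names, the 203.0.113.5 public address and the 192.168.100.x / 10.0.0.x hosts are assumed placeholders; the script prints its commands by default and only applies them when run as root with "apply".

```shell
#!/bin/sh
# Added example (not from the original post): iptables FORWARD/NAT rules for
# the DMZ / LAN layout Leythos describes. Interface names, the 203.0.113.5
# public IP and the DMZ/LAN addresses are assumed placeholders; adjust them.
# Usage: "sh dmz-rules.sh show" prints the commands, "apply" runs them.
set -eu

IPT=${IPT:-iptables}

WAN_IF=${WAN_IF:-eth0}   # T1 / Internet side (assumed)
DMZ_IF=${DMZ_IF:-eth1}   # DMZ holding the IIS host (assumed)
LAN_IF=${LAN_IF:-eth2}   # LAN with SQL Server and the users (assumed)

WAN_IP=${WAN_IP:-203.0.113.5}        # firewall's public address (assumed)
WEB_DMZ=${WEB_DMZ:-192.168.100.10}   # IIS web server in the DMZ (assumed)
SQL_LAN=${SQL_LAN:-10.0.0.20}        # SQL Server on the LAN (assumed)
LAN_NET=${LAN_NET:-10.0.0.0/24}      # LAN subnet (assumed)

# Default-deny forwarding; replies to accepted flows pass in both directions.
base_policy() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# First: Internet -> DMZ web server, 80/443 only. The DNAT forwards the public
# ports to the DMZ host; the FORWARD rule admits only those two ports.
internet_to_web() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp \
        -m multiport --dports 80,443 -j DNAT --to-destination "$WEB_DMZ"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_DMZ" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
}

# Second: DMZ -> LAN, 1433 from the web server's IP to the SQL Server's IP.
# The form the post warns against (do NOT use): no -s/-d, so a compromised
# DMZ host could reach port 1433 on any LAN machine:
#   $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp --dport 1433 -j ACCEPT
dmz_to_sql() {
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$WEB_DMZ" -d "$SQL_LAN" \
        -p tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else from the DMZ into the LAN is logged and then falls
    # through to the DROP policy: no other DMZ -> LAN ports are mapped.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ->LAN denied: "
}

# Third: any LAN host -> DMZ web server on 80/443. Replies return through the
# ESTABLISHED rule, so no DMZ -> LAN rule is added for this traffic. LAN users
# must resolve the site name to WEB_DMZ (the post's fourth point, internal
# DNS); this script does not hairpin LAN clients through the WAN_IP DNAT.
lan_to_web() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB_DMZ" \
        -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
}

apply_all() {
    base_policy
    internet_to_web
    dmz_to_sql
    lan_to_web
}

case "${1:-show}" in
    show)  IPT="echo iptables"; apply_all ;;   # dry run: print the commands
    apply) apply_all ;;                        # needs root and iptables
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with "show" first and read the printed rules; the only ACCEPT from the DMZ interface into the LAN should be the single source-IP-to-destination-IP 1433 line. Rules for the LAN's own Internet browsing and for the VPN users are left out, as the post says they are separate from the question.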
