RE: Should I keep port 445 open between my DMZ and my inside LAN?
From: TJ Campana [MSFT] (tcampana_at_online.microsoft.com)
Date: 05/04/04
- Next message: Sandi - Microsoft MVP: "Re: Lost Inbox Files"
- Previous message: TJ Campana [MSFT]: "RE: can't boot xp home think have virus"
- In reply to: Dave Foster: "Should I keep port 445 open between my DMZ and my inside LAN?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 04 May 2004 12:49:26 GMT
>I have a DMZ with an ASP app running on IIS that accesses a SQL server in my
>inside LAN. Do I need to keep 445 open for this SQL ODBC connection to work
>or can I safely plug it? What Microsoft stuff relies on 445? I read
>something somewhere about a deal that Microsoft was cooking up with Visa
>that would use this port for some kind of SSL enhancement.
>
>Thanks,
>Dave
Dave,
That is a difficult question to answer as I am not sure what in your environment is using port 445 between the DMZ and your internal network. SQL can use what is called a Named Pipe connection that will use 139 or 445 to pass information. Are you using a named pipes connection or a traditional 1433 SQL connection (TCP)?
You can check to see what the application on the DMZ is using for communication to the LAN using Network Monitor from that system and analyzing the data in the trace to see what protocols are being used.
Also, if the firewall supports the use of ACLs, then I would suggest only allowing the systems in the DMZ that need to speak to internal resources through the firewall rather than simply publishing the port indiscriminately.
A more elegant solution is to block everything between the DMZ and the internal LAN except IPSec traffic and secure the communication between the DMZ and the LAN using IPSec through the firewall:
Traffic That Can--and Cannot--Be Secured by IPSec (253169)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;253169
832017 Port Requirements for the Microsoft Windows Server System
http://support.microsoft.com/?id=832017
T.J. Campana [MSFT]
Microsoft EPS Security
-- This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
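A quick way to answer the named-pipes-versus-1433 question the reply raises, short of a full Network Monitor trace: take `netstat -n` output on the DMZ web server and see which ports it actually uses toward the SQL host. This is an added example, not code from the thread or from Microsoft; the addresses and the netstat sample are constructed, and the port-to-role table covers only the ports named above.

```python
import re
from collections import defaultdict

# Ports a Windows SQL client may use toward the server, as described in the
# reply: 139/445 carry SMB named pipes, 1433 is the default TCP/IP listener.
SQL_PORT_ROLES = {
    139: "SMB named pipes (NetBIOS session)",
    445: "SMB named pipes (direct-hosted SMB)",
    1433: "SQL Server TCP/IP (default instance)",
}

# Matches the connection rows of Windows `netstat -n` (header rows are skipped).
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)", re.IGNORECASE
)

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto.upper(), lip, int(lport), rip, int(rport), state

def sql_paths(text, sql_server_ip):
    """Map each destination port used toward the SQL server to (role, count)."""
    seen = defaultdict(int)
    for proto, _, _, rip, rport, _ in parse_netstat(text):
        if proto == "TCP" and rip == sql_server_ip:
            seen[rport] += 1
    return {p: (SQL_PORT_ROLES.get(p, "other"), n) for p, n in seen.items()}

def can_close_445(text, sql_server_ip):
    """True when no SMB session (139 or 445) is open toward the SQL server."""
    return not any(p in sql_paths(text, sql_server_ip) for p in (139, 445))

# Constructed sample resembling `netstat -n` on the DMZ web server
# (192.0.2.10); the SQL server is 198.51.100.20, a file server is .40.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:3421        198.51.100.20:1433     ESTABLISHED
  TCP    192.0.2.10:3422        198.51.100.20:1433     ESTABLISHED
  TCP    192.0.2.10:3430        198.51.100.40:445      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.7:51234      ESTABLISHED
"""

if __name__ == "__main__":
    for port, (role, n) in sorted(sql_paths(SAMPLE, "198.51.100.20").items()):
        print(f"{port:>5}  {n} session(s)  {role}")
    print("445 needed for SQL:", not can_close_445(SAMPLE, "198.51.100.20"))
```

In the sample the SQL traffic is pure 1433, so 445 is not needed for the ODBC connection; the separate 445 session to the file server is exactly the kind of dependency a per-host ACL, rather than a blanket port rule, would surface before you close the port.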