Re: Internal Trusted Windows Users firewalled from Microsoft Servers



Hi Ash,

I usually advise my customers against such configurations and give them
alternatives if they really have a good reason for setting up their network in
such a way. Alternatives in this case would be SCW (Security Configuration
Wizard) and Domain Isolation with IPSec.

SCW is a designed and supported way to use Windows Firewall on servers such as
a domain controller. The wizard will check what is running on the server (what
services) and give you an option to disable some of them (the ones that are
not needed), leaving you with a server that is less exposed to the LAN. It will
also give you an option to block off some TCP and UDP ports -- again the
ones that might not be needed.
I believe you will get much better results with SCW in this case than with
CheckPoint. In my experience administrators run into a lot of problems when
they try to move DCs, Exchange and other services away from the clients'
network. They often end up with a rule on the firewall that would look
something like this:

From Everyone on LAN (e.g. subnet) to Anything in "Server DMZ" Allow
Everything.

Let me know if you need any more information on this.

--
Mike
Microsoft MVP - Windows Security

"Ash Wainwright" <AshWainwright@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55F55ECE-A8EC-493C-9339-9B31E067CC63@xxxxxxxxxxxxxxxx
I would like some advice. We have a Security Manager at our company who wants
to separate all user desktops in our organisation from Exchange and Active
Directory and all Microsoft services with a Checkpoint Firewall.

We would need to configure the NG60 Checkpoint firewall with a ruleset that
would allow the user desktop groups which are split into 8 Vlans to access
all Exchange ports including the RPC range as well as the Active Directory
services.

My question is this: do many organisations place firewalls between all their
trusted users and their Exchange, AD and Windows servers?

While I can see the added security aspects of the plan, the added
administration overhead seems problematic as well as the performance impact.
Particularly when we are talking about all our internal Microsoft services
and UNIX services.

Just to clarify, these are all internal trusted users accessing internal
systems; we are a company with under 1000 users.

This does not refer to DMZs which are firewalled from internal users.

Anyone's experience or references to articles or whitepapers would be much
appreciated.

Thanks

Ash

--
Ash
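The "allow everything from the LAN into the server zone" rule Mike warns about is easy to audit for. The script below is an added example, not code from either poster and not CheckPoint syntax: it models a ruleset as simple records and flags any allow rule from a client zone into the server zone whose service covers a wide port span, so the Exchange RPC dynamic range Ash mentions is caught as well as a literal "any". The zone names, the 1024-port threshold and the sample rules are constructed assumptions.

```python
"""Audit a simplified firewall ruleset for the 'allow everything' anti-pattern."""
from dataclasses import dataclass
from typing import List

CLIENT_ZONES = {"LAN", "Users-VLAN1", "Users-VLAN2"}  # constructed zone names
SERVER_ZONES = {"Server DMZ"}                         # constructed zone name
WIDE_RANGE_PORTS = 1024  # assumption: a service this wide is treated as "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str   # "any", "tcp/25", "tcp/1024-65535", ...
    action: str    # "allow" or "drop"


def port_span(service: str) -> int:
    """Number of ports a service string covers; 'any' counts as all 65536."""
    if service == "any":
        return 65536
    _, _, ports = service.partition("/")
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1


def is_overbroad(rule: Rule) -> bool:
    """True when a client zone may reach a server zone on (almost) any port."""
    return (rule.action == "allow"
            and rule.src in CLIENT_ZONES
            and rule.dst in SERVER_ZONES
            and port_span(rule.service) >= WIDE_RANGE_PORTS)


def audit(rules: List[Rule]) -> List[str]:
    """Return the names of rules that defeat the point of the segmentation."""
    return [r.name for r in rules if is_overbroad(r)]


# Constructed sample ruleset in the spirit of the thread.
SAMPLE_RULES = [
    Rule("smtp-to-exchange", "LAN", "Server DMZ", "tcp/25", "allow"),
    Rule("ldap-to-dc", "Users-VLAN1", "Server DMZ", "tcp/389", "allow"),
    Rule("rpc-dynamic", "Users-VLAN2", "Server DMZ", "tcp/1024-65535", "allow"),
    Rule("catch-all", "LAN", "Server DMZ", "any", "allow"),
    Rule("default-drop", "LAN", "Server DMZ", "any", "drop"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print("over-broad rule:", name)
```

Flagging the RPC dynamic range is the useful part: once it is open, the firewall between desktops and Exchange is doing very little, which is the situation Mike describes.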