Firewall Wizards mailing list archives

Re: Putting MS servers behind firewalls

From: Johann_van_Duyn () bat com
Date: Wed, 9 Jun 2004 10:32:04 +0200

Hmmm... IPSec won't help much against compromised internal hosts, if that 
is what the original post seeks to address.

How about putting an app proxy firewall (careful... possible latency 
issues here...) between the servers and the workstations, and set MS 
Exchange to communicate on specific ports (this can be done via registry 
settings, as I remember...) rather than promiscuously assigning RPC ports? 
Then you set the firewall to pass CIFS (or SMB, depending on what the 
specific firewall calls it...) traffic between the workstation network and 
the server network, and ditto for traffic on the ports you limit Exchange 
to using. The CIFS proxy will deal with File and Print as well as AD, 
while a custom protocol will deal with Exchange.

I have something similar (just Notes instead of Exchange) between our 
country office and head office, and it works very well (with a Symantec 
Gateway Security appliance with firewall (Symantec enterprise Firewall), 
IDS/IPS and AV switched on).

If you get a multi-function applicance with proxy firewall, IDS/IPS and AV 
scanning (for WWW, FTP and SMTP) enabled, you will be protecting your 
servers fairly well, if your configurations are anywhere near sane.

Caveat: some app proxy firewalls may need some tuning in order to prevent 
possible DoS due to the sheer volume of USP traffic that AD can generate.

A good idea may be to set up a mini-lab with 3 workstations and an 
Exchange/AD/Fileserver, and test a few configurations with demo versions 
of various firewalls and appliances... this should give you a feel for 
what can realistically be done.

Cheers

--------------------------------------------------------
J o h a n n   v a n   D u y n, CISSP
--------------------------------------------------------
"A human being should be able to change a diaper, 
 plan an invasion, butcher a hog, conn a ship, design a building,
 write a sonnet, balance accounts, build a wall, set a bone,
 comfort the dying, take orders, give orders, cooperate, act alone,
 solve equations, analyze a new problem, pitch manure, program a computer,
 cook a tasty meal, fight efficiently, die gallantly.

 Specialization is for insects." 

     -- Robert Heinlein






"Dan Harp" <danh () brenius net>
Sent by: firewall-wizards-admin () honor icsalabs com
08-06-2004 18:28

 
        To:     firewall-wizards () honor icsalabs com
        cc: 
        Subject:        Re: [fw-wiz] Putting MS servers behind firewalls


I would recommend using IPSec if you want to lock down communication 
between 
servers and workstations.

Have a look at this:

http://hfnetchk.shavlik.com/support/ipsec_scan.pdf

- Dan

<snip!>

Subject: [fw-wiz] Putting MS servers behind firewalls

Hi Wizards,

               I ran in to a problem putting Microsoft Servers behind a

firewall.

The 
users has to go through the FW to access the servers. The servers I 
wanted to put are on an AD domain. There were AD server, File server and 
an Exchange server. These servers need a large no. of services opened 
for proper operation. The worse is that exchange server work in a 
dynamic port setup where the server opens a random port for each 
different client. MS site has some registry edits that is supposed to 
correct this dynamic port setup issue. But when I tried these they did 
not work as per the document describes.

               Has anybody done this kind of a setup (with other than an

ISA

server). 
I am interested in doing this with Netscreen/Pix and Linux IPTables. Any 
help is appreciated.



Thanks in advance

Dilan



______________________________________________________________________
Confidentiality Notice: The information in this document and attachments is confidential and may also be legally 
privileged.  It is intended only for the use of the named recipient.  Internet communications are not secure and 
therefore British American Tobacco does not accept legal responsibility for the contents of this message.  If you are 
not the intended recipient, please notify us immediately and then delete this document.  Do not disclose the contents 
of this document to any other person, nor take any copies.  Violation of this notice may be unlawful.
______________________________________________________________________

Current thread:

Re: Putting MS servers behind firewalls, (continued)
- Re: Putting MS servers behind firewalls Dave Piscitello (Jun 08)
- RE: Putting MS servers behind firewalls Mark Gumennik (Jun 08)
  - RE: Putting MS servers behind firewalls Paul D. Robertson (Jun 08)
  - Re: Putting MS servers behind firewalls Dan Harp (Jun 08)
  - Message not available
    - Re: Putting MS servers behind firewalls Victor Williams (Jun 08)
- RE: Putting MS servers behind firewalls Michael H (Jun 07)
  - More infor - Re: Putting MS servers behind firewalls Dilan Walgampaya (Jun 08)
- Re: Putting MS servers behind firewalls firewalladmin (Jun 07)
- RE: Putting MS servers behind firewalls Melson, Paul (Jun 08)
- RE: Putting MS servers behind firewalls Kelly, Chris W. (Jun 08)
- Re: Putting MS servers behind firewalls Johann_van_Duyn (Jun 09)