  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 162

increase security for the firewall

I need advice on how to increase security for the firewall...
Right now all the ports are closed except two of them because the internet application needs to reach the database to update the information in the database.
If someone were to compromise the web server, they could easily get to all the databases located on the server which can be accessed from the internet in order for the code to update the databases.  I need to find a way to lock this down, and still have the application connect to the database.
Is there a way?  If not, is there a way to increase security?
Is there a way to hide which ports are open from hackers?
0
Gemini532
2 Solutions
 
masnrockCommented:
I supposed if they were on two different internal subnets that had traffic between them channel through the firewall... but even that won't solve what you're trying to do.

Any ports open would be visible by anyone who is within an arm's length of that server. One thing you could do is have the database server drop any ICMP traffic via something like a software firewall. That would prevent things like pings. Maybe you should look at better securing each server... for example, using IISLockdown on the web server (assuming it runs Windows and IIS on it).

However, anything that's left open to the world will always have a shot at being exploited... hence why you try to open up as little as possible. And you'll also want to make sure anything that doesn't need to be accessed by the outside is behind as much protection as possible.
0
 
masnrockCommented:
You can always look into hardening the OS on the servers... you want to make it as hard as possible for people to exploit the servers in the first place. Nothing is 100% secure though. Getting rid of unneeded parts of the OS, things like that.

http://www.infosec.csusb.edu/info/practices/os-hardening/
http://www.cisecurity.org/
0
 
IPKON_NetworksCommented:
One question. Are your users trusted or not? (ie, your staff or just joe public). If trusted then use hard token authentication and encryption to keep anyone else out at the entry point. This removes the need for too much inside protection.

The obvious but 'expensive' way is to create a DMZ that has a web server (or a top tier presentation layer server) which has the access. Then database calls could be controlled through the firewall to only allow traffic to hit the database server from the DMZ server, not the outside.
Then, you would be able to limit the access to the database server, thus adding another layer that would need to be breached.

Next, add in a service account that cannot be seen within AD and use this to access the Database server. Assign it specific roles within the database to only do what it needs. If someone were to gain control of the DMZ server, they would then need to break the userid/password for the inside database server. Console access to the DMZ server would not be enough to get through the firewall or onto the database server.

Use SSL for your internet application thus allowing you to reduce access to only come in via 443. Then, change the SSL port to something obscure (eg 43215) and check it does not conflict with some other common application just in case.

All you are doing is reducing the chance of an opportunist hacker. If someone is determined, and has your external IP address, they will certainly do enough damage for it to be felt. How much is up to you I guess.


Hope this helps
Barny
0
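To make the DMZ design in the answer above concrete, here is an added example (not posted by anyone in this thread) that models the firewall policy as a first-match rule list and checks what each segment can reach. The addresses, the database port (1433) and the rule set are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed address plan for the three-tier layout described in the answer.
INTERNET = ip_network("0.0.0.0/0")      # anything, including the DMZ itself
DMZ_WEB = ip_network("192.0.2.10/32")   # the web / presentation-tier host in the DMZ
INTERNAL = ip_network("10.0.0.0/24")    # inside segment holding the database server
DB_HOST = ip_network("10.0.0.20/32")
DB_PORT = 1433                          # assumed database listener port


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None = any port (and for icmp)
    action: str            # "allow" or "deny"


# First match wins, exactly like a typical firewall rule base:
#  1. the world may reach the DMZ web server on 443 only,
#  2. only that one DMZ host may reach the database, on its one port,
#  3. ICMP to the database is dropped so it does not answer pings,
#  4. everything else aimed at the inside segment is denied.
RULES = [
    Rule(INTERNET, DMZ_WEB, "tcp", 443, "allow"),
    Rule(DMZ_WEB, DB_HOST, "tcp", DB_PORT, "allow"),
    Rule(INTERNET, DB_HOST, "icmp", None, "deny"),
    Rule(INTERNET, INTERNAL, "any", None, "deny"),
]


def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Return the action of the first rule matching the flow, default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and r.proto in ("any", proto) \
                and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


if __name__ == "__main__":
    # A compromised DMZ web server still only reaches the database listener,
    # not RDP/SSH on the database host or any other inside machine.
    for flow in [("198.51.100.7", "192.0.2.10", "tcp", 443),
                 ("198.51.100.7", "10.0.0.20", "tcp", DB_PORT),
                 ("192.0.2.10", "10.0.0.20", "tcp", DB_PORT),
                 ("192.0.2.10", "10.0.0.20", "tcp", 3389)]:
        print(flow, "->", evaluate(*flow))
```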
