increase security for the firewall

Posted on 2006-03-28
Last Modified: 2013-11-16
I need advice on how to increase security for the firewall...
Right now all the ports are closed except two of them because the internet application needs to reach the database to update the information in the database.
If someone were to compromise the web server, they could easily get to all the databases located on the server which can be accessed from the internet in order for the code to update the databases.  I need to find a way to lock this down, and still have the application connect to the database.
Is there a way?  If not, is there a way to increase security?
Is there a way to hide which ports are open from hackers?
Question by:Gemini532
    LVL 18

    Expert Comment

    I suppose if they were on two different internal subnets that had traffic between them channelled through the firewall... but even that won't solve what you're trying to do.

    Any ports open would be visible by anyone who is within an arm's length of that server. One thing you could do is have the database server drop any ICMP traffic via something like a software firewall. That would prevent things like pings. Maybe you should look at better securing each server... for example, using IISLockdown on the web server (assuming it runs Windows and IIS on it).

    However, anything that's left open to the world will always have a shot at being exploited... hence why you try to open up as little as possible. And you'll also want to make sure anything that doesn't need to be accessed by the outside is behind as much protection as possible.
    LVL 18

    Assisted Solution

    You can always look into hardening the OS on the servers... you want to make it as hard as possible for people to exploit the servers in the first place. Nothing is 100% secure though. Getting rid of unneeded parts of the OS, things like that.
    LVL 9

    Accepted Solution

    One question. Are your users trusted or not? (i.e., your staff or just Joe Public). If trusted then use hard token authentication and encryption to keep anyone else out at the entry point. This removes the need for too much inside protection.

    The obvious but 'expensive' way is to create a DMZ that has a web server (or a top tier presentation layer server) which has the access. Then database calls could be controlled through the firewall to only allow traffic to hit the database server from the DMZ server, not the outside.
    Then, you would be able to limit the access to the database server, thus adding another layer that would need to be breached.

    Next, add in a service account that cannot be seen within AD and use this to access the database server. Assign it specific roles within the database to only do what it needs. If someone were to gain control of the DMZ server, they would then need to break the userid/password for the inside database server. Console access to the DMZ server would not be enough to get through the firewall or onto the database server.

    Use SSL for your internet application, thus allowing you to reduce access to only come in via 443. Then, change the SSL port to something obscure (e.g. 43215) and check it does not conflict with some other common application just in case.

    All you are doing is reducing the chance of an opportunist hacker. If someone is determined, and has your external IP address, they will certainly do enough damage for it to be felt. How much is up to you I guess.

    Hope this helps
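The DMZ design in the accepted solution, written out as a perimeter firewall ruleset. This is an added example, not configuration from the thread or from any product named in it; it assumes an nftables-based firewall with interfaces named wan, dmz and lan, a DMZ web server at 192.0.2.10, an internal database server at 10.0.0.20, and the database listening on TCP 1433 (all of these are constructed placeholders).

```nftables
# Added example: perimeter firewall forward chain for the two-tier layout
# described in the accepted solution. Addresses, interface names and the
# database port are assumptions, not values from the original thread.

table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Weak setting the question describes (shown disabled): the database
        # port reachable straight from the Internet so the application works.
        # iifname "wan" ip daddr 10.0.0.20 tcp dport 1433 accept

        # Let return traffic for connections permitted below flow back.
        ct state established,related accept

        # Internet -> DMZ web server: HTTPS only, nothing else inbound.
        iifname "wan" oifname "dmz" ip daddr 192.0.2.10 \
            tcp dport 443 ct state new accept

        # DMZ web server -> database server: only from that one host, only to
        # the database port. The Internet never has a path to the LAN.
        iifname "dmz" oifname "lan" ip saddr 192.0.2.10 ip daddr 10.0.0.20 \
            tcp dport 1433 ct state new accept

        # Anything else aimed at the database server is dropped and logged, so
        # probing from a compromised DMZ host shows up in the firewall log.
        oifname "lan" ip daddr 10.0.0.20 ct state new \
            log prefix "db-denied: " drop
    }
}
```

Pair this with the low-privilege database service account the answer describes: even with this ruleset, the DMZ host still holds whatever rights that account has on the database.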
