Link to home
Start Free TrialLog in
Avatar of InvisibleTerror
InvisibleTerror

asked on

2003 Server with an interface on the internet

In a couple places I have run across Windows Servers sitting directly on the internet with routable IPs on 1 interface and internal Ips on another.   The person that has done this says that it is perfectly fine and safe.  I have a hard time beleiving that to be true, what would be the point of firewalls if that was the case.

So my question is, is that really a good idea and if not why?
Avatar of gidds99
gidds99
Flag of United Kingdom of Great Britain and Northern Ireland image

Firewalls provide additional security and can provide valuable defence where a Windows Server is not adequately secured (or as an additional layer of network security for Internet facing Windows Servers).
if by 'directly' you mean there is no router/firewall between the internet and the server, then you are correct that the setup isn't secure at all.  nothing you do on the server to 'protect' it really does much good since the 'offender' has already hit the server.  that is what the firewall/router needs to prevent.

Avatar of InvisibleTerror
InvisibleTerror

ASKER

Yes that is exactly what I mean.
Agreeing with mikeleebrla ... if indeed the second interface is a direct connect to a router without ACLs and/or firewall in place, this is just as bad a the primary NIC connected to a router with a public IP.  Does the gateway IP route to the "unsecure" NIC? One would assume so or else it would be useless for internet traffic.  Go here and run SheildsUP from the server to check open ports, etc, then show the person:
www.grc.com
FS-
what you describe above sounds like a proxy/load balancing type environment. If properly secured with firewalls and intrusion detection (internal and external for both), then it is safe to use that method. Using a proxy method to hide your internal network schema is typically a recommended practice as it makes it harder for an external hacker to gain access to the servers as they need to compromise both the external proxy (the hardware with the external IP address) along with the internal machine. Firewalls place more of a difficulty level on that as they would also have to compromise the firewalls.
ASKER CERTIFIED SOLUTION
Avatar of CharliePete00
CharliePete00

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial