kennethfine
High level: configuring a hardware firewall for a Windows DC/AD/DNS?

I have configured software firewalls on servers in the past, so I am not a complete newb on these issues.

I will shortly have a fancy hardware firewall/security product coming my way.
http://www.buy.com/prod/netgear-prosafe-dual-wan-gigabit-vpn-firewall-4-x-10-100-1000base-t/q/loc/101/205877562.html
Since I have more servers than this thing has ports, I also have a fancy gigabit switch coming my way:
http://www.netgear.com/Products/Switches/SmartSwitches/GS724T.aspx

I have set up DNS, several domain controllers, and SQL Server databases. My plan is to have the DCs "behind" the firewall and several IIS servers serving traffic. It would be nice if I can set up VPN so that remote users could access the file store.

I need to know at a high level what I should be doing to configure
a) the firewall for the DCs
b) the firewall for the DNS now and later (the DNS currently is improperly combined with the DCs)
c) the IIS boxes.

If there are "gotchas" to watch out for please advise. If there are best practices or resources please advise. Our staff is extremely limited (me) and our budget is somewhat limited, so what we need to do needs to live in our real world vs. what I might ideally do with $30,000 more to spend.

Keep in mind that I am familiar with the concepts of port blocking. Not familiar at all with "port forwarding" "tunnelling" and other things that will probably have to happen to make this all work. If you can define the basic concepts along the way I would very much appreciate it.

Thanks so much for your high-level guidance on how this should all fit.
Don S.

Nothing to do for the DCs and DNSs as long as they are all on the inside (LAN side) of the ProSafe firewall. Your ProSafe will only allow you to publish one server per port to the outside world, so if you have multiple IIS servers that you want the internet to see, the ProSafe is not going to do it for you.
kennethfine (asker)

Thanks much. Would it be a rational approach to put the IIS boxes on the outside and protect them via software firewall, and figure out some mechanism for them to communicate as necessary with server resources on the LAN side?

What are my options? Seems one choice might be an el-cheapo firewall for each of the IIS boxes.

You're saying no configuration is going to be required for the servers behind the firewalls? How are DNS requests going to get routed to the DNS servers? What is the "traffic flow", again? I think I understand this, but I want to confirm.

We have a web setup a lot like what you are doing (only a bit larger) here's how I did it.

Everything is behind the outside firewalls; they plug into a switch, and the web servers also plug into that switch. I have a second set of firewalls that connect to that switch, and all other servers sit behind those firewalls. So it's a two-firewall solution.

A few notes:

This can be done with access lists and VLANs with one firewall if you want to control access from the web servers to AD/SQL/file servers/backup servers, whatever.

A really important note here is that once you open ports for AD, SQL, file servers, backup servers, etc. from your front-end web servers into your "secure" back end, you might as well not have a firewall there at all.

Some other network admins will just put everything behind one firewall and really make sure everything is locked down, and that's good enough. In your case, that might be a good way to start.
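The three-zone layout described above (internet, web servers in a DMZ, DCs/DNS/SQL on the LAN), written out as an nftables ruleset so the terms come through concretely: the per-host, per-port `accept` lines are the "access list", the `dnat` rule is "port forwarding", and everything not listed is dropped. This is an added example, not anything posted in the thread or a Netgear ProSafe configuration; the interface names, addresses and host roles are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Interfaces and addresses are constructed placeholders.
flush ruleset

define wan = "eth0"          # internet-facing interface
define dmz = "eth1"          # web servers (IIS) live here
define lan = "eth2"          # DCs, internal DNS, SQL, file servers
define web1 = 192.0.2.10     # published web server (RFC 5737 doc range)
define dns1 = 10.0.0.10      # internal DNS server
define sql1 = 10.0.0.20      # SQL Server the web app needs

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;  # default deny between zones
        ct state established,related accept                # return traffic for allowed flows
        ct state invalid drop

        # Internet -> DMZ: only the published web ports, only to the published host
        iifname $wan oifname $dmz ip daddr $web1 tcp dport { 80, 443 } accept

        # DMZ -> LAN: the minimum the web tier needs, to named hosts only.
        # No AD/SMB/RPC here: once those are open the back end is not protected.
        iifname $dmz oifname $lan ip daddr $dns1 udp dport 53 accept
        iifname $dmz oifname $lan ip daddr $sql1 tcp dport 1433 accept

        # LAN -> DMZ and LAN -> internet: admins and users reaching out
        iifname $lan oifname $dmz accept
        iifname $lan oifname $wan accept

        # DMZ -> internet: outbound updates only
        iifname $dmz oifname $wan tcp dport { 80, 443 } accept

        log prefix "fw-drop " drop   # log what the default deny catches
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forwarding: traffic arriving on the WAN for 80/443 is rewritten to web1
        iifname $wan tcp dport { 80, 443 } dnat to $web1
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan masquerade        # hide DMZ/LAN addresses behind the WAN address
    }
}
```

DNS traffic from the DMZ is answered by the internal DNS server over the one allowed rule; nothing on the LAN is reachable from the internet, which is the point Don S. makes above.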
Thanks much, cblake. Anything is going to be a vast improvement over what we've had to date.

I am assuming here that the IIS servers make DNS-related requests to the DNS servers, and because they're on the same LAN everything works fine. Is that correct? Is there any other source of DNS-related traffic? I am still a little sketchy on how DNS servers that are behind firewalls mediate DNS requests. If this is a big topic maybe I should open a new EE question.

I assume an access list is a machine-specific entry to the firewall allowing access?

I assume a VLAN is a virtual LAN that allows LAN-esque connections between servers that might not actually be on the same subnet/in the same LAN? Is that correct?
ASKER CERTIFIED SOLUTION
cblakeJT