Solved

High level: configuring a hardware firewall for a Windows DC/AD/DNS?

Posted on 2008-06-24
5
329 Views
Last Modified: 2012-06-27
I have configured software firewalls on servers in the past, so I am not a complete newb on these issues.

I will shortly have a fancy hardware firewall/security product coming my way.
http://www.buy.com/prod/netgear-prosafe-dual-wan-gigabit-vpn-firewall-4-x-10-100-1000base-t/q/loc/101/205877562.html
Since I have more servers than this thing has ports, I also have a fancy gigabit switch coming my way:
http://www.netgear.com/Products/Switches/SmartSwitches/GS724T.aspx

I have set up DNS, several domain controllers, and SQL Server databases. My plan is to have the DCs "behind" the firewall and several IIS servers serving traffic. It would be nice if I can set up VPN so that remote users could access the file store.

I need to know at a high level what I should be doing to configure
a) the firewall for the DCs
b) the firewall for the DNS now and later (the DNS currently is improperly combined with the DCs)
c) the IIS boxes.

If there are "gotchas" to watch out for please advise. If there are best practices or resources please advise. Our staff is extremely limited (me) and our budget is somewhat limited, so what we need to do needs to live in our real world vs. what I might ideally do with $30,000 more to spend.

Keep in mind that I am familiar with the concepts of port blocking. Not familiar at all with "port forwarding" "tunnelling" and other things that will probably have to happen to make this all work. If you can define the basic concepts along the way I would very much appreciate it.

Thanks so much for your high-level guidance on how this should all fit.
Question by:kennethfine
5 Comments
 
LVL 18

Expert Comment

by:Don S.
ID: 21861741
Nothing to do for the DCs and DNSs as long as they are all on the inside (LAN side) of the ProSafe firewall. Your ProSafe will only allow you to publish one server per port to the outside world, so if you have multiple IIS servers that you want the internet to see, the ProSafe is not going to do it for you.
 
LVL 6

Author Comment

by:kennethfine
ID: 21862123
Thanks much. Would it be a rational approach to put the IIS boxes on the outside and protect them via software firewall, and figure out some mechanism for them to communicate as necessary with server resources on the LAN side?

What are my options? Seems one choice might be an el-cheapo firewall for each of the IIS boxes.

You're saying no configuration is going to be required for the servers behind the firewalls? How are DNS requests going to get routed to the DNS servers? What is the "traffic flow", again? I think I understand this but I want to confirm.
 
LVL 1

Expert Comment

by:cblakeJT
ID: 21862613
We have a web setup a lot like what you are doing (only a bit larger); here's how I did it.

Everything is behind the outside firewalls. They plug into a switch, and the web servers also plug into that switch. I have a second set of firewalls that connect to the switch, and all other servers sit behind those firewalls. So it's a two-firewall solution.

A few notes:

This can be done with access lists and VLANs with one firewall if you want to control access from the web servers to AD/SQL/file servers/backup servers, whatever.

A really important note here is that once you open ports for AD, SQL, file servers, backup servers, etc. from your front-end web servers into your "secure" back end, you might as well not have a firewall there at all.

Some other network admins will just put everything behind one firewall and really make sure everything is locked down, and that's good enough. In your case, that might be a good way to start.
 
LVL 6

Author Comment

by:kennethfine
ID: 21862761
Thanks much, cblake. Anything is going to be a vast improvement over what we've had to date.

I am assuming here that the IIS servers make DNS-related requests to the DNS servers, and because they're on the same LAN everything works fine. Is that correct? Is there any other source of DNS-related traffic? I am still a little sketchy on how DNS servers that are behind firewalls mediate DNS requests. If this is a big topic maybe I should open a new EE question.

I assume an access list is a machine-specific entry to the firewall allowing access?

I assume a VLAN is a virtual LAN that allows LAN-esque connections between servers that might not actually be on the same subnet/in the same LAN? Is that correct?
 
LVL 1

Accepted Solution

by: cblakeJT (earned 500 total points)
ID: 21862992
Just about everything you want to do can be solved via access lists and NAT.

1) Let's say you have a public IP for website 1. You have an access list to allow HTTP and HTTPS traffic in to that IP. You can then have a NAT rule that says HTTP and HTTPS traffic to that public IP forwards to THIS internal IP.

2) You can do the above for anything you want: web, DNS, mail, etc. It's best to limit the number of outside ports you allow in, for security.

This will give you a good basic security setup.

To go more into it, some people have internal DNS, so that workstations, other servers, etc. can access resources within the secured network, and a public DNS server that takes care of things like "www.mywebsite.com maps to this IP". There are many firms that offer DNS hosting, and that can make life really easy as well.
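The following is an added example, not code from this thread or any Netgear product: a small Python model of the access-list-plus-NAT policy in the accepted solution, which also reproduces cblakeJT's earlier caveat about opening ports from the web tier into the back end. All addresses (a public IP in the 203.0.113.0/24 documentation range, IIS on 192.168.10.x, DC/DNS on 192.168.20.x) and the zone names "wan", "dmz", "lan" are constructed assumptions. As real firewalls do, destination NAT runs before the access list, so the list is evaluated against the translated (inside) destination.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the example (documentation / private ranges),
# not the asker's real network.
PUBLIC_WEB_IP = "203.0.113.10"   # public IP published for the web site
IIS_INTERNAL = "192.168.10.20"   # IIS box on the "dmz" segment
DC_INTERNAL = "192.168.20.5"     # DC + internal DNS on the "lan" segment


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class AclRule:
    src_zone: str
    dst_zone: str
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

    def matches(self, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


# NAT (port-forward) entry: (public ip, proto, port, internal ip)
NatRule = Tuple[str, str, int, str]


def zone_of(ip: str) -> str:
    """Map an address to the firewall zone of the interface it sits on."""
    if ip.startswith("192.168.10."):
        return "dmz"
    if ip.startswith("192.168.20."):
        return "lan"
    return "wan"


def apply_nat(pkt: Packet, nat: List[NatRule]) -> Packet:
    """Destination NAT: rewrite a published public IP:port to the inside host."""
    for public_ip, proto, dport, internal_ip in nat:
        if pkt.dst == public_ip and pkt.proto == proto and pkt.dport == dport:
            return replace(pkt, dst=internal_ip)
    return pkt


def evaluate(pkt: Packet, acl: List[AclRule]) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule in acl:
        if rule.matches(pkt, src_zone, dst_zone):
            return rule.action
    return "deny"


def decide(pkt: Packet, nat: List[NatRule], acl: List[AclRule]) -> Tuple[str, Packet]:
    """NAT first, then the access list, as a real firewall orders them."""
    translated = apply_nat(pkt, nat)
    return evaluate(translated, acl), translated


NAT_TABLE: List[NatRule] = [
    (PUBLIC_WEB_IP, "tcp", 80, IIS_INTERNAL),
    (PUBLIC_WEB_IP, "tcp", 443, IIS_INTERNAL),
]

# Minimal policy: the internet reaches the IIS box on web ports only, the IIS
# box may query internal DNS, and nothing else crosses between zones.
BASE_ACL: List[AclRule] = [
    AclRule("wan", "dmz", "tcp", 80, "allow"),
    AclRule("wan", "dmz", "tcp", 443, "allow"),
    AclRule("dmz", "lan", "udp", 53, "allow"),
    AclRule("lan", "dmz", None, None, "allow"),   # admins manage the web tier
]

# The shortcut cblakeJT warns about: a blanket "dmz -> lan any" rule.
OPEN_BACKEND_ACL: List[AclRule] = BASE_ACL + [AclRule("dmz", "lan", None, None, "allow")]

# Constructed sample traffic.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "internet -> website https": Packet("198.51.100.7", PUBLIC_WEB_IP, "tcp", 443),
    "internet -> website rdp": Packet("198.51.100.7", PUBLIC_WEB_IP, "tcp", 3389),
    "iis -> internal dns": Packet(IIS_INTERNAL, DC_INTERNAL, "udp", 53),
    "iis -> DC smb": Packet(IIS_INTERNAL, DC_INTERNAL, "tcp", 445),
}


def run_samples(acl: List[AclRule]) -> Dict[str, Tuple[str, str]]:
    """Return {description: (action, destination after NAT)} for every sample."""
    results = {}
    for name, pkt in SAMPLE_PACKETS.items():
        action, translated = decide(pkt, NAT_TABLE, acl)
        results[name] = (action, translated.dst)
    return results


if __name__ == "__main__":
    for label, acl in (("minimal policy", BASE_ACL), ("blanket dmz->lan rule", OPEN_BACKEND_ACL)):
        print(f"--- {label} ---")
        for name, (action, dst) in run_samples(acl).items():
            print(f"{name:28s} {action:5s} (to {dst})")
```

Under the minimal policy the HTTPS request is translated to the IIS box and allowed, the RDP attempt on the same public IP matches no NAT entry and falls through to default deny, and the IIS box can reach internal DNS but not SMB on the DC. Adding the blanket rule flips the SMB case to "allow", which is the point of the warning: every port the web tier may open toward the back end is a path a compromised web server inherits.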
