Solved

High level: configuring a hardware firewall for a Windows DC/AD/DNS?

Posted on 2008-06-24
5
324 Views
Last Modified: 2012-06-27
I have configured software firewalls on servers in the past, so I am not a complete newb on these issues.

I will shortly have a fancy hardware firewall/security product coming my way.
http://www.buy.com/prod/netgear-prosafe-dual-wan-gigabit-vpn-firewall-4-x-10-100-1000base-t/q/loc/101/205877562.html
Since I have more servers than this thing has ports, I also have a fancy gigabit switch coming my way:
http://www.netgear.com/Products/Switches/SmartSwitches/GS724T.aspx

I have set up DNS, several domain controllers, and SQL Server databases. My plan is to have the DCs "behind" the firewall and several IIS servers serving traffic. It would be nice if I can set up VPN so that remote users could access the file store.

I need to know at a high level what I should be doing to configure
a) the firewall for the DCs
b) the firewall for the DNS now and later (the DNS currently is improperly combined with the DCs)
c) the IIS boxes.

If there are "gotchas" to watch out for please advise. If there are best practices or resources please advise. Our staff is extremely limited (me) and our budget is somewhat limited, so what we need to do needs to live in our real world vs. what I might ideally do with $30,000 more to spend.

Keep in mind that I am familiar with the concepts of port blocking. Not familiar at all with "port forwarding" "tunnelling" and other things that will probably have to happen to make this all work. If you can define the basic concepts along the way I would very much appreciate it.

Thanks so much for your high-level guidance on how this should all fit.
0
Question by:kennethfine
5 Comments
 
LVL 18

Expert Comment

by:Don S.
ID: 21861741
Nothing to do for the DCs and DNSs as long as they are all on the inside (LAN side) of the ProSafe firewall. Your ProSafe will only allow you to publish one server per port to the outside world, so if you have multiple IIS servers that you want the internet to see, the ProSafe is not going to do it for you.
0
 
LVL 6

Author Comment

by:kennethfine
ID: 21862123
Thanks much. Would it be a rational approach to put the IIS boxes on the outside and protect them via software firewall, and figure out some mechanism for them to communicate as necessary with server resources on the LAN side?

What are my options? Seems one choice might be an el-cheapo firewall for each of the IIS boxes.

You're saying no configuration is going to be required for the servers behind the firewalls? How are DNS requests going to get routed to the DNS servers? What is the "traffic flow", again? I think I understand this, but I want to confirm.

0
 
LVL 1

Expert Comment

by:cblakeJT
ID: 21862613
We have a web setup a lot like what you are doing (only a bit larger); here's how I did it.

Everything is behind the outside firewalls; they plug into a switch, and the web servers also plug into that switch. I have a second set of firewalls that connect to that switch, and all other servers sit behind those firewalls. So it's a two-firewall solution.

A few notes:

This can be done with access lists and VLANs with one firewall if you want to control access from the web servers to AD/SQL/file servers/backup servers, whatever.

A really important note here is that once you open ports for AD, SQL, file servers, backup servers, etc. from your front-end web servers into your "secure" back end, you might as well not have a firewall there at all.

Some other network admins will just put everything behind one firewall and really make sure everything is locked down, and that's good enough. In your case, that might be a good way to start.
0
 
LVL 6

Author Comment

by:kennethfine
ID: 21862761
Thanks much, cblake. Anything is going to be a vast improvement over what we've had to date.

I am assuming here that the IIS servers make DNS-related requests to the DNS servers, and because they're on the same LAN everything works fine. Is that correct? Is there any other source of DNS-related traffic? I am still a little sketchy on how DNS servers that are behind firewalls mediate DNS requests. If this is a big topic maybe I should open a new EE question.

I assume an access list is a machine-specific entry in the firewall allowing access?

I assume a VLAN is a virtual LAN that allows LAN-esque connections between servers that might not actually be on the same subnet/in the same LAN? Is that correct?
0
 
LVL 1

Accepted Solution

by: cblakeJT earned 500 total points
ID: 21862992
Just about everything you want to do can be solved via access lists and NAT.

1) Let's say you have a public IP for website 1; you have an access list to allow HTTP and HTTPS traffic in from that IP. You can then have a NAT rule that says HTTP and HTTPS traffic from that public IP forwards to THIS internal IP.

2) You can do the above for anything you want: web, DNS, mail, etc. It's best to limit the number of outside ports you allow in for security.

This will give you a good basic security setup.

To go more into it, some people have internal DNS, so that workstations, other servers, etc. can access resources within the secured network, and a public DNS server that takes care of things like mapping www.mywebsite.com to this IP. There are many firms that offer DNS hosting, and that can make life really easy as well.
0
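Port forwarding is the NAT step described in the accepted solution: a packet that arrives at a public IP and port and passes the access list has its destination rewritten to an inside host, and everything else is dropped. The block below is an added example, not code from this thread or from the Netgear product, that models that check order and cblakeJT's caveat about opening AD/SQL ports from the web tier; the addresses and the `Packet`, `process_inbound` and `audit_dmz_rules` names are constructed for illustration.

```python
# Added example (not the thread's or the ProSafe's code): a small model of
# "access list + NAT" and a check for the two-tier caveat in the thread.
# All addresses are constructed documentation values
# (203.0.113.x public, 10.0.1.x web tier / DMZ, 10.0.0.x back-end LAN).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str      # public address the packet arrived on
    proto: str    # "tcp" or "udp"
    dport: int

# Access list: inbound (public IP, proto, port) flows the firewall permits.
# Anything not listed is dropped, which is the "limit outside ports" advice.
ACCESS_LIST = {
    ("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 443),   # website 1
    ("203.0.113.11", "udp", 53), ("203.0.113.11", "tcp", 53),    # public DNS
}

# NAT / port-forwarding table: public (IP, port) -> internal (IP, port).
NAT_TABLE = {
    ("203.0.113.10", 80): ("10.0.1.20", 80),    # IIS box in the web tier
    ("203.0.113.10", 443): ("10.0.1.20", 443),
    ("203.0.113.11", 53): ("10.0.1.53", 53),    # public-facing DNS
}

def process_inbound(pkt: Packet):
    """Return ("forward", (internal_ip, port)) or ("drop", reason).
    The access list is evaluated first; only permitted flows are translated."""
    if (pkt.dst, pkt.proto, pkt.dport) not in ACCESS_LIST:
        return ("drop", "not permitted by access list")
    target = NAT_TABLE.get((pkt.dst, pkt.dport))
    if target is None:
        return ("drop", "permitted but no NAT rule")
    return ("forward", target)

# Ports that, once opened from the web tier into the back end, make the inner
# firewall largely pointless (AD/Kerberos/LDAP/SMB, SQL Server).
BACKEND_PORTS = {88: "Kerberos", 389: "LDAP", 445: "SMB", 1433: "SQL Server"}

def audit_dmz_rules(rules):
    """rules: iterable of (src_web_ip, dst_lan_ip, proto, port) allowed web->LAN.
    Returns human-readable warnings for rules that expose back-end services."""
    warnings = []
    for src, dst, proto, port in rules:
        if port in BACKEND_PORTS:
            warnings.append(f"{src} -> {dst} {proto}/{port} ({BACKEND_PORTS[port]})"
                            " exposes the back end to a compromised web server")
    return warnings
```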
