Solved

lock user vlan down from accessing server vlan

Posted on 2010-09-02
6
278 Views
Last Modified: 2012-05-10
What is the best way of going about this and is it necessary? I have a user vlan that right now has complete access to the server vlan and I'm wondering if I should lock this down some so they can't do certain things. What ports would you recommend locking the users from accessing on the server vlan?
0
Comment
Question by:justin0104
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
Saineolai earned 500 total points
ID: 33591952
I would reverse the question... what ports do the users need to access on the server vlan.  If you can define this list of ports than you can configure an accesslist to implement it.
0
 

Author Comment

by:justin0104
ID: 33591971
Well we have exchange, AD authentication, SQL, web sites 80 and 443. Would it be best to allow all known good ports 0-1024 and block all other ports above that? I do however want to block rdp and icmp so I know how to do that but do you see any problems with the 0-1024 allow and then everything above that block?
0
 
LVL 8

Assisted Solution

by:Saineolai
Saineolai earned 500 total points
ID: 33592171
See this link for sql ports

http://support.microsoft.com/kb/287932

You would need to get the list of ports for Exchange and AD also.  Do you have printing, and file sharing too?

"Ports 0-1024" are not necessarily "good ports" they are more commonly know as well known ports i.e.  Many of the attacks on windows machines from virus and malware infections come on ports such as TCP 445.

What do you see as the risks that you are trying to defend against by blocking these ports, i.e., malware infections, malicious users etc?
0
 

Author Comment

by:justin0104
ID: 33592191
Alright I'll just look up ports then. You are correct with the malware, viruses and so forth question. This is just a general security policy I am trying to enforce. Right now we do have a server vlan and a user vlan and I realize that they are do separate broadcast domains but just in case I want to have my bases covered.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34459592
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses
Course of the Month7 days, 10 hours left to enroll

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question