Solved

lock user vlan down from accessing server vlan

Posted on 2010-09-02
6
268 Views
Last Modified: 2012-05-10
What is the best way of going about this and is it necessary? I have a user vlan that right now has complete access to the server vlan and I'm wondering if I should lock this down some so they can't do certain things. What ports would you recommend locking the users from accessing on the server vlan?
0
Comment
Question by:justin0104
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
Saineolai earned 500 total points
ID: 33591952
I would reverse the question... what ports do the users need to access on the server vlan.  If you can define this list of ports than you can configure an accesslist to implement it.
0
 

Author Comment

by:justin0104
ID: 33591971
Well we have exchange, AD authentication, SQL, web sites 80 and 443. Would it be best to allow all known good ports 0-1024 and block all other ports above that? I do however want to block rdp and icmp so I know how to do that but do you see any problems with the 0-1024 allow and then everything above that block?
0
 
LVL 8

Assisted Solution

by:Saineolai
Saineolai earned 500 total points
ID: 33592171
See this link for sql ports

http://support.microsoft.com/kb/287932

You would need to get the list of ports for Exchange and AD also.  Do you have printing, and file sharing too?

"Ports 0-1024" are not necessarily "good ports" they are more commonly know as well known ports i.e.  Many of the attacks on windows machines from virus and malware infections come on ports such as TCP 445.

What do you see as the risks that you are trying to defend against by blocking these ports, i.e., malware infections, malicious users etc?
0
 

Author Comment

by:justin0104
ID: 33592191
Alright I'll just look up ports then. You are correct with the malware, viruses and so forth question. This is just a general security policy I am trying to enforce. Right now we do have a server vlan and a user vlan and I realize that they are do separate broadcast domains but just in case I want to have my bases covered.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34459592
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now