Solved

lock user vlan down from accessing server vlan

Posted on 2010-09-02
6
276 Views
Last Modified: 2012-05-10
What is the best way of going about this and is it necessary? I have a user vlan that right now has complete access to the server vlan and I'm wondering if I should lock this down some so they can't do certain things. What ports would you recommend locking the users from accessing on the server vlan?
0
Comment
Question by:justin0104
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
Saineolai earned 500 total points
ID: 33591952
I would reverse the question... what ports do the users need to access on the server vlan.  If you can define this list of ports than you can configure an accesslist to implement it.
0
 

Author Comment

by:justin0104
ID: 33591971
Well we have exchange, AD authentication, SQL, web sites 80 and 443. Would it be best to allow all known good ports 0-1024 and block all other ports above that? I do however want to block rdp and icmp so I know how to do that but do you see any problems with the 0-1024 allow and then everything above that block?
0
 
LVL 8

Assisted Solution

by:Saineolai
Saineolai earned 500 total points
ID: 33592171
See this link for sql ports

http://support.microsoft.com/kb/287932

You would need to get the list of ports for Exchange and AD also.  Do you have printing, and file sharing too?

"Ports 0-1024" are not necessarily "good ports" they are more commonly know as well known ports i.e.  Many of the attacks on windows machines from virus and malware infections come on ports such as TCP 445.

What do you see as the risks that you are trying to defend against by blocking these ports, i.e., malware infections, malicious users etc?
0
 

Author Comment

by:justin0104
ID: 33592191
Alright I'll just look up ports then. You are correct with the malware, viruses and so forth question. This is just a general security policy I am trying to enforce. Right now we do have a server vlan and a user vlan and I realize that they are do separate broadcast domains but just in case I want to have my bases covered.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34459592
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco USB console Windows 8.1 unable to open serial port 4 77
Cisco Phone implementation supported backups 1 36
Cisco RV042G 4 16
Show IP BGP Information 10 43
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question