Solved

lock user vlan down from accessing server vlan

Posted on 2010-09-02
6
277 Views
Last Modified: 2012-05-10
What is the best way of going about this and is it necessary? I have a user vlan that right now has complete access to the server vlan and I'm wondering if I should lock this down some so they can't do certain things. What ports would you recommend locking the users from accessing on the server vlan?
0
Comment
Question by:justin0104
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
Saineolai earned 500 total points
ID: 33591952
I would reverse the question... what ports do the users need to access on the server vlan.  If you can define this list of ports than you can configure an accesslist to implement it.
0
 

Author Comment

by:justin0104
ID: 33591971
Well we have exchange, AD authentication, SQL, web sites 80 and 443. Would it be best to allow all known good ports 0-1024 and block all other ports above that? I do however want to block rdp and icmp so I know how to do that but do you see any problems with the 0-1024 allow and then everything above that block?
0
 
LVL 8

Assisted Solution

by:Saineolai
Saineolai earned 500 total points
ID: 33592171
See this link for sql ports

http://support.microsoft.com/kb/287932

You would need to get the list of ports for Exchange and AD also.  Do you have printing, and file sharing too?

"Ports 0-1024" are not necessarily "good ports" they are more commonly know as well known ports i.e.  Many of the attacks on windows machines from virus and malware infections come on ports such as TCP 445.

What do you see as the risks that you are trying to defend against by blocking these ports, i.e., malware infections, malicious users etc?
0
 

Author Comment

by:justin0104
ID: 33592191
Alright I'll just look up ports then. You are correct with the malware, viruses and so forth question. This is just a general security policy I am trying to enforce. Right now we do have a server vlan and a user vlan and I realize that they are do separate broadcast domains but just in case I want to have my bases covered.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34459592
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
QoS on Cisco router 10 62
BGP Local Preference 5 80
Bizarre IP Address / Port Blocking Windows 7 13 82
Ping in Fortigate 2 62
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question