Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

lock user vlan down from accessing server vlan

Posted on 2010-09-02
6
Medium Priority
?
283 Views
Last Modified: 2012-05-10
What is the best way of going about this and is it necessary? I have a user vlan that right now has complete access to the server vlan and I'm wondering if I should lock this down some so they can't do certain things. What ports would you recommend locking the users from accessing on the server vlan?
0
Comment
Question by:justin0104
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
Saineolai earned 2000 total points
ID: 33591952
I would reverse the question... what ports do the users need to access on the server vlan.  If you can define this list of ports than you can configure an accesslist to implement it.
0
 

Author Comment

by:justin0104
ID: 33591971
Well we have exchange, AD authentication, SQL, web sites 80 and 443. Would it be best to allow all known good ports 0-1024 and block all other ports above that? I do however want to block rdp and icmp so I know how to do that but do you see any problems with the 0-1024 allow and then everything above that block?
0
 
LVL 8

Assisted Solution

by:Saineolai
Saineolai earned 2000 total points
ID: 33592171
See this link for sql ports

http://support.microsoft.com/kb/287932

You would need to get the list of ports for Exchange and AD also.  Do you have printing, and file sharing too?

"Ports 0-1024" are not necessarily "good ports" they are more commonly know as well known ports i.e.  Many of the attacks on windows machines from virus and malware infections come on ports such as TCP 445.

What do you see as the risks that you are trying to defend against by blocking these ports, i.e., malware infections, malicious users etc?
0
 

Author Comment

by:justin0104
ID: 33592191
Alright I'll just look up ports then. You are correct with the malware, viruses and so forth question. This is just a general security policy I am trying to enforce. Right now we do have a server vlan and a user vlan and I realize that they are do separate broadcast domains but just in case I want to have my bases covered.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 34459592
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question