Solved

How to set security group of amazon cloud to safely allow ports like FTP, MSDTC, MSMQ and filesharing etc.,

Posted on 2011-02-17
Last Modified: 2016-03-23
Hi Experts,

I currently launched a few servers on Amazon cloud and I am looking for a security solution for the cloud servers.

1. I am looking for a tool where I can store all instances' IP addresses with server names and use them to remote login whenever required, instead of looking into the document every time. If the tool has a secured (encrypted) login, that would be great.

2. Right now I have put rules in the security group in such a way that RDP occurs only through the corporate firewall, by making an entry as below.

      Protocol   From port   To port   Source IP
RDP   tcp        3389        3389      firewall ip/34

Similarly I want to secure other ports opened for SQL, FTP and MSMQ etc.

I cannot make the same rule, as FTP is used by clients.
Other SQL and MSMQ ports are opened as SQL installed on different instances has to communicate. How do I make a rule that this communication should happen only across the cloud infra?

   Protocol   From port   To port   Source IP
-  tcp        21          21        0.0.0.0/0
-  tcp        1023        1024      0.0.0.0/0
-  tcp        3372        3372      0.0.0.0/0

How do I make sure that allowing these ports is secure or safe? Is there a solution to make these ports open but only from cloud servers or from my office network?

Please help. Thanks in advance.
Question by:anuboggaram
6 Comments
 
LVL 33

Accepted Solution

by:
shalomc earned 2000 total points
ID: 34923814
The Password Vault by Cyber-Ark stores servers' addresses, user names, and passwords. It manages authorization to the login credentials, and supports remote connections out of the tool.

http://www.cyber-ark.com/digital-vault-products/pim-suite/enterprise-password-vault/index.asp

To improve the network security, you have several options.
Obviously you know how to limit IP access to EC2 from your office network. To limit IP access to only the cloud servers, you use a CIDR of 10.0.0.0/8.

The other option is to have a Virtual Private Cloud in EC2.
There are 2 methods to achieve this.
Amazon VPC lets you define a subnet in EC2, connect it via VPN to your office network, and launch servers in your own IP addressing scheme with your own policies.

There are commercial products like Epiforce that let you create secure private networks in virtualized environments.
http://www.apani.com/products/epiforce/overview.html
 

Author Comment

by:anuboggaram
ID: 34924698
First of all, thanks for the quick response.

I will go through the tool and see how far I can utilise it.
Coming to the security group for limiting access among only cloud servers:
when I enter 10.0.0.0/8 for 445 and 1433/34, files are not shared among cloud servers, SQL is not getting connected to another SQL on a different instance, and the linked server is not working, respectively.

How do I restrict all these ports to cloud instances?

 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 2000 total points
ID: 35355427
anuboggaram,

Maybe my answer was not clear. Let me explain a bit more about EC2 security groups.
You can restrict access based on IP addressing, or based on server roles.
A server role can be mapped to a security group, and these groups can then be used as a reference in the firewall permissions.

Scenario 1:
You have several EC2 servers that should be open between themselves on all ports, but closed to the outside world. You want all of them to be accessible via RDP, but only from your office network, which has a public IP address of w.x.y.z.
Set up a new security group "anuboggaram", define inside it a rule that allows all ports to group "anuboggaram", and define another rule that opens port 3389 to CIDR w.x.y.z/32.

Scenario 2:
You have several web/application servers and a database server.
You want to provide access to the database only from the web servers, and the web servers to transport files among themselves via FTP.
Set up a new security group "webservers" and define inside it a rule that allows port 21 to group "webservers". Assign this security group to the web servers.
Create another security group "databases" and define inside it a rule that allows the database ports to security group "webservers". Assign the "databases" security group to the SQL server.

Add port 3389 to CIDR w.x.y.z/32 if you need RDP access from your office network.

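The following is an added, constructed model of the two approaches in shalomc's answers (the CIDR rule of 10.0.0.0/8 from the first answer and the group-referencing rules of Scenario 2 from the second); it is not AWS code and not the answerer's. It checks the questioner's original 0.0.0.0/0 rules and the Scenario 2 rules against the same flows, so the difference is visible: a CIDR rule matches on the source address the packet carries, while a group reference matches on membership of the sending instance regardless of its address. Instance names, the 10.20.x.x addresses, the office address 198.51.100.10/32 (standing in for w.x.y.z/32) and the outside host 203.0.113.5 are all assumptions, and `to_cli` renders today's `aws ec2 authorize-security-group-ingress` syntax, which is also an assumption since the 2011 EC2 tools differed.

```python
"""Constructed model of EC2 security-group ingress semantics (not AWS code).

A rule's source is either a CIDR block or the name of another security group.
A CIDR rule matches on the packet's source address; a group rule matches when
the sending instance belongs to that group, whatever its address. Groups are
default-deny: traffic passes only if some rule on the destination's groups matches.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp"
    from_port: int
    to_port: int
    source: str     # CIDR such as "198.51.100.10/32" or a group name such as "webservers"


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset  # security groups attached to the instance


def is_cidr(source):
    """True if the source parses as an address or network; otherwise it is a group name."""
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def rule_matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol != protocol or not rule.from_port <= port <= rule.to_port:
        return False
    if is_cidr(rule.source):
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)
    return rule.source in src_groups


def allowed(groups, dst, protocol, port, src_ip, src_groups=frozenset()):
    """groups maps group name -> list of Rule; src_groups is empty for an outside host."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for g in dst.groups for r in groups.get(g, ()))


def to_cli(group, rule):
    """Equivalent call in today's AWS CLI (assumed syntax; the 2011 ec2-api-tools differed)."""
    port = str(rule.from_port) if rule.from_port == rule.to_port else f"{rule.from_port}-{rule.to_port}"
    src = f"--cidr {rule.source}" if is_cidr(rule.source) else f"--source-group {rule.source}"
    return (f"aws ec2 authorize-security-group-ingress --group-name {group} "
            f"--protocol {rule.protocol} --port {port} {src}")


OFFICE_CIDR = "198.51.100.10/32"  # constructed stand-in for the office firewall w.x.y.z/32
OFFICE_IP = OFFICE_CIDR.split("/")[0]
OUTSIDE_IP = "203.0.113.5"        # constructed address of an arbitrary Internet host

# "Before": the question's rules, open to 0.0.0.0/0 (plus the SQL port it mentions).
BEFORE = {"default": [
    Rule("tcp", 21, 21, "0.0.0.0/0"),
    Rule("tcp", 1023, 1024, "0.0.0.0/0"),
    Rule("tcp", 3372, 3372, "0.0.0.0/0"),
    Rule("tcp", 1433, 1433, "0.0.0.0/0"),
    Rule("tcp", 3389, 3389, OFFICE_CIDR),
]}

# "After": Scenario 2 from the accepted answer, sources expressed as group references.
AFTER = {
    "webservers": [Rule("tcp", 21, 21, "webservers"),      # FTP only between web servers
                   Rule("tcp", 3389, 3389, OFFICE_CIDR)],  # RDP only from the office
    "databases":  [Rule("tcp", 1433, 1433, "webservers"),  # SQL only from the web tier
                   Rule("tcp", 3389, 3389, OFFICE_CIDR)],
}

WEB1 = Instance("web1", "10.20.1.10", frozenset({"webservers"}))  # constructed addresses
WEB2 = Instance("web2", "10.20.1.11", frozenset({"webservers"}))
DB1 = Instance("db1", "10.20.2.10", frozenset({"databases"}))


def compare():
    """Run the same flows against both rule sets; returns {flow: (before, after)}."""
    old_db = Instance(DB1.name, DB1.ip, frozenset({"default"}))
    old_web2 = Instance(WEB2.name, WEB2.ip, frozenset({"default"}))
    flows = {
        "web1 -> db1 sql":     (old_db, DB1, 1433, WEB1.ip, WEB1.groups),
        "web1 -> web2 ftp":    (old_web2, WEB2, 21, WEB1.ip, WEB1.groups),
        "web1 -> web2 sql":    (old_web2, WEB2, 1433, WEB1.ip, WEB1.groups),
        "outside -> db1 sql":  (old_db, DB1, 1433, OUTSIDE_IP, frozenset()),
        "outside -> web2 ftp": (old_web2, WEB2, 21, OUTSIDE_IP, frozenset()),
        "office -> db1 rdp":   (old_db, DB1, 3389, OFFICE_IP, frozenset()),
    }
    return {name: (allowed(BEFORE, old, "tcp", port, ip, grps),
                   allowed(AFTER, new, "tcp", port, ip, grps))
            for name, (old, new, port, ip, grps) in flows.items()}


def private_cidr_matches(src_ip):
    """The first answer's 10.0.0.0/8 rule: it matches only when the packet really
    carries a 10.x source address, which a group reference does not depend on."""
    return rule_matches(Rule("tcp", 1433, 1433, "10.0.0.0/8"), "tcp", 1433, src_ip, frozenset())


if __name__ == "__main__":
    for flow, (before, after) in compare().items():
        print(f"{flow:22} before={before!s:5} after={after}")
    for g in AFTER:
        for r in AFTER[g]:
            print(to_cli(g, r))
```

Running the file prints each flow with its verdict under both rule sets, followed by the CLI calls that would create the Scenario 2 rules. The flow "web1 -> web2 sql" is the one to notice: the original rules let any instance (and any Internet host) reach port 1433, whereas the group-based rules permit SQL only from members of "webservers" to members of "databases" and nothing else, which is the least-privilege outcome the answer is describing.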
 
LVL 70

Expert Comment

by:Qlemo
ID: 35414454
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
