
Restrict Network Access

How do I restrict network access on a server so that it cannot browse out on its subnet and nobody on that subnet can access it?

The server is in a VMware environment, using a SonicWall NSA 2400 as the firewall.
Asked by red_75116
5 Solutions
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
What network restrictions do you want to apply to the server?
 
bgoering commented:
If the control is on a subnet local to the server, the external firewall will not be of much use. You would have to implement access rules within a host-based firewall running on the server itself.

What kind of server is it?
 
red_75116 (Author) commented:
Windows 2008 32-bit.

It is a web server, which will have an external IP address, but I don't want any internal access to it or for it to access anything internal.
 
Aaron Tomosky, Technology Consultant, commented:
So you want it in the DMZ? External address only, no internal LAN address.
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I would agree: DMZ, with port 80 or 443 through the firewall, and no internal LAN access to the DMZ.
 
Aaron Tomosky, Technology Consultant, commented:
On the SonicWall you can make other zones aside from the DMZ, if you can plug it into a separate port from the standard LAN. This would be my favorite, so that if you wanted to you could make a rule allowing a developer access to the box for updates or something.
 
bgoering commented:
Your best bet would be to split the server off to another subnet completely separate from your internal LAN. This would provide the best security.

You could look at a virtual firewall such as m0n0wall to accomplish this type of setup. You could also add a NIC, vSwitch, and port group on your VMware server and connect it to another interface on your SonicWall to create your DMZ. I am not really familiar with the SonicWall, but it appears that it supports up to 6 interfaces.

Alternatively, as mentioned, you could use your Windows firewall to create packet filtering rules such as:

allow server IP access to gateway on network
deny server IP access to internal subnet

Those two rules will prevent the server from contacting anything internal except the gateway.

deny internal subnet access to server IP

This rule will prevent any internal machines from accessing the server.

Good luck
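The three host-firewall rules bgoering lists, written out as `netsh advfirewall` commands for the Windows Server 2008 guest. This is an added example, not something posted in the thread; the addresses (internal LAN 192.168.1.0/24, gateway 192.168.1.1) and the rule names are placeholders to be replaced with the site's own values. It also adds the inbound 80/443 allow that the DMZ discussion above implies, and shows the one caveat that matters when translating the rule list: Windows Firewall evaluates block rules ahead of allow rules, so the outbound block must exclude the gateway address instead of covering the whole subnet.

```powershell
# Added example (not from the thread). Placeholder addressing, adjust to the site:
#   internal LAN 192.168.1.0/24, gateway 192.168.1.1
# Run from an elevated prompt on the Windows Server 2008 web server.

# Make sure the host firewall is enabled for every profile.
netsh advfirewall set allprofiles state on

# 1. "allow server IP access to gateway": explicit allow so the rule survives
#    if the outbound default is later switched to block.
netsh advfirewall firewall add rule name="DMZ-web: allow gateway" dir=out action=allow remoteip=192.168.1.1 profile=any

# 2. "deny server IP access to internal subnet".
#    Caveat: a block rule always wins over an allow rule in Windows Firewall, so
#    the blocked range must leave out the gateway (.1) rather than using the /24.
netsh advfirewall firewall add rule name="DMZ-web: block internal out" dir=out action=block remoteip=192.168.1.2-192.168.1.254 profile=any

# 3. "deny internal subnet access to server IP": block the entire subnet inbound.
#    Internet clients arrive with their public source address (assumed: the
#    SonicWall only translates the destination), so this rule does not affect them.
netsh advfirewall firewall add rule name="DMZ-web: block internal in" dir=in action=block remoteip=192.168.1.0/24 profile=any

# 4. The web ports the thread talks about passing through the firewall. Because
#    block beats allow, rule 3 still keeps internal hosts out of 80/443.
netsh advfirewall firewall add rule name="DMZ-web: allow HTTP/HTTPS" dir=in action=allow protocol=TCP localport=80,443 profile=any

# Verify the rules that were created.
netsh advfirewall firewall show rule name="DMZ-web: block internal out"
netsh advfirewall firewall show rule name="DMZ-web: block internal in"
netsh advfirewall firewall show rule name="DMZ-web: allow HTTP/HTTPS"
```

Check the result from an internal workstation (a connection to the server's port 80 should time out) and from the server itself (a ping to the gateway succeeds, a ping to any other internal host does not). Note that this only protects against the server itself; a compromised server with local administrator rights can remove these rules, which is why the later answers prefer a separate subnet behind the SonicWall.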
 
digitap commented:
The collective advice here is right on. To use the SonicWall to manage your virtual server in a virtual environment, you'll need to connect the server to a physical interface on the SonicWall, putting it in a different subnet. That could be either a true DMZ, where the interface is transparent so that your server has a public IP address, or a new private subnet. The challenge is to get the virtual server physically connected to the SonicWall interface. I think that bgoering has the right idea in adding a physical NIC, binding your virtual server to that NIC, and connecting the physical NIC to the SonicWall interface.
 
bgoering commented:
I think the additional NIC and vSwitch, using the existing SonicWall, is also the best solution. I throw out the m0n0wall solution (http://m0n0.ch) for the case where there may not be an easy way to add another network -- say no extra NIC, switch, etc. In such a case there are virtual firewalls such as m0n0wall, pfSense, Vyatta, etc. that may be employed to isolate the web server to a separate network internal only to the VMware server. A bit more cumbersome, but workable if the user is limited by available hardware to utilize the SonicWall.

Either way can protect the inside network from the DMZ server.
 
digitap commented:
And the reason for the separate NIC is that if you have multiple virtual guests, they may use the same physical NIC.
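The VMware side of the recommended setup (dedicated physical NIC, new vSwitch, new port group, web server moved onto it), as an added PowerCLI example. It is not code from the thread or from VMware; the host name, uplink name, VM name and vCenter address are placeholders, and it assumes the spare uplink is already cabled to a SonicWall interface that has been placed in a DMZ zone. The point digitap makes in the last comment is what step 1 enforces: the new vSwitch is backed only by the spare uplink, so DMZ guests cannot share a physical NIC with LAN port groups.

```powershell
# Added example (not from the thread). Placeholder names, adjust to the site:
#   vCenter vcenter.example.local, ESX host esx01.example.local,
#   spare uplink vmnic2 (cabled to the SonicWall DMZ interface), web server VM web01
Connect-VIServer -Server vcenter.example.local

$vmhost = Get-VMHost -Name esx01.example.local

# 1. New vSwitch whose ONLY uplink is the spare physical NIC. No LAN port group
#    is ever created on it, so DMZ and LAN traffic never share a physical NIC.
$vswitch = New-VirtualSwitch -VMHost $vmhost -Name vSwitchDMZ -Nic vmnic2

# 2. Port group on that switch; this is what the VM's virtual NIC attaches to.
$pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name DMZ

# 3. Move the web server's network adapter off the LAN port group onto DMZ.
Get-VM -Name web01 | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $pg -Confirm:$false

# Verify: vSwitchDMZ lists vmnic2 as its only uplink, and only the DMZ port group
# sits on it. Any other port group here would bridge the LAN into the DMZ.
Get-VirtualSwitch -VMHost $vmhost -Name vSwitchDMZ | Select-Object Name, Nic
Get-VirtualPortGroup -VirtualSwitch $vswitch | Select-Object Name, VirtualSwitchName
Get-VM -Name web01 | Get-NetworkAdapter | Select-Object Name, NetworkName
```

After the move, the server's IP addressing has to change to the DMZ subnet (or the public address, if the SonicWall interface is transparent), and the access rules between the DMZ and LAN zones are then written on the SonicWall rather than on the guest, which is the reason the thread prefers this over the host-firewall approach.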
