Solved

Locking down Firewall in Cloud VM Environment

Posted on 2014-10-07
1
483 Views
Last Modified: 2014-10-22
Hello,

We are building a network at rackspace with 2012 windows server.  this network will have a DC, SQL and application vms.  I am trying figure out the best way to lock these vms down for security.  Can someone point me in the right direction to accomplish the following:

1. DC - only need to have the private network to be able to have incoming connections to this server.
2. SLQ - same as DC

Each VM comes with an internal network virtual NIC (192.168.4.0) and an external that is public facing.  We need to lock down that public facing NIC.

is it as easy as using the built in policies?
0
Comment
Question by:posae
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40367674
the segregation via VLAN and subnetting is just splitting them to the typical 3-tier architecture which FW has to be guarding the authorised traffic to/fro in each tier enforcement. I suppose your "Locking down Firewall .." is referring to two aspects namely
a) Tier lockdown on FW enforcement policy btw the servers
b) Administrative lockdown of FW policy

I suggest the a/m have in reference to these practices as a start and further tighten based on the necessary port and appls transaction required btw tier. Also enforce least privileged based on role in administering the FW policy
http://www.rackspace.com/knowledge_center/article/windows-server-security-best-practices
For those servers that will be interacting with the public Internet with no firewall device (by default, the Rackspace Public Cloud Servers do not come with a firewall device), the Windows firewall is the only protection that you have between your server resources and your private data and anybody with access to an Internet connection. Disabling as many rules as possible means opening the fewest ports that are listening over the public interface, which means the least amount of exposure to anyone trying to gain access to your server.

For those ports that must be opened, you should limit access to the server by whitelisting IP addresses in those specific rules. It's common for users to have accounts through their ISPs with dynamic public IP addresses that change over time.

By limiting access to the server via IP address whitelisting, you can ensure that those who need access to the server have it, and those who don't will be blocked from those open ports.

In addition to being aware of how much these servers are exposed to the Internet through open firewall ports, you should consider what data is available to others via file sharing. We do not recommend enabling Windows file sharing because the ports that are opened on the firewall expose the server to unwanted attempts to connect to the server over ports 445 and 139.
Overall, the Windows firewall is just as fine for most applications. As with running any server, start out with a default deny policy and open up only the ports that you need. More importantly, is ensure your application software is secure..

Separately, there are other "agent" based solution to further lockdown administrative port access and is as of on-demand basis, such as Dome9 in this stated http://www.dome9.com/blog/rackspace-cloud-server-security-tip-1
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How often Should you reconcile DHCP manually? 1 65
802.1X auth setup and configuration 3 40
Remote desktop connection frequent connection lost 5 53
BgInfo help 5 63
This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question