Solved

Locking down Firewall in Cloud VM Environment

Posted on 2014-10-07
Last Modified: 2014-10-22
Hello,

We are building a network at Rackspace with Windows Server 2012. This network will have a DC, SQL and application VMs. I am trying to figure out the best way to lock these VMs down for security. Can someone point me in the right direction to accomplish the following:

1. DC - only need to have the private network to be able to have incoming connections to this server.
2. SQL - same as DC

Each VM comes with an internal network virtual NIC (192.168.4.0) and an external that is public facing.  We need to lock down that public facing NIC.

Is it as easy as using the built-in policies?
Question by:posae
1 Comment

Accepted Solution

by:
btan earned 500 total points
ID: 40367674
The segregation via VLAN and subnetting is just splitting them into the typical 3-tier architecture, where the FW has to guard the authorised traffic to/from each tier. I suppose your "Locking down Firewall..." is referring to two aspects, namely:
a) Tier lockdown on the FW enforcement policy between the servers
b) Administrative lockdown of the FW policy

I suggest the above-mentioned be done with reference to these practices as a start, and further tightened based on the necessary ports and application transactions required between tiers. Also enforce least privilege based on role in administering the FW policy:
http://www.rackspace.com/knowledge_center/article/windows-server-security-best-practices
For those servers that will be interacting with the public Internet with no firewall device (by default, the Rackspace Public Cloud Servers do not come with a firewall device), the Windows firewall is the only protection that you have between your server resources and your private data and anybody with access to an Internet connection. Disabling as many rules as possible means opening the fewest ports that are listening over the public interface, which means the least amount of exposure to anyone trying to gain access to your server.

For those ports that must be opened, you should limit access to the server by whitelisting IP addresses in those specific rules. It's common for users to have accounts through their ISPs with dynamic public IP addresses that change over time.

By limiting access to the server via IP address whitelisting, you can ensure that those who need access to the server have it, and those who don't will be blocked from those open ports.

In addition to being aware of how much these servers are exposed to the Internet through open firewall ports, you should consider what data is available to others via file sharing. We do not recommend enabling Windows file sharing because the ports that are opened on the firewall expose the server to unwanted attempts to connect to the server over ports 445 and 139.
Overall, the Windows firewall is just fine for most applications. As with running any server, start out with a default deny policy and open up only the ports that you need. More importantly, ensure your application software is secure.

Separately, there are other "agent"-based solutions to further lock down administrative port access on an on-demand basis, such as Dome9, as described in http://www.dome9.com/blog/rackspace-cloud-server-security-tip-1
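One way to put the accepted answer's points (default deny, built-in sharing rules off, allow-listed admin access, private-NIC-only inbound for DC/SQL) into practice on Windows Server 2012 with the NetSecurity cmdlets. This is an added example, not code from the thread, from Rackspace or from Dome9. It assumes hypothetical interface aliases "Public" and "Private" (check yours with Get-NetAdapter), the 192.168.4.0/24 private subnet from the question, and a constructed admin allow-list address 203.0.113.10 from the documentation range.

```powershell
# Added example (not from the thread). Assumptions: NIC aliases "Public"/"Private",
# private subnet 192.168.4.0/24 (from the question), constructed allow-list address
# 203.0.113.10. Run from an elevated PowerShell session on the VM console, not over
# the RDP session you are about to restrict.

$PublicNic      = "Public"
$PrivateNic     = "Private"
$PrivateSubnet  = "192.168.4.0/24"
$AdminAllowList = @("203.0.113.10")

# 1. Put the public-facing NIC in the Public profile so the strictest profile applies.
Set-NetConnectionProfile -InterfaceAlias $PublicNic -NetworkCategory Public

# 2. Default deny inbound on every profile and log dropped packets for later review.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# 3. Disable the built-in inbound rule groups that listen on every interface
#    (file sharing is the 445/139 exposure the Rackspace article warns about).
foreach ($group in "File and Printer Sharing", "Remote Desktop", "Network Discovery") {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# 4. Explicit block of SMB/NetBIOS on the public NIC. Block rules take precedence
#    over allow rules, so this holds even if the sharing rules are re-enabled later.
New-NetFirewallRule -DisplayName "Block SMB/NetBIOS on public NIC" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 139,445 `
    -InterfaceAlias $PublicNic -Profile Any

# 5. DC and SQL: inbound only from the private subnet and only on the private NIC.
#    Tighten -Protocol/-LocalPort per role (e.g. 1433 for SQL) once the app's needs are known.
New-NetFirewallRule -DisplayName "Allow private network inbound" `
    -Direction Inbound -Action Allow -InterfaceAlias $PrivateNic `
    -RemoteAddress $PrivateSubnet

# 6. Administrative RDP: only from the allow-list on the public NIC and from the
#    private subnet on the private NIC; no other source reaches 3389.
New-NetFirewallRule -DisplayName "RDP from admin allow-list (public NIC)" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -InterfaceAlias $PublicNic -RemoteAddress $AdminAllowList
New-NetFirewallRule -DisplayName "RDP from private network" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -InterfaceAlias $PrivateNic -RemoteAddress $PrivateSubnet

# 7. Review: every enabled inbound allow rule that still accepts any remote address.
#    On a locked-down DC/SQL VM this list should be empty or contain only rules you can justify.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains "Any" } |
    Select-Object DisplayName, Profile,
        @{ n = "Interface"; e = { ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias } } |
    Format-Table -AutoSize
```

Step 7 is the check worth repeating after any software install, since many installers add their own "any address" inbound rules; the log file from step 2 shows what the default deny is actually dropping on the public NIC, which is the quickest way to confirm the exposure is as small as intended.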
