
Locking down Firewall in Cloud VM Environment

Hello,

We are building a network at Rackspace with Windows Server 2012. This network will have a DC, SQL and application VMs. I am trying to figure out the best way to lock these VMs down for security. Can someone point me in the right direction to accomplish the following:

1. DC - only the private network needs to be able to make incoming connections to this server.
2. SQL - same as DC

Each VM comes with an internal network virtual NIC (192.168.4.0) and an external that is public facing.  We need to lock down that public facing NIC.

Is it as easy as using the built-in policies?
Asked by: posae

1 Solution
btan (Exec Consultant) commented:

The segregation via VLAN and subnetting is just splitting them into the typical 3-tier architecture, where the FW has to be guarding the authorised traffic to/fro in each tier's enforcement. I suppose your "Locking down Firewall .." is referring to two aspects, namely:
a) Tier lockdown on FW enforcement policy btw the servers
b) Administrative lockdown of FW policy

I suggest the a/m have in reference to these practices as a start, and further tighten based on the necessary port and appls transactions required btw tiers. Also enforce least privilege based on role in administering the FW policy:
http://www.rackspace.com/knowledge_center/article/windows-server-security-best-practices
For those servers that will be interacting with the public Internet with no firewall device (by default, the Rackspace Public Cloud Servers do not come with a firewall device), the Windows firewall is the only protection that you have between your server resources and your private data and anybody with access to an Internet connection. Disabling as many rules as possible means opening the fewest ports that are listening over the public interface, which means the least amount of exposure to anyone trying to gain access to your server.

For those ports that must be opened, you should limit access to the server by whitelisting IP addresses in those specific rules. It's common for users to have accounts through their ISPs with dynamic public IP addresses that change over time.

By limiting access to the server via IP address whitelisting, you can ensure that those who need access to the server have it, and those who don't will be blocked from those open ports.

In addition to being aware of how much these servers are exposed to the Internet through open firewall ports, you should consider what data is available to others via file sharing. We do not recommend enabling Windows file sharing because the ports that are opened on the firewall expose the server to unwanted attempts to connect to the server over ports 445 and 139.
Overall, the Windows firewall is just as fine for most applications. As with running any server, start out with a default deny policy and open up only the ports that you need. More importantly, ensure your application software is secure.

Separately, there are other "agent"-based solutions to further lock down administrative port access on an on-demand basis, such as Dome9, as stated in http://www.dome9.com/blog/rackspace-cloud-server-security-tip-1
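The answer above describes the policy (default deny inbound, scope every open port to the private network, keep 445/139 off the public NIC, whitelist one admin address). The following script is an added example of applying that policy with the Windows Server 2012 NetSecurity cmdlets; it is not from the thread, from Rackspace or from Dome9. It assumes the public adapter's alias is "Public" and the administrator's fixed IP is 203.0.113.10 (TEST-NET placeholder); both are placeholders to replace before running.

```powershell
# Added example, not from the original thread or from Rackspace: baseline
# Windows Firewall lockdown for a Server 2012 VM with a private NIC on
# 192.168.4.0/24 and a public NIC. Run in an elevated PowerShell session.
# Assumptions (placeholders, adjust first): the public adapter's alias is
# "Public" and the administrator's fixed IP is 203.0.113.10 (TEST-NET range).
$PrivateSubnet = '192.168.4.0/24'
$PublicNic     = 'Public'        # assumed alias; confirm with Get-NetAdapter
$AdminIp       = '203.0.113.10'  # placeholder; use your real static address

# 1. Default deny inbound on all three profiles; outbound stays open.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Every enabled inbound allow rule (built-in AD, SQL, RDP, ...) is scoped
#    to the private subnet, so nothing answers on the public NIC by default.
#    Core Networking (ICMPv6, DHCP, loopback) is left alone so basic
#    connectivity keeps working.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
    Set-NetFirewallRule -RemoteAddress $PrivateSubnet

# 3. Block rules beat allow rules: SMB/NetBIOS can never be reached through
#    the public NIC, even if a sharing rule is re-enabled later.
New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS on public NIC' `
    -Direction Inbound -InterfaceAlias $PublicNic -Protocol TCP `
    -LocalPort 139,445 -Action Block

# 4. The one deliberate public exception: RDP from a whitelisted admin IP.
New-NetFirewallRule -DisplayName 'RDP from admin IP only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminIp -Action Allow

# 5. Audit: any enabled inbound allow rule still open to "Any" is a finding.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName
                           Port = ($port.LocalPort -join ',')
                           From = ($addr.RemoteAddress -join ',') }
    } | Where-Object { $_.From -eq 'Any' } | Format-Table -AutoSize
```

Apply it first on a VM you can reach through the provider's console, since a mistake in step 2 or 4 cuts off RDP; the audit in step 5 should come back empty once the policy is in place.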
