Locking down Firewall in Cloud VM Environment

Hello,

We are building a network at Rackspace with Windows Server 2012. This network will have a DC, SQL and application VMs. I am trying to figure out the best way to lock these VMs down for security. Can someone point me in the right direction to accomplish the following:

1. DC - only the private network needs to be able to make incoming connections to this server.
2. SQL - same as DC

Each VM comes with an internal network virtual NIC (192.168.4.0) and an external that is public facing.  We need to lock down that public facing NIC.

Is it as easy as using the built-in policies?

posae Asked:

btan, Exec Consultant, Commented:
The segregation via VLAN and subnetting is just splitting them into the typical 3-tier architecture, where the FW has to be guarding the authorised traffic to/from each tier. I suppose your "Locking down Firewall .." is referring to two aspects, namely
a) Tier lockdown on FW enforcement policy between the servers
b) Administrative lockdown of FW policy

I suggest the aforementioned have reference to these practices as a start, and further tighten based on the necessary ports and application transactions required between tiers. Also enforce least privilege based on role in administering the FW policy:
http://www.rackspace.com/knowledge_center/article/windows-server-security-best-practices
For those servers that will be interacting with the public Internet with no firewall device (by default, the Rackspace Public Cloud Servers do not come with a firewall device), the Windows firewall is the only protection that you have between your server resources and your private data and anybody with access to an Internet connection. Disabling as many rules as possible means opening the fewest ports that are listening over the public interface, which means the least amount of exposure to anyone trying to gain access to your server.

For those ports that must be opened, you should limit access to the server by whitelisting IP addresses in those specific rules. It's common for users to have accounts through their ISPs with dynamic public IP addresses that change over time.

By limiting access to the server via IP address whitelisting, you can ensure that those who need access to the server have it, and those who don't will be blocked from those open ports.

In addition to being aware of how much these servers are exposed to the Internet through open firewall ports, you should consider what data is available to others via file sharing. We do not recommend enabling Windows file sharing because the ports that are opened on the firewall expose the server to unwanted attempts to connect to the server over ports 445 and 139.
Overall, the Windows firewall is just fine for most applications. As with running any server, start out with a default deny policy and open up only the ports that you need. More importantly, ensure your application software is secure.

Separately, there are other "agent" based solutions to further lock down administrative port access on an on-demand basis, such as Dome9, as stated in http://www.dome9.com/blog/rackspace-cloud-server-security-tip-1
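The "default deny, then allow only from the private network and whitelisted admin addresses" approach the answer describes, as an added PowerShell example for Windows Server 2012 (not from the thread, from Rackspace or from Dome9). It assumes the two adapters are aliased 'Public' and 'Private' (rename them with Rename-NetAdapter to match the VM), takes 192.168.4.0/24 from the question, and uses 203.0.113.10 as a placeholder admin address.

```powershell
# Added example: lock the public-facing NIC of a Rackspace Windows Server 2012 VM
# using the built-in NetSecurity cmdlets. Adapter aliases and the admin IP are assumptions.
$PublicNic  = 'Public'            # assumption: alias of the Internet-facing adapter
$PrivateNic = 'Private'           # assumption: alias of the 192.168.4.x adapter
$PrivateNet = '192.168.4.0/24'    # private network from the question
$AdminIPs   = @('203.0.113.10')   # placeholder (RFC 5737 range); replace with real admin IPs

# 1. Default deny inbound on every profile so only explicit allow rules matter.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Turn off built-in inbound allow rules except Core Networking (DHCP/ICMPv6 etc.),
#    which cloud VMs usually still need. This also disables SMB/NetBIOS (445/139) rules.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
    Disable-NetFirewallRule

# 3. DC / SQL: accept inbound traffic only when it arrives on the private NIC AND
#    comes from the private subnet. Binding to the interface means a packet with a
#    forged 192.168.4.x source on the public NIC is still dropped.
New-NetFirewallRule -DisplayName 'Allow inbound from private network' `
    -Direction Inbound -Action Allow -InterfaceAlias $PrivateNic -RemoteAddress $PrivateNet

# 4. Any port that must stay open on the public NIC is whitelisted by source address.
#    Example: RDP for administration, only from the admin IPs.
New-NetFirewallRule -DisplayName 'RDP from admin IPs (public NIC)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -InterfaceAlias $PublicNic -RemoteAddress $AdminIPs

# 5. Audit: list every enabled inbound allow rule with its interface, source scope and
#    port, so anything reachable from 'Any' on the public NIC stands out.
function Get-InboundExposure {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        $ifc  = $_ | Get-NetFirewallInterfaceFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Interface = ($ifc.InterfaceAlias -join ',')
            Remote    = ($addr.RemoteAddress -join ',')
            Port      = ($port.LocalPort -join ',')
        }
    }
}
Get-InboundExposure | Format-Table -AutoSize
```

Run the audit function again after any rule change; a row whose Interface is blank and Remote is Any is reachable from the Internet over the public NIC.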
