Solved

Locking down Firewall in Cloud VM Environment

Posted on 2014-10-07
Medium Priority
510 Views
Last Modified: 2014-10-22
Hello,

We are building a network at Rackspace with Windows Server 2012. This network will have a DC, SQL and application VMs. I am trying to figure out the best way to lock these VMs down for security. Can someone point me in the right direction to accomplish the following:

1. DC - only needs to allow incoming connections from the private network to this server.
2. SQL - same as DC

Each VM comes with an internal network virtual NIC (192.168.4.0) and an external that is public facing.  We need to lock down that public facing NIC.

Is it as easy as using the built-in policies?
Question by: posae

Accepted Solution by: btan (LVL 64), earned 2000 total points
ID: 40367674
The segregation via VLAN and subnetting is just splitting them into the typical 3-tier architecture, in which the FW has to be guarding the authorised traffic to and fro in each tier's enforcement. I suppose your "Locking down Firewall .." is referring to two aspects, namely
a) Tier lockdown on FW enforcement policy between the servers
b) Administrative lockdown of FW policy

I suggest the aforementioned have reference to these practices as a start, and further tighten based on the necessary port and application transactions required between tiers. Also enforce least privilege based on role in administering the FW policy:
http://www.rackspace.com/knowledge_center/article/windows-server-security-best-practices
For those servers that will be interacting with the public Internet with no firewall device (by default, the Rackspace Public Cloud Servers do not come with a firewall device), the Windows firewall is the only protection that you have between your server resources and your private data and anybody with access to an Internet connection. Disabling as many rules as possible means opening the fewest ports that are listening over the public interface, which means the least amount of exposure to anyone trying to gain access to your server.

For those ports that must be opened, you should limit access to the server by whitelisting IP addresses in those specific rules. It's common for users to have accounts through their ISPs with dynamic public IP addresses that change over time.

By limiting access to the server via IP address whitelisting, you can ensure that those who need access to the server have it, and those who don't will be blocked from those open ports.

In addition to being aware of how much these servers are exposed to the Internet through open firewall ports, you should consider what data is available to others via file sharing. We do not recommend enabling Windows file sharing because the ports that are opened on the firewall expose the server to unwanted attempts to connect to the server over ports 445 and 139.
Overall, the Windows firewall is just fine for most applications. As with running any server, start out with a default deny policy and open up only the ports that you need. More importantly, ensure your application software is secure.

Separately, there are other "agent"-based solutions to further lock down administrative port access on an on-demand basis, such as Dome9, as described in http://www.dome9.com/blog/rackspace-cloud-server-security-tip-1
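The answer's "default deny, open only what you need, whitelist admin IPs" advice, applied with the built-in Windows Firewall on Server 2012, as an added example that is not part of the question or the accepted answer. It assumes the private NIC is on 192.168.4.0/24 (from the question); the role/port table, the admin IP (a TEST-NET placeholder) and the rule names are assumptions for illustration, not Rackspace's or Experts Exchange's own guidance.

```powershell
# Added example (not from the original thread): a Windows Firewall baseline for
# the DC and SQL VMs using the NetSecurity cmdlets shipped with Server 2012.
# ASSUMPTIONS: private subnet 192.168.4.0/24 comes from the question; the
# admin IP is a TEST-NET-3 placeholder; port lists are the well-known AD / SQL
# Server defaults and must be trimmed to what your tiers actually use.
param(
    [ValidateSet('DC','SQL')] [string]$Role = 'DC',
    [string]$PrivateSubnet = '192.168.4.0/24',   # from the question
    [string]$AdminPublicIp = '203.0.113.10'      # PLACEHOLDER: fixed admin IP
)

# 1. Default deny inbound on every profile (the public NIC included); keep
#    outbound open. Logging dropped packets gives you evidence of scans.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 2. Disable the pre-enabled "allow from anywhere" groups so that only the
#    explicitly scoped rules below remain. SMB (445/139) is re-added below,
#    restricted to the private subnet, because a DC needs it for SYSVOL/NETLOGON.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -match 'File and Printer Sharing|Remote Desktop|Network Discovery' } |
    Disable-NetFirewallRule

# 3. Role-specific service ports, reachable only from the private subnet.
#    DC: DNS, Kerberos, RPC mapper + dynamic range, LDAP(S), SMB, GC.
#    SQL: 1433 for the default instance; 1434/UDP only if you rely on SQL Browser.
$rolePorts = @{
    DC  = @{ TCP = '53','88','135','139','389','445','464','636','3268','3269','49152-65535'
             UDP = '53','88','123','389','464' }
    SQL = @{ TCP = '1433'
             UDP = '1434' }
}
foreach ($proto in 'TCP','UDP') {
    $ports = $rolePorts[$Role][$proto]
    if ($ports) {
        New-NetFirewallRule -DisplayName "Allow $Role $proto from private subnet" `
            -Direction Inbound -Action Allow -Protocol $proto `
            -LocalPort $ports -RemoteAddress $PrivateSubnet -Profile Any
    }
}

# 4. Management (RDP) from the private subnet and from one whitelisted admin
#    address only. Anything else arriving on the public NIC hits the default block.
New-NetFirewallRule -DisplayName 'Allow RDP from private subnet and admin IP' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress @($PrivateSubnet, $AdminPublicIp) -Profile Any

# 5. Verify: every inbound allow rule that is still enabled, with its port and
#    remote scope. Any line showing "from Any" is exposure on the public NIC.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $port = $_ | Get-NetFirewallPortFilter
        '{0,-45} {1,-4} {2,-28} from {3}' -f $_.DisplayName, $port.Protocol, ($port.LocalPort -join ','), $addr
    }
```

Run it elevated on the VM itself, and from a host on the private subnet confirm the services still answer (for example `Test-NetConnection -ComputerName <dc> -Port 389`) before closing the session you are working from; the verification step at the end is the check to repeat after any later rule change, because a single rule whose remote scope is `Any` silently reopens the public side.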