Firewall recommendation

Hi,

I am in the process of building 2 servers that will be hosted in a datacentre. The first one will be an IIS6 web server and the second a SQL Server, which I need to access via remote control/MMC console from the internet. Could someone suggest a good firewall or the configuration methodology?

Thanks

Med


Please don't implement such systems without a security concept. If you feel unsure about how to design one, please consider ordering from a security consulting company.

Yours, VB.

Volker Birk

Only expose the web server via HTTP or HTTPS. When you want to manage the servers, VPN into the firewall appliance and then set rules to allow your VPN connection to access the servers as though you were on the LAN with them.

Any major vendor's firewall will provide what you need, but I like WatchGuard, starting at the X700 series and above.

Leythos
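An added illustration of the layout described in the post above (not part of the original thread and not tied to any vendor): a small audit that flags inbound allow rules which expose anything other than HTTP/HTTPS on the web server to sources outside the VPN. The addresses, the VPN pool and the rule list are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not from the thread).
WEB = ipaddress.ip_address("10.0.0.10")
SQL = ipaddress.ip_address("10.0.0.20")
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")
PUBLIC_WEB_PORTS = {80, 443}  # HTTP and HTTPS

# Constructed inbound allow rules: (source CIDR, destination IP, TCP port).
SAMPLE_RULES = [
    ("0.0.0.0/0", "10.0.0.10", 80),
    ("0.0.0.0/0", "10.0.0.10", 443),
    ("10.99.0.0/24", "10.0.0.10", 3389),    # remote desktop over the VPN
    ("10.99.0.0/24", "10.0.0.20", 1433),    # SQL management over the VPN
    ("0.0.0.0/0", "10.0.0.20", 1433),       # breaks the design
    ("203.0.113.0/24", "10.0.0.10", 3389),  # breaks the design
]

def audit(rules):
    """Return (rule, reason) for every allow rule that breaks the design."""
    findings = []
    for rule in rules:
        src, dst, port = rule
        src_net = ipaddress.ip_network(src)
        dst_ip = ipaddress.ip_address(dst)
        if src_net.subnet_of(VPN_POOL):
            continue  # VPN clients are treated like hosts on the LAN
        if dst_ip == WEB and port in PUBLIC_WEB_PORTS:
            continue  # the only service meant to be public
        if dst_ip == SQL:
            reason = "SQL server reachable from outside the VPN"
        elif dst_ip == WEB:
            reason = "non-web port on web server reachable from outside the VPN"
        else:
            reason = "unexpected destination"
        findings.append((rule, reason))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(rule, "->", reason)
```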

Hi,

Thanks for the advice. Following the link

formatting link
I can see restrictions on number of users (i.e. X700 < 150). Does this include the users browsing the websites on my webserver or does it mean the admin/VPN connections to the firewall?

Regards

Med


You should actually look at the WatchGuard site - is there a reason you didn't look there?

formatting link
Concurrent Sessions 50,000/75,000

Limited to 100 VPN tunnels without upgrade.

We've got over 200 users in a medical center, 8 dedicated IPSec VPN tunnels to other offices, and a mail server in the DMZ, and the firewall is never the limiting factor in that solution.

I've got a bunch of these all over the US and several other countries, they seem to run/last forever and we've not had one cracked yet.

Leythos

The Juniper Netscreen family is what I recommend.

Before you expose your servers to the Internet, even behind a firewall, find, and read, as much material on hardening Windows servers as you can. You can make a Windows server just as secure as any other box, but you have to work harder at it because of the default configuration chosen by Microsoft.

Jerry Gardner

Not really work harder, work smarter. The Windows Server 2003 Security Guide has a template called "Bastion Host.inf". One simple operation applies it and you're pretty secure.

formatting link
even states:

"The "High" security settings in Microsoft's "Windows Server 2003 Security Guide" track closely with the security level historically represented in the NSA guidelines"

See

formatting link
for the full text.

Wayne McGlinn Brisbane, Oz


If you just want to mask the ports, most any firewall will do. Pick up a used NetScreen somewhere for peanuts without support and you'll be all set.

If you want to protect the IIS6 and SQL servers from in-band attacks and compromises, get a UTM type firewall with an IPS system like a Fortigate. There are no user limits or other counts and session tables are very large, so just size it for your bandwidth. Perhaps set up an HA pair if you want redundancy.

-Russ.

Somebody.

If you only have 2 servers and need an all-in-one firewall and VPN solution, you should take a look at the Check Point Safe@Office. You only need the 5 node one (since 2 servers = 2 nodes unless you have more than one LAN IP for each) so the price is pretty low. Remote access client is free. And I am sure the technical support will gladly provide you with whatever guidance you need in order to set up the correct firewall policy.

formatting link

TechGrrl

Yes, you're right, he can apply that template. I'm the untrusting type who prefers to do it myself so that I know exactly what I'm getting.

Jerry Gardner

Hi Guys,

Thank you all for the advice. I will do some research on them.

Med

