Posted by Ansgar -59cobalt- Wiechers on June 8, 2007, 7:58 am
>>> we have a server in a hosting centre where we are developing a portal.
>>
>> Operating System? Do you have a network segment of your own or just that
>> one server?
>>
>>> In the current setup we are using Remote desktop/VNC to access the
>>> server to work on it.
>>
>> RDP or VNC? Having both is pointless.
>>
>>> Furthermore we are using FTP to upload new releases on the server.
>>
>> Do you need anonymous FTP? If not: SSH or WebDAV are a lot less painful
>> when it comes to traversing firewalls.
>>
>>> This portal is a place where people can create their profile and
>>> connect to other people with similar interests. all mails sent are
>>> outgoing and we don't receive emails on this server.
>>
>> Which services do you want that server to provide? Who will access them?
>> From where?
>>
>>> Now the question is when we go live we want to have a firewall setup.
>>
>> What kind of firewall setup? Host-based? Separate device on the boundary
>> of your network segment? Who will be maintaining the firewall? From
>> where?
>>
>>> Which ports should be open (obviously port 80) to still be able to
>>> access the server with remote desktop/VNC and ftp?
>>
>> Why is port 80 obvious? The default ports for RDP and VNC are 3389/tcp
>> and 5901/tcp respectively. As for FTP: it depends on whether you use
>> active or passive mode. And as said before: you may want to use
>> something less painful instead.
>>
>>> what about all the outgoing traffic from the server (what about DNS)
>>> do we need to open any ports for that.
>>
>> Why would you want to filter outgoing traffic in the first place? What
>> threats do you see that would require this?
>>
>> Please provide more information.
>
> Hi, the OS is Win Server 2003, database is SQL Server 2005 -
Do you need the database to be accessible from the outside?
> We are using VNC because we only have 2 concurrent users for RDP.
Two concurrent users is sufficient for the administration of the server.
Why do you need more?
> What do you mean when you ask if we need anonymous FTP?
Do you need anyone to be able to access the FTP server, or just selected
users? In case of the latter I'd suggest switching to SSH or WebDAV.
> can you suggest any SSH or WebDAV solutions - what are the pros and
> cons?
IIS supports WebDAV; for SSH I'd suggest Cygwin's OpenSSH daemon. SSH is
encrypted by default; for encrypted WebDAV you need SSL.
> The services we provide are for all users on the www - we don't
> restrict anyone. You can compare our service with MySpace (minus all
> the multimedia). I am not sure what sort of firewall setup we need as
> long as it's good and it protects our server. We only have the server,
> there is no network attached to it.
In that case enabling the Windows Firewall on your server should
suffice. Enable (only!) the exceptions you need for inbound traffic
(e.g. the ports for HTTP(s), RDP, SSH, ...). For ICMP allow inbound echo
request and outbound destination unreachable, source quench, parameter
problem and time exceeded.
> What do you mean with active or passive mode for ftp?
FTP knows two modes: active and passive, which differ in how the data
channel is established. Use your preferred search engine for details.
> we don't have any wish to scan or filter outgoing services, I was just
> in doubt about whether we needed to open the DNS port!
Unless you want to run a DNS server, you don't.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
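The host-based policy recommended in the reply above, written out as an added example (not part of the original thread or the poster's own configuration) using the `netsh firewall` commands available on Windows Server 2003. The administrators' source address 203.0.113.10 and the SSH port 22 are assumptions; 3389 for RDP and 5901 for VNC are the defaults named in the thread.

```batch
@echo off
rem Added example: host-based Windows Firewall policy for a single Server 2003
rem web server, following the advice in the thread. Run from a cmd prompt as
rem an administrator. 203.0.113.10 is a placeholder for the admins' address.

rem Turn the firewall on and keep the exceptions list active (inbound is
rem default-deny; only listed exceptions are reachable).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Public services: HTTP and HTTPS reachable from anywhere.
netsh firewall add portopening protocol=TCP port=80  name="HTTP"  mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL

rem Administrative services: RDP (3389) and Cygwin sshd (22, assumed),
rem restricted to the admins' address. VNC (5901) and FTP get no exception
rem at all, since RDP and SSH/WebDAV replace them.
netsh firewall add portopening protocol=TCP port=3389 name="RDP" mode=ENABLE scope=CUSTOM addresses=203.0.113.10
netsh firewall add portopening protocol=TCP port=22   name="SSH (Cygwin OpenSSH)" mode=ENABLE scope=CUSTOM addresses=203.0.113.10

rem No exception for SQL Server: the database is only used by the web
rem application on the same host, so it stays unreachable from outside.

rem ICMP: inbound echo request (8) plus the outbound error types from the
rem reply: destination unreachable (3), source quench (4), time exceeded (11),
rem parameter problem (12).
netsh firewall set icmpsetting type=8  mode=ENABLE
netsh firewall set icmpsetting type=3  mode=ENABLE
netsh firewall set icmpsetting type=4  mode=ENABLE
netsh firewall set icmpsetting type=11 mode=ENABLE
netsh firewall set icmpsetting type=12 mode=ENABLE

rem Outbound traffic (DNS lookups, outgoing mail) needs no rules here: the
rem Server 2003 Windows Firewall filters inbound connections only.

rem Review the resulting configuration.
netsh firewall show config
```

`netsh firewall show state` afterwards lists which exceptions are actually open, which is the quickest check that nothing beyond HTTP(S), RDP and SSH is listening to the outside.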