Firewall/DMZ question

dynamik (Banned, Posts: 12,312)
Hey Everyone,

We currently have two Windows 2003 domain controllers. One of them also hosts a web application and ftp server and is available on the internet via NAT/port forwarding. I know this is not ideal from a security standpoint, but we're a small business with somewhat limited resources.

Anyway, I've been approved to purchase an Astaro Security Gateway 120 and another server, and I was wondering what your thoughts were on the correct way to set this up. The problem is that for various reasons, I need to make this a member server, not a stand-alone server. I also have several public IPs available if needed.

I'm essentially wondering: how do I configure this in a secure manner that does not isolate the server from Active Directory?

I'm curious to hear what your thoughts are. Thanks.

Comments

  • sprkymrk (Member, Posts: 4,884)
    The Astaro Security Gateway 120 is a solid product, and it has 3 Eth ports so you could configure an Internal, External and DMZ. Put the new server in the DMZ and place your web application and ftp server on it if possible. At least you will then have some semblance of security zones created. There is still the chance of compromise due to the necessary access between Internal and DMZ zones, but it will be less than what you currently have allowed in directly from the Internet.
    All things are possible, only believe.
  • JDMurray (Admin, Posts: 13,089)
    sprkymrk wrote:
    The Astaro Security Gateway 120 is a solid product
    Mark, you've been listening to Leo Laporte's Security Now! podcasts, haven't you? ;)
  • dynamik (Banned, Posts: 12,312)
    Alright, great. That's what I was planning on doing. I know it's not totally locked down, but if I only allow http and ftp from the outside and then only let the AD traffic reach the DCs, I feel that's more than secure enough for our needs. It's just nice to get a second opinion from someone more experienced. Thanks a lot.

    I actually learned of the ASG products from the Security Now! podcast. I've been listening to 2-3 a day and I'm still 20 or so back :)
  • sprkymrk (Member, Posts: 4,884)
    dynamik wrote:
    , but if I only allow http and ftp from the outside and then only let the AD traffic reach the DCs, I feel that's more than secure enough for our needs.

    Seriously, use IPSec to allow the AD traffic from your server in the DMZ to the DC. Otherwise you still need to open 1024-65535 just for RPC traffic. You could also create a limited RPC policy by editing the registry on your DCs, but still your best bet is IPSec.

    Active Directory Replication over Firewalls
    All things are possible, only believe.
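To make the trade-off in the reply above concrete, here is an added example (not from the thread, and not Astaro's rule syntax) that audits a constructed DMZ-to-Internal rule list: one set opens the full dynamic RPC range the way a plain member-server setup needs, the other carries the AD traffic inside IPsec (ESP plus IKE on udp/500), so the firewall exposes no raw TCP ports at all. The `Rule` model, zone names and both rule sets are assumptions made for the illustration.

```python
"""Audit DMZ -> Internal firewall rules for AD/RPC exposure (added example)."""
from dataclasses import dataclass

RPC_DYNAMIC = (1024, 65535)  # Windows 2003 default dynamic RPC port range


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str        # "tcp", "udp", "esp" or "ah"; hypothetical vocabulary
    lo: int = 0       # port range; 0-0 for port-less protocols such as ESP
    hi: int = 0


def open_tcp_ports(rules, src="dmz", dst="internal"):
    """Count the distinct TCP ports reachable from src zone to dst zone."""
    ports = set()
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.proto == "tcp":
            ports.update(range(r.lo, r.hi + 1))
    return len(ports)


def audit(rules, src="dmz", dst="internal"):
    """Return findings: wide-open RPC range, pinned RPC range, or IPsec-only."""
    findings = []
    ipsec = any(r.src_zone == src and r.dst_zone == dst and r.proto in ("esp", "ah")
                for r in rules)
    for r in rules:
        if r.src_zone != src or r.dst_zone != dst or r.proto != "tcp":
            continue
        if r.lo <= RPC_DYNAMIC[0] and r.hi >= RPC_DYNAMIC[1]:
            findings.append("full dynamic RPC range open; prefer IPsec (ESP + IKE udp/500)")
        elif r.lo >= RPC_DYNAMIC[0]:  # narrowed range, i.e. RPC pinned via DC registry
            findings.append(f"restricted RPC range {r.lo}-{r.hi}; acceptable fallback")
    if ipsec and open_tcp_ports(rules, src, dst) == 0:
        findings.append("AD traffic carried inside IPsec only; no raw TCP exposure")
    return findings


# Constructed rule sets: both admit only http/ftp from the Internet into the DMZ.
INTERNET_EDGE = [Rule("internet", "dmz", "tcp", 80, 80), Rule("internet", "dmz", "tcp", 21, 21)]
WITHOUT_IPSEC = INTERNET_EDGE + [
    Rule("dmz", "internal", "udp", 53, 53), Rule("dmz", "internal", "tcp", 88, 88),
    Rule("dmz", "internal", "tcp", 135, 135), Rule("dmz", "internal", "tcp", 389, 389),
    Rule("dmz", "internal", "tcp", 445, 445), Rule("dmz", "internal", "tcp", 1024, 65535),
]
WITH_IPSEC = INTERNET_EDGE + [Rule("dmz", "internal", "udp", 500, 500), Rule("dmz", "internal", "esp")]
```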
  • dynamik (Banned, Posts: 12,312)
    Great advice. Thanks a lot :D
  • keatron (Member, Posts: 1,213)
    sprkymrk wrote:
    dynamik wrote:
    , but if I only allow http and ftp from the outside and then only let the AD traffic reach the DCs, I feel that's more than secure enough for our needs.

    Seriously, use IPSec to allow the AD traffic from your server in the DMZ to the DC. Otherwise you still need to open 1024-65535 just for RPC traffic. You could also create a limited RPC policy by editing the registry on your DCs, but still your best bet is IPSec.

    Active Directory Replication over Firewalls

    Right on.
  • sprkymrk (Member, Posts: 4,884)
    JDMurray wrote:
    sprkymrk wrote:
    The Astaro Security Gateway 120 is a solid product
    Mark, you've been listening to Leo Laporte's Security Now! podcasts, haven't you? ;)

    No, but now that I know where they are.... :)
    All things are possible, only believe.