Firewall/DMZ question

dynamik

Hey Everyone,

We currently have two Windows 2003 domain controllers. One of them also hosts a web application and ftp server and is available on the internet via NAT/port forwarding. I know this is not ideal from a security standpoint, but we're a small business with somewhat limited resources.

Anyway, I've been approved to purchase an Astaro Security Gateway 120 and another server, and I was wondering what your thoughts were on the correct way to set this up. The problem is that for various reasons, I need to make this a member server, not a stand-alone server. I also have several public IPs available if needed.

I'm essentially wondering: how do I configure this in a secure manner that does not isolate the server from Active Directory?

I'm curious to hear what your thoughts are. Thanks.

sprkymrk

The Astaro Security Gateway 120 is a solid product, and it has 3 Eth ports so you could configure an Internal, Exernal and DMZ. Put the new server in the DMZ and place your web application and ftp server on it if possible. At least you will then have some semblence of security zones created. There is still the chance of compromise due to the necessary access between Internal and DMZ zones, but it will be less than what you currently have allowed in directly from the Internet.

JDMurray

sprkymrk wrote:

The Astaro Security Gateway 120 is a solid product

Mark, you've been listening to Leo Laporte's Security Now! podcasts, haven't you?

dynamik

Alright, great. That's what I was planning on doing. I know it's not totally locked down, but if I only allow http and ftp from the outside and then only let the AD traffic reach the DCs, I feel that's more than secure enough for our needs. It's just nice to get a second opinion from someone more experienced. Thanks a lot.

I actually learned of the the ASG products from the Security Now! podcast. I've been listening to 2-3 a day and I'm still 20 or so back

sprkymrk

dynamik wrote:

, but if I only allow http and ftp from the outside and then only let the AD traffic reach the DCs, I feel that's more than secure enough for our needs.

Seriously, use IPSec to allow the AD traffic from your server in the DMZ to the DC. Otherwise you still need to open 1024-65535 just for RPC traffic. You could also create a limited RPC policy by editing the registry on your DC's, but still your best bet is IPSec.

Active Directory Replication over Firewalls

dynamik

Great advice. Thanks a lot

keatron

sprkymrk wrote:

dynamik wrote:

, but if I only allow http and ftp from the outside and then only let the AD traffic reach the DCs, I feel that's more than secure enough for our needs.

Seriously, use IPSec to allow the AD traffic from your server in the DMZ to the DC. Otherwise you still need to open 1024-65535 just for RPC traffic. You could also create a limited RPC policy by editing the registry on your DC's, but still your best bet is IPSec.

Active Directory Replication over Firewalls

Right on.

sprkymrk

JDMurray wrote:

sprkymrk wrote:

The Astaro Security Gateway 120 is a solid product

Mark, you've been listening to Leo Laporte's Security Now! podcasts, haven't you?

No, but now that I know where they are....