how secure is my ip setup for internet connection

Jamie Gilmour - 31 Jul 2003 14:48 GMT
currently I have the following setup in place:

sbserver with 1 internal nic and 1 external nic.

netgear dg814 ADSL router connected to server only via
external nic.

internal ip range: 192.168.16.xx
server: 192.168.16.2
external nic: static internet ip xxx.xxx.xxx.70(assigned
by isp)
router: static internet ip xxx.xxx.xxx.69(assigned by isp)

Under the internet connection wizard I have allowed isa
packet filtering allowing access to:
mail server
web server
web based mail server
pop3
ftp

SB server box is only server in office and is the file and
mail server and therefore contains all critical
information for business.

everything is working well including internet sharing via
proxy server and outlook web access, but I am concerned
that the server is open to internet security threats.  I
have only the standard ISA filters in place that the
internet connection wizard sets up by default.  Any advice
as to the security of this setup would be greatly
appreciated.

Thank you
Keith - 31 Jul 2003 15:10 GMT
I'm pretty sure others will jump in quickly here, but you
have some serious security issues here, because:
1. You are running a web server, e.g. you have port 80 wide
open, hope you are fully patched etc.
2. You are also running an FTP server, this has some very
serious implications, I would think it won't be too long
before you see some idiot dumping files (probably porn)
onto your server.

I STRONGLY suggest you re-run the ICW and close the web
server, FTP, and Web based mail server down, unless you
really need them.

IMHO I would think most people on this newsgroup would say
don't host a web server on an SBS box, even though you
can.

Keith

>-----Original Message-----
>currently I have the following setup in place:
[quoted text clipped - 33 lines]
>
>.
Jamie - 31 Jul 2003 16:01 GMT
Thanks for the advice. I have re-run ICW and closed FTP
but I would like to retain Outlook Web Access over the
internet.  So I was wondering what I need to leave open to
allow this and whether this can be done securely.

Thank you very much for your assistance.

Jamie

>-----Original Message-----
>I'm pretty sure others will jump in quickly here, but you
[quoted text clipped - 57 lines]
>>
>.
Les Connor [SBS MVP] - 31 Jul 2003 16:20 GMT
Hi Jamie,

You're kind of *wasting* the public IP on your external nic. It will work
OK, but you could use a private (non-routable) ip address instead.
Additionally, if you set up OWA via SSL, or enable your SBS for VPN
connections you will be able to close port 80.

Configuring VPN is not a bad option at this point, as you'll be able to
access pretty well whatever you want on the lan through the vpn tunnel. One
of the drawbacks to VPN is that the client computer must be trusted.

Information on these configurations (and much more) can be found at
http://www.smallbizserver.net

--
Les Connor
------------------
[SBS MVP]

> Thanks for the advice. I have re-run ICW and closed FTP
> but I would like to retain Outlook Web Access over the
[quoted text clipped - 69 lines]
> >>
> >.
Javier Gomez - 31 Jul 2003 16:25 GMT
I agree with Keith...

You can run OWA using VPN (best way) or using SSL (not as secure... but
better than IIS in port 80).

For OWA through SSL read Chad's excellent tutorial at:
http://www.smallbizserver.net/sbs2000/How_do_I_configure_OWA_with_SSL.aspx

For VPN access you can read:
http://www.smallbizserver.net/sbs2000/How_do_I_connect_clients_to_the_server_using_VPN.aspx


By the way... you should close all those packet filters that you left
(unless you are really using them). And remember that since you have another
firewall in front of ISA... you need to configure this one as well when you
are opening/closing ports.

My $0.02,

Javier

> Thanks for the advice. I have re-run ICW and closed FTP
> but I would like to retain Outlook Web Access over the
[quoted text clipped - 69 lines]
> >>
> >.
Les Connor [SBS MVP] - 31 Jul 2003 17:07 GMT
Actually, a good case has been made for OWA over SSL, versus <everything>
over VPN.

When you expose OWA over SSL, then only OWA is exposed. When you allow VPN
connections, by default you put the client on the lan and if the client box
is infected then that could spell disaster.

--
Les Connor
------------------
[SBS MVP]

> I agree with Keith...
>
[quoted text clipped - 5 lines]
>
> For VPN access you can read:

http://www.smallbizserver.net/sbs2000/How_do_I_connect_clients_to_the_server_using_VPN.aspx

> By the way... you should close all those packet filters that you left
> (unless you are really using them). And remember that since you have another
[quoted text clipped - 78 lines]
> > >>
> > >.
Javier Gomez - 31 Jul 2003 17:34 GMT
Les,

Was that discussion on the SBS2003 NG? I'm asking because if there's another
one (apart from that)... I would like to see it. Do you have a link for
other similar discussions?

My concern is something like a worm attacking IIS on port 80/443... where you
can have a vulnerability that allows elevation of privileges vs. the same
thing happening on a VPN port. What are your thoughts on this?

I mean... one usually uses a VPN link between a "trusted/safe" computer (such
as a home computer) and the server.

Thanks,

Javier

> Actually, a good case has been made for OWA over SSL, versus <everything>
> over VPN.
[quoted text clipped - 14 lines]
> >
> > For OWA through SSL read Chad's excellent tutorial at:

http://www.smallbizserver.net/sbs2000/How_do_I_configure_OWA_with_SSL.aspx

> > For VPN access you can read:

http://www.smallbizserver.net/sbs2000/How_do_I_connect_clients_to_the_server_using_VPN.aspx
> >
[quoted text clipped - 82 lines]
> > > >>
> > > >.
Les Connor [SBS MVP] - 31 Jul 2003 18:23 GMT
Javier,

That discussion is the one that caught my attention.

VPN from trusted client computers is fine. The problems are:

a) how do we *know* we can trust the client computer? A mistake here could
spell disaster. Client computers on the lan are not difficult to keep an eye
on, but once they're remote then our level of trust obviously has to go
down. Sure, the owner *says* he's got A/V software, and it's up to date,
yada yada yada. But how does one know? And, conditions could change at any
time.

b) one of the most desirable features is the ability to access your exchange
from any computer, trusted or not. Kiosk for example. Your sister's computer
(while you visit her in another city/country etc.) is another example.

You may not have permission to create a VPN connection, and even if you did,
you may not want to. The way OWA/SSL is implemented in SBS2k3 looks like a
really good solution. So easy to configure and use. Public vs. Trusted
modes. Access to *only* OWA.

If you travel with your laptop, it's yours to keep secure. I don't see a
problem with VPN here - hey we know where the blame lies if there ever is a
problem.

With SBS2k3 there is just so much more that can be done, easily - and
securely. <a lot of this can be done in SBS2k as well, but requires
substantial manual configuration>.

VPN is an option for trusted computers, and a good one. But it's not a
requirement, and isn't really an option for public or untrusted computers -
and so far I think OWA/SSL is.

I'm also putting a good measure of faith in recent MS initiatives, and more
importantly the SBS development team. Their initiatives are not small in
this area.

--
Les Connor
------------------
[SBS MVP]

> Les,
>
[quoted text clipped - 36 lines]
> > >
> > > For VPN access you can read:

http://www.smallbizserver.net/sbs2000/How_do_I_connect_clients_to_the_server_using_VPN.aspx
> > >
[quoted text clipped - 82 lines]
> > > > >>
> > > > >.
 