firewall settings
on 07.06.2007 15:17:06 by bobby
We have a server in a hosting centre where we are developing a portal. In
the current setup we are using Remote Desktop/VNC to access the server to
work on it. Furthermore we are using FTP to upload new releases on the
server.
This portal is a place where people can create their profile and connect to
other people with similar interests. All mails sent are outgoing and we
don't receive emails on this server.
Now the question is when we go live we want to have a firewall setup. Which
ports should be open (obviously port 80) to still be able to access the
server with Remote Desktop/VNC and FTP? What about all the outgoing traffic
from the server (what about DNS)? Do we need to open any ports for that?
Bobby
Re: firewall settings
on 07.06.2007 15:52:32 by Jens Hoffmann
> Now the question is when we go live we want to have a firewall setup. Which
> ports should be open (obviously port 80) to still be able to access the
> server with remote desktop/VNC and ftp? what about all the outgoing traffic
> from the server (what about DNS) do we need to open any ports for that.
Your questions suggest you seek someone who can answer the questions
and pay him. Make sure he is around when he can't fulfill his promises.
Cheers,
Jens
Re: firewall settings
on 07.06.2007 16:21:32 by Ansgar -59cobalt- Wiechers
Bobby wrote:
> we have a server in a hosting centre where we are developing a portal.
Operating System? Do you have a network segment of your own or just that
one server?
> In the current setup we are using Remote desktop/VNC to access the
> server to work on it.
RDP or VNC? Having both is pointless.
> Furthermore we are using FTP to upload new releases on the server.
Do you need anonymous FTP? If not: SSH or WebDAV are a lot less painful
when it comes to traversing firewalls.
> This portal is a place where people can create their profile and
> connect to other people with similar interests. all mails sent are
> outgoing and we don't receive emails on this server.
Which services do you want that server to provide? Who will access them?
From where?
> Now the question is when we go live we want to have a firewall setup.
What kind of firewall setup? Host-based? Separate device on the boundary
of your network segment? Who will be maintaining the firewall? From
where?
> Which ports should be open (obviously port 80) to still be able to
> access the server with remote desktop/VNC and ftp?
Why is port 80 obvious? The default ports for RDP and VNC are 3389/tcp
and 5901/tcp respectively. As for FTP: it depends on whether you use
active or passive mode. And as said before: you may want to use
something less painful instead.
> what about all the outgoing traffic from the server (what about DNS)
> do we need to open any ports for that.
Why would you want to filter outgoing traffic in the first place? What
threats do you see that would require this?
Please provide more information.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
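Ansgar says twice in this thread that the FTP rules depend on active versus passive mode and otherwise leaves the details to a search engine. The following is an added example, not code from the thread or any of its participants, that shows the difference where a firewall administrator feels it: the control connection on 21/tcp looks the same in both modes, but the data connection is opened by the server in active mode (after the client's PORT command) and by the client in passive mode (after the server's 227 reply). The parsers decode the six-field host-port string both messages use, and `data_channel` reports who connects to whom and which side needs an inbound exception. The IP addresses, ports and control lines are constructed sample values.

```python
# Added example, not part of the thread: what "active" and "passive" FTP mean
# for a firewall in front of the server. The control connection (21/tcp) is the
# same in both modes; they differ in who opens the data connection.
#   active : client sends "PORT h1,h2,h3,h4,p1,p2"        -> server connects out
#   passive: server sends "227 ... (h1,h2,h3,h4,p1,p2)"   -> client connects in
# Addresses and ports below are constructed sample values.
import re

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode_hostport(groups):
    """Turn the six decimal fields of PORT/227 into (ip, port), validating ranges."""
    octets = [int(g) for g in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("field out of range in FTP host-port string")
    port = p1 * 256 + p2          # the port is sent as two bytes, high byte first
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ".".join(map(str, octets)), port


def parse_port_command(line):
    """Parse the client's PORT command (active mode)."""
    m = re.fullmatch(r"PORT\s+" + _HOSTPORT + r"\s*", line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.groups())


def parse_pasv_reply(line):
    """Parse the server's 227 reply to PASV (passive mode)."""
    m = re.fullmatch(r"227\s.*?\(" + _HOSTPORT + r"\).*", line.rstrip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode_hostport(m.groups())


def data_channel(mode, client_ip, server_ip, control_line):
    """Describe the data connection implied by one control line and the firewall
    exception each side needs. 'warnings' lists mismatches a defender should
    check before writing the rule."""
    warnings = []
    if mode == "active":
        ip, port = parse_port_command(control_line)
        if ip != client_ip:
            # A well-behaved server refuses a PORT address that is not the
            # control peer; log it rather than connect to a third party.
            warnings.append(f"PORT address {ip} differs from control peer {client_ip}")
        return {
            "initiator": "server",
            "connection": (server_ip, 20, ip, port),   # (src ip, src port, dst ip, dst port)
            "server_firewall": "outbound from 20/tcp only; no new inbound exception",
            "client_firewall": f"must accept inbound {port}/tcp from {server_ip}",
            "warnings": warnings,
        }
    if mode == "passive":
        ip, port = parse_pasv_reply(control_line)
        if ip != server_ip:
            # Typical when the server sits behind NAT and advertises its private
            # address: the client cannot reach it and the transfer hangs.
            warnings.append(f"227 reply advertises {ip}, control peer is {server_ip}")
        return {
            "initiator": "client",
            "connection": (client_ip, None, ip, port),  # client picks its own source port
            "server_firewall": f"must accept inbound {port}/tcp; pin the server's "
                               f"passive port range and open only that range",
            "client_firewall": "outbound only",
            "warnings": warnings,
        }
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample exchange: client 192.0.2.10 talking to server 198.51.100.7.
    for mode, line in (("active", "PORT 192,0,2,10,4,1"),
                       ("passive", "227 Entering Passive Mode (198,51,100,7,195,80)")):
        d = data_channel(mode, "192.0.2.10", "198.51.100.7", line)
        print(mode, d["initiator"], d["connection"], d["server_firewall"])
```

For a server behind a host firewall, passive mode is the one that costs inbound exceptions: the data port in the 227 reply must be reachable, so the FTP daemon should be pinned to a fixed passive range and only that range opened. Active mode needs no inbound exception on the server but breaks for clients behind their own NAT, which is the usual reason browsers default to passive.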
Re: firewall settings
on 07.06.2007 22:13:09 by RedForeman
On Jun 7, 9:17 am, "Bobby" wrote:
> we have a server in a hosting centre where we are developing a portal. In
> the current setup we are using Remote desktop/VNC to access the server to
> work on it. Furthermore we are using FTP to upload new releases on the
> server.
> This portal is a place where people can create their profile and connect to
> other people with similar interests. all mails sent are outgoing and we
> don't receive emails on this server.
>
> Now the question is when we go live we want to have a firewall setup. Which
> ports should be open (obviously port 80) to still be able to access the
> server with remote desktop/VNC and ftp? what about all the outgoing traffic
> from the server (what about DNS) do we need to open any ports for that.
>
> Bobby
In my opinion, a firewall is a necessity when working with an 'open'
portal. A firewall can deny access to anyone who doesn't meet
certain criteria.
I've been in a Windows environment where everything, EVERYTHING went
thru port 80 and that was the only port open. We used ISA Server to
publish services thru the web browser, which may be how sharepoint
works, that I'm not sure about. In that scenario, the firewall
forwards ONLY port 80 requests. And based on the services it is using,
a rule is handling what it does and where it goes. Ideally a hardware
firewall at the perimeter is set to listen for services asking to be
forwarded to your portal. They are then passed along to the ISA
Server, which takes over from there and points each connection to the
(hopefully) correct server.
This wasn't out of a book, it was from memory, which may be full of
holes, left and right.... Which one, my memory or my statement?
Yep....
RedForeman
Re: firewall settings
on 07.06.2007 22:39:37 by bobby
"Ansgar -59cobalt- Wiechers" wrote in message
news:5cqijcF31s7fqU1@mid.individual.net...
> Bobby wrote:
>> we have a server in a hosting centre where we are developing a portal.
>
> Operating System? Do you have a network segment of your own or just that
> one server?
>
>> In the current setup we are using Remote desktop/VNC to access the
>> server to work on it.
>
> RDP or VNC? Having both is pointless.
>
>> Furthermore we are using FTP to upload new releases on the server.
>
> Do you need anonymous FTP? If not: SSH or WebDAV are a lot less painful
> when it comes to traversing firewalls.
>
>> This portal is a place where people can create their profile and
>> connect to other people with similar interests. all mails sent are
>> outgoing and we don't receive emails on this server.
>
> Which services do you want that server to provide? Who will access them?
> From where?
>
>> Now the question is when we go live we want to have a firewall setup.
>
> What kind of firewall setup? Host-based? Separate device on the boundary
> of your network segment? Who will be maintaining the firewall? From
> where?
>
>> Which ports should be open (obviously port 80) to still be able to
>> access the server with remote desktop/VNC and ftp?
>
> Why is port 80 obvious? The default ports for RDP and VNC are 3389/tcp
> and 5901/tcp respectively. As for FTP: it depends on whether you use
> active or passive mode. And as said before: you may want to use
> something less painful instead.
>
>> what about all the outgoing traffic from the server (what about DNS)
>> do we need to open any ports for that.
>
> Why would you want to filter outgoing traffic in the first place? What
> threats do you see that would require this?
>
> Please provide more information.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich
Hi, the OS is Win Server 2003, database is SQL Server 2005 - we are using VNC
'cause we only have 2 concurrent users for RDP.
What do you mean when you ask if we need anonymous FTP? Can you suggest any
SSH or WebDAV solutions - what are the pros and cons?
The services we provide are for all users on the WWW - we don't restrict
anyone. You can compare our service with MySpace (minus all the multimedia).
I am not sure what sort of firewall setup we need as long as it's good and it
protects our server. We only have the server; there isn't any network
attached to it.
What do you mean by active or passive mode for FTP?
We don't have any wish to scan or filter outgoing services, I was just in
doubt about whether we needed to open the DNS port!
When users interact they receive an email sent from the server. We don't
have any incoming emails to the server. I hope this provides you with better
information in order to give me better feedback.
Thanks a lot.
Regards
Bobby
Re: firewall settings
on 08.06.2007 13:58:17 by Ansgar -59cobalt- Wiechers
Bobby wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> Bobby wrote:
>>> we have a server in a hosting centre where we are developing a portal.
>>
>> Operating System? Do you have a network segment of your own or just that
>> one server?
>>
>>> In the current setup we are using Remote desktop/VNC to access the
>>> server to work on it.
>>
>> RDP or VNC? Having both is pointless.
>>
>>> Furthermore we are using FTP to upload new releases on the server.
>>
>> Do you need anonymous FTP? If not: SSH or WebDAV are a lot less painful
>> when it comes to traversing firewalls.
>>
>>> This portal is a place where people can create their profile and
>>> connect to other people with similar interests. all mails sent are
>>> outgoing and we don't receive emails on this server.
>>
>> Which services do you want that server to provide? Who will access them?
>> From where?
>>
>>> Now the question is when we go live we want to have a firewall setup.
>>
>> What kind of firewall setup? Host-based? Separate device on the boundary
>> of your network segment? Who will be maintaining the firewall? From
>> where?
>>
>>> Which ports should be open (obviously port 80) to still be able to
>>> access the server with remote desktop/VNC and ftp?
>>
>> Why is port 80 obvious? The default ports for RDP and VNC are 3389/tcp
>> and 5901/tcp respectively. As for FTP: it depends on whether you use
>> active or passive mode. And as said before: you may want to use
>> something less painful instead.
>>
>>> what about all the outgoing traffic from the server (what about DNS)
>>> do we need to open any ports for that.
>>
>> Why would you want to filter outgoing traffic in the first place? What
>> threats do you see that would require this?
>>
>> Please provide more information.
>
> Hi, the Os is Win server 2003, database is SQLserver2005 -
Do you need the database to be accessible from the outside?
> We are using VNC cause we only 2 concurrent users for RDP.
Two concurrent users is sufficient for the administration of the server.
Why do you need more?
> What do you mean when you ask if we need anonymous FTP?
Do you need anyone to be able to access the FTP server, or just selected
users? In case of the latter I'd suggest switching to SSH or WebDAV.
> can you suggest any SSH or WebDAV solutions - what's the pros and
> cons?
IIS supports WebDAV, for SSH I'd suggest Cygwin's OpenSSH daemon. SSH is
encrypted by default, for encrypted WebDAV you need SSL.
> The services we provide are for all users on the www - we don't
> restrict anyone. you can compare our service with myspace (minus all
> the multimedia) I am not sure what sort of firewall setup we need as
> long as its good and it protects our server. We only have the server,
> there is not any network attached to it.
In that case enabling the Windows Firewall on your server should
suffice. Enable (only!) the exceptions you need for inbound traffic
(e.g. the ports for HTTP(s), RDP, SSH, ...). For ICMP allow inbound echo
request and outbound destination unreachable, source quench, parameter
problem and time exceeded.
> What do you mean with active or passive mode for ftp?
FTP knows two modes: active and passive, which differ in how the data
channel is established. Use your preferred search engine for details.
> we don't have any wish to scan or filter outgoing services, I was just
> in doubt about whether we needed to open the DNS port!
Unless you want to run a DNS server you don't.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
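Ansgar's recommendation for a single Windows Server 2003 host is the Windows Firewall with only the inbound exceptions the server actually needs, plus inbound ICMP echo request and the outbound ICMP error types. The following is an added example, not code from the thread or from Microsoft, that models that advice: it turns a declared exception list into the matching `netsh firewall` commands and audits a candidate list against the "only what you need" rule (a database port offered to the Internet, an admin port reachable from any address, a leftover development service). The `netsh firewall` syntax is the Windows XP SP2 / Server 2003 SP1 firewall context as I know it and should be checked with `netsh firewall add portopening ?` on the box before use; the port numbers are the standard defaults for HTTP, HTTPS, RDP, SSH, VNC and SQL Server; the admin address range `203.0.113.0/255.255.255.0` is a constructed placeholder.

```python
# Added example, not from the thread: a small model of the Windows Firewall
# exception set recommended above for a lone Windows Server 2003 host, with an
# "enable only what you need" audit. The "netsh firewall" syntax emitted is the
# XP SP2 / Server 2003 SP1 firewall context as recalled here (assumption: verify
# with "netsh firewall add portopening ?" on the server). Port numbers are the
# standard service defaults; the admin address range is a constructed placeholder.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ICMP types accepted by "netsh firewall set icmpsetting type=N". The firewall
# fixes the direction per type, which matches the split recommended in the
# thread: inbound echo request, outbound error messages.
ICMP_TYPES = {
    3:  ("outbound", "destination unreachable"),
    4:  ("outbound", "source quench"),
    8:  ("inbound",  "echo request"),
    11: ("outbound", "time exceeded"),
    12: ("outbound", "parameter problem"),
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5901: "VNC"}   # administrators only
INTERNAL_ONLY_PORTS = {1433: "SQL Server"}            # never from the Internet
ADMIN_NET = "203.0.113.0/255.255.255.0"               # constructed placeholder


@dataclass(frozen=True)
class PortException:
    port: int
    proto: str                        # "TCP" or "UDP"
    name: str
    scope: str = "ALL"                # "ALL", "SUBNET" or "CUSTOM"
    addresses: Optional[str] = None   # required when scope == "CUSTOM"


def netsh_commands(exceptions: Iterable[PortException],
                   icmp_types: Iterable[int] = tuple(ICMP_TYPES)) -> List[str]:
    """Emit the netsh commands that enable the firewall with exactly these exceptions."""
    cmds = ["netsh firewall set opmode mode=ENABLE exceptions=ENABLE"]
    for e in exceptions:
        cmd = (f"netsh firewall add portopening protocol={e.proto} port={e.port} "
               f'name="{e.name}" mode=ENABLE scope={e.scope}')
        if e.scope == "CUSTOM":
            if not e.addresses:
                raise ValueError(f"{e.name}: CUSTOM scope needs an address list")
            cmd += f" addresses={e.addresses}"
        cmds.append(cmd)
    for t in icmp_types:
        cmds.append(f"netsh firewall set icmpsetting type={t} mode=ENABLE")
    return cmds


def audit(exceptions: Iterable[PortException], required_ports: Iterable[int]) -> List[str]:
    """Return one finding per violation of 'enable only what you need'."""
    required = set(required_ports)
    findings = []
    for e in exceptions:
        tag = f"{e.port}/{e.proto} ({e.name})"
        if e.port in INTERNAL_ONLY_PORTS:
            findings.append(f"{tag}: must not be an inbound exception at all")
        elif e.port not in required:
            findings.append(f"{tag}: open but not in the required set")
        if e.port in ADMIN_PORTS and e.scope == "ALL":
            findings.append(f"{tag}: admin service reachable from any address; use scope=CUSTOM")
    return findings


REQUIRED_PORTS = (80, 443, 3389, 22)

# A first attempt as it often looks (constructed): everything from development
# left open, database included, admin access from anywhere.
PROPOSED = [
    PortException(80, "TCP", "HTTP"),
    PortException(443, "TCP", "HTTPS"),
    PortException(3389, "TCP", "RDP"),
    PortException(1433, "TCP", "SQL Server"),
    PortException(21, "TCP", "FTP"),
]

# The same host after applying the advice in the thread: web ports public,
# RDP and SSH restricted to the admin range, FTP and the database not exposed.
HARDENED = [
    PortException(80, "TCP", "HTTP"),
    PortException(443, "TCP", "HTTPS"),
    PortException(3389, "TCP", "RDP", "CUSTOM", ADMIN_NET),
    PortException(22, "TCP", "SSH", "CUSTOM", ADMIN_NET),
]

if __name__ == "__main__":
    for f in audit(PROPOSED, REQUIRED_PORTS):
        print("finding:", f)
    print("\n".join(netsh_commands(HARDENED)))
```

Outgoing traffic, including the server's DNS lookups and the mail it sends, is not touched by this configuration; the Windows Firewall of that era filters inbound connections only, which is why no DNS exception is needed unless the host itself runs a DNS server.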