Internet security
#1
Scooby Regular
Thread Starter
Join Date: Sep 1999
Location: Bedfordshire
Posts: 4,037
Ok guys,
being a bit of a networking 'numptie' I need to achieve the following and need the best way of doing it. Currently we have a LAN box which is connected to a wireless router with broadband; it's used for net access and as a file and print server.
Now we have just got a nice new server from Dell which needs to sit on the LAN so we can access it primarily for SQL Server, but I don't want this machine visible at all to the outside world, just internally. All the workstations just get their IP dynamically. What do I need to do?
cheers guys
Gary
#4
It's all gonna depend on how far you wanna go with the security.
I could give you a small list or a list that would fill a few pages of A4.
How secure does this server need to be?
If it's important, it's best to get some pros in.
#5
guys,
it isn't actually on the network yet so doesn't have anything installed. It needs to be completely inaccessible from the outside world, just from the LAN.
cheers
Gary
#6
Gary
If you want your new SQL server completely inaccessible from the outside you will have to put it behind a firewall of some description. I am assuming that your existing workstations / servers are using private addresses and are being Port Address Translated or NAT'd at your ISP router?
Cheers
Adam
#7
Gary,
As far as making it completely inaccessible from the outside there is only 1 way to do it, don't put it on the LAN. However this is not an option.
The reason I'm saying this is many companies believe approaches like security through obscurity will be safe. It's generally one of the biggest fall downs.
There are different levels to your security. If your border security is breached and the server sits behind this, then that's gone too. As I said before, if the server is important, you can put extra layers of security in place, again varying greatly from clear text u/n & p/ws to new techniques like 'inline' (invisible on the network) firewalls and IDS, hardened routers and heavy encryption.
As I don't know what you want and how much you have to spend, I'll just recommend the lower end. If there are no network/security minded people at your company, just buy a good router/switch with built-in IDS and NAT. Some of the good ones will have a reversed DMZ whereby you can put the server on a different subnet and harden the path to it.
If you do have someone who fancies a crack at sticking something better up, I would recommend getting a good router (you can now pick up Cisco 26** routers for around £150 - 200, 25** can be had for about £50 on eBay).
I would also recommend getting a spare machine, putting a base install of Linux on with IPTables and Snort. Also a switch to split up the LAN, having the server on its own subnet.
Harden everything up. Disallow EVERYTHING, and then start to plan the network security with the routes needed and script it all.
FirewallBuilder for Linux is excellent for someone who is not familiar with scripting, but understands networks. There is much more you can do, but I'm guessing you're not gonna pursue this route, so I'll leave it there.
Have fun!
Gedi
#8
gedi,
thx for all your advice, I was thinking along the lines of being able to block everything bar a couple of IPs and even then on specific ports. I'm a bit worried because even though I run Sygate Personal Firewall and AVG (albeit free versions) I still somehow managed to get a variant of blaster/slammer, not sure which, on my workstation! This cannot happen on this box.
I may look medium term to move to Linux, which seems a good idea. I could port my SQL server to Interbase and my codebase could move as well; the number of security patches M$ has released in recent months is frightening.
happy xmas
Gary
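The "disallow everything, then script the routes needed" approach from post #7, combined with the "everything bar a couple of IPs on specific ports" allowlist from post #8, as an added example that is not from any poster in the thread. It assumes the spare Linux box forwards traffic between the workstation LAN and the server's subnet; the addresses and the function names `valid_ipv4` and `build_rules` are constructed for illustration, and TCP 1433 is SQL Server's default port.

```shell
#!/bin/sh
# Added example. Addresses are constructed placeholders, not from the thread.
SERVER_IP="192.168.2.10"                     # SQL server on its own subnet
SQL_PORT="1433"                              # SQL Server default TCP port
ALLOWED_CLIENTS="192.168.1.20 192.168.1.21"  # the "couple of IPs"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print an iptables-restore ruleset: INPUT and FORWARD drop by default, then
# each listed client may open new TCP connections to the server on one port.
# Input is validated first, so bad input prints no rules at all rather than
# a partial ruleset.
build_rules() {
    server=$1; port=$2; shift 2
    valid_ipv4 "$server" || { echo "bad server: $server" >&2; return 1; }
    case "$port" in ""|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 1; }
    for client in "$@"; do
        valid_ipv4 "$client" || { echo "bad client: $client" >&2; return 1; }
    done
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" \
        ":OUTPUT ACCEPT [0:0]" "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for client in "$@"; do
        printf '%s %s\n' \
            "-A FORWARD -s $client/32 -d $server/32 -p tcp --dport $port" \
            "-m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Emit the ruleset for the sample values; pipe into iptables-restore as root.
build_rules "$SERVER_IP" "$SQL_PORT" $ALLOWED_CLIENTS
```

Because INPUT is dropped as well, the firewall box itself accepts no new inbound connections; add an explicit rule for an admin host before loading this over a remote session.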