A few questions re:ipsec
Thread Starter
Scooby Regular
Joined: May 2002
Posts: 1,893
Likes: 0
A few questions re:ipsec
Hi guys n gals.
Just looking to secure a internet server and have done most stuff, but i want to be able to remote admin it, but securely.
So what are my options ?
1. Use Remote Assistance/etc. Is it secure ?
2. Use openSSh, handy for command line stuff
and 2 questions that im really interested in .Does IPSEC effectively do what the encrypt side of ssh does? If not what does it do?
Also securing the machine. Its a w2k machine and I don't know any free firewalls that are useful so someone mentioned RRAS as an elementary way of doing it. What does it do and what does itinvolve ?
Just looking to secure a internet server and have done most stuff, but i want to be able to remote admin it, but securely.
So what are my options ?
1. Use Remote Assistance/etc. Is it secure ?
2. Use openSSh, handy for command line stuff
and 2 questions that im really interested in .Does IPSEC effectively do what the encrypt side of ssh does? If not what does it do?
Also securing the machine. Its a w2k machine and I don't know any free firewalls that are useful so someone mentioned RRAS as an elementary way of doing it. What does it do and what does itinvolve ?
Scooby Regular
Joined: Feb 2004
Posts: 3,763
Likes: 0
From: High Wycombe
If you really MUST have a win2k box facing the WWW i've created a good (ish) - IPSEC configuration.
It blocks pretty much all incomming except for www and Terminal services client.
you can quikly switch on and off FTP access too (to allow passive connections from behind other firewalls)
Stick up your e-mail and i'll send you the file.
For a small fee I could toughen up other security aspects of your server for ya.
Given that I really DO NOT recommend having a commercial windows based webserver directly connected to the big bad www. As a minimum www traffic should be routed through a non-windows firewall.
It blocks pretty much all incomming except for www and Terminal services client.
you can quikly switch on and off FTP access too (to allow passive connections from behind other firewalls)
Stick up your e-mail and i'll send you the file.
For a small fee I could toughen up other security aspects of your server for ya.
Given that I really DO NOT recommend having a commercial windows based webserver directly connected to the big bad www. As a minimum www traffic should be routed through a non-windows firewall.
Thread Starter
Scooby Regular
Joined: May 2002
Posts: 1,893
Likes: 0
Originally Posted by BlkKnight
If you really MUST have a win2k box facing the WWW i've created a good (ish) - IPSEC configuration.
It blocks pretty much all incomming except for www and Terminal services client.
you can quikly switch on and off FTP access too (to allow passive connections from behind other firewalls)
Stick up your e-mail and i'll send you the file.
For a small fee I could toughen up other security aspects of your server for ya.
Given that I really DO NOT recommend having a commercial windows based webserver directly connected to the big bad www. As a minimum www traffic should be routed through a non-windows firewall.
It blocks pretty much all incomming except for www and Terminal services client.
you can quikly switch on and off FTP access too (to allow passive connections from behind other firewalls)
Stick up your e-mail and i'll send you the file.
For a small fee I could toughen up other security aspects of your server for ya.
Given that I really DO NOT recommend having a commercial windows based webserver directly connected to the big bad www. As a minimum www traffic should be routed through a non-windows firewall.
My email is stuart@novellguy.co.uk.
Ok explanation time. Basically, as puff knows im setting up a totally new internet concept. I want to keep costs down so I know Windows administration quite well, admin a 100 user site day to day. So I realise Unix/Linux would be a lot better but I can secure a W2K a lot more easily thank a linux machine because I dont know linux. Also the firewall is an issue because its sitting in a certain texas DC in a rack. I can only really afford the one machine at present.
I may take up the offer of the tightening but it is pretty secure but a bit of peer review never hurt anyone
Ill see how things go
Scooby Regular
Joined: Feb 2004
Posts: 3,763
Likes: 0
From: High Wycombe
sent - as i said in the e-mail make sure you have physical access to the box before running it. Ideally run it on a test box you can scrap if needbe
It's configured to allow incomming "terminal services client". VNC and other stuff like PC anwahere will not work.
It's configured to allow incomming "terminal services client". VNC and other stuff like PC anwahere will not work.
Thread
Thread Starter
Forum
Replies
Last Post