how to deal with this

rasczak (Lifer, joined Jan 29, 2005):
Customer has one server, one license, and an application that remote users will T/S into the server to access. The problem I am having is that the customer also wants this server to be a domain controller. Normally not an issue, but this machine will be connected to the internet. So, as most of you know, this is pretty much a security no-no. Here's the setup:

internet <-> router <-> application server/eventual DC

the router has 3389 forwarded to the application server so that remote users can T/S into the system. Not ideal, but this is how things were configured before, and I'm not that fluent in remote access just yet.

thoughts? please be as brutal as possible.

Thanks.
 

lxskllr (No Lifer, joined Nov 30, 2004):
Would their application work on Linux? You could virtualize a Linux server with the application, and keep Windows covered.

Edit:
nvm. I didn't really think that through :^/

I'll leave it up for taunts and jeers though :^D
 

Nothinman (Elite Member, joined Sep 14, 2001):
Pretty much every SBS server out there is set up similarly. As long as you're confident in the security of the server you should be fine. The router will also factor into this too; if it's some cheesy SOHO router it could be more of a security risk than the server.
 

rasczak (Lifer, joined Jan 29, 2005):
> Pretty much every SBS server out there is set up similarly. As long as you're confident in the security of the server you should be fine. The router will also factor into this too; if it's some cheesy SOHO router it could be more of a security risk than the server.

Yeah, that's just it. It's your typical Linksys 8-port router.
 

Phynaz (Lifer, joined Mar 13, 2006):
A business with nothing but a home router between them and the Internet? Wouldn't touch it in a million years.
 

Numenorean (Diamond Member, joined Oct 26, 2008):
They need a real router, and then it shouldn't be any problem to have a T/S setup on a DC. Real router, and keep Windows patched, and most likely you will be just fine.
 

Nothinman (Elite Member, joined Sep 14, 2001):
> They need a real router, and then it shouldn't be any problem to have a T/S setup on a DC. Real router, and keep Windows patched, and most likely you will be just fine.

Sadly most places aren't willing to shell out for something like an ASA.
 

Jeff7181 (Lifer, joined Aug 21, 2002):
> Sadly most places aren't willing to shell out for something like an ASA.

There are plenty of routers in between a $40 Linksys and an ASA. A Cisco 1800 series for example.

Explain to the customer that putting a domain controller on the Internet is a terrible idea, and it will cost money to do it right. If they insist on doing it cheaply, get them to sign a waiver releasing you of all responsibility, set it up for them and be on your way to new customers. If they won't sign it, be on your way. Maybe that'll make them think twice about how ridiculous what they're asking you to do is.
 

Nothinman (Elite Member, joined Sep 14, 2001):
> There are plenty of routers in between a $40 Linksys and an ASA. A Cisco 1800 series for example.
>
> Explain to the customer that putting a domain controller on the Internet is a terrible idea, and it will cost money to do it right. If they insist on doing it cheaply, get them to sign a waiver releasing you of all responsibility, set it up for them and be on your way to new customers. If they won't sign it, be on your way. Maybe that'll make them think twice about how ridiculous what they're asking you to do is.

But an 1800 series router isn't a firewall, it's a router.
 

rasczak (Lifer, joined Jan 29, 2005):
> A business with nothing but a home router between them and the Internet? Wouldn't touch it in a million years.

To be fair, it's a very small business, and he understands he is far behind the times tech-wise. I agree with the sentiment that the DC should be behind a firewall, so I will push for the client to get a firewall. Any suggestions? He's reasonable, so I am sure I can get it through to him if I have some reasonable options to choose from.

I have some experience setting up a juniper appliance

http://www.juniper.net/in/en/products-services/security/ssg-series/ssg5/

Are there any other suggestions you guys could make?
 

Jeff7181 (Lifer, joined Aug 21, 2002):
If cost is a concern, and it appears to be, I'd forget about the firewall and get a real router like the 1800 I suggested. A properly configured 1800 ISA router is going to be much more secure than a Linksys, and not as expensive as a dedicated firewall.

If you're still concerned about security, just have the 1800 log info about every connection that enters the LAN so you can review the logs, and even set up a script to search for specific entries that would indicate a security risk and fire off an email to whoever needs to know.

*EDIT* Oh, and despite the comment before that the 1800 is a router and not a firewall, it's true that it's not a dedicated firewall. However, the security features available in IOS are more than adequate for a small business that's currently using a Linksys router.
 
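The "log every connection and script an alert" idea from the post above, worked through as an added example (this is not code from the thread or from Cisco). It assumes the router's ACL logging is shipped by syslog in the standard IOS `%SEC-6-IPACCESSLOGP` format, that the server is `192.168.1.10` and that the only forwarded port is 3389; the log lines, the host name `edge-rtr`, the addresses and the email addresses are all constructed for the example. It flags two things Jeff7181's script would want to catch: a permit to any port other than the forwarded one (the ACL is wider than intended), and one source hammering 3389 inside a short window.

```python
"""Scan Cisco IOS ACL log lines ("%SEC-6-IPACCESSLOGP") for signs of trouble on a
forwarded RDP port: bursts of packets to 3389 from one source, and anything the
router permitted that was not supposed to be open at all."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

# Matches the syslog-wrapped IOS ACL log line for TCP/UDP (assumed format, see lead-in).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?"
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

RDP_PORT = 3389
EXPECTED_PERMITS = {RDP_PORT}  # the only inbound port meant to be forwarded to the server

# Constructed sample log: one legitimate RDP user, one source hitting 3389 twelve
# times in a minute, one permit to 445 that should never have matched, one denied probe.
SAMPLE_LOG = [
    "Mar 12 10:15:01 edge-rtr 101: *Mar 12 10:15:01.001: %SEC-6-IPACCESSLOGP: "
    "list 101 permitted tcp 198.51.100.7(50123) -> 192.168.1.10(3389), 1 packet",
] + [
    f"Mar 12 10:20:{s:02d} edge-rtr 102: *Mar 12 10:20:{s:02d}.000: %SEC-6-IPACCESSLOGP: "
    f"list 101 permitted tcp 203.0.113.45({40000 + s}) -> 192.168.1.10(3389), 1 packet"
    for s in range(0, 60, 5)
] + [
    "Mar 12 10:25:30 edge-rtr 103: *Mar 12 10:25:30.500: %SEC-6-IPACCESSLOGP: "
    "list 101 permitted tcp 203.0.113.45(41000) -> 192.168.1.10(445), 1 packet",
    "Mar 12 10:26:00 edge-rtr 104: *Mar 12 10:26:00.000: %SEC-6-IPACCESSLOGP: "
    "list 101 denied udp 203.0.113.99(53) -> 192.168.1.10(161), 3 packets",
]


def parse(lines):
    """Turn matching log lines into dicts; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year; strptime fills in 1900, which is fine
        # for comparing events inside one file.
        ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
        for key in ("sport", "dport", "count"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def find_alerts(events, window=timedelta(minutes=5), threshold=10):
    """Return human-readable alert strings for the two conditions described above."""
    alerts = []
    # 1. A permit to any port other than the forwarded one means the ACL is wider
    #    than intended (the "unintentionally opened something" case).
    for ev in events:
        if ev["action"] == "permitted" and ev["dport"] not in EXPECTED_PERMITS:
            alerts.append(
                f"unexpected permit: {ev['src']} -> {ev['dst']}:{ev['dport']}/{ev['proto']}"
                f" (ACL {ev['acl']})"
            )
    # 2. Too many packets to 3389 from one source inside a sliding time window.
    by_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "tcp" and ev["dport"] == RDP_PORT:
            by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, sum(e["count"] for e in evs[start:end + 1]))
        if peak >= threshold:
            alerts.append(
                f"possible RDP brute force: {src} sent {peak} packets to port "
                f"{RDP_PORT} within {window}"
            )
    return alerts


def build_alert_email(alerts, sender="edge-rtr@example.com", recipient="admin@example.com"):
    """Compose the notification; hand the result to smtplib.SMTP.send_message() to deliver it."""
    msg = EmailMessage()
    msg["Subject"] = f"[edge-rtr] {len(alerts)} security alert(s) from ACL log"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(alerts) if alerts else "no alerts")
    return msg


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Run it against the constructed log and it reports the stray permit to 445 and the 12-packet burst from 203.0.113.45; the legitimate single connection from 198.51.100.7 and the denied SNMP probe produce nothing. The threshold and window are deliberately parameters, since ACL logging counts packets rather than TCP sessions and a busy legitimate user can easily exceed a low packet count.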

Nothinman (Elite Member, joined Sep 14, 2001):
> If cost is a concern, and it appears to be, I'd forget about the firewall and get a real router like the 1800 I suggested. A properly configured 1800 ISA router is going to be much more secure than a Linksys, and not as expensive as a dedicated firewall.
>
> If you're still concerned about security, just have the 1800 log info about every connection that enters the LAN so you can review the logs, and even set up a script to search for specific entries that would indicate a security risk and fire off an email to whoever needs to know.
>
> *EDIT* Oh, and despite the comment before that the 1800 is a router and not a firewall, it's true that it's not a dedicated firewall. However, the security features available in IOS are more than adequate for a small business that's currently using a Linksys router.

Actually I'm not sure about that. I know the "firewall feature set" or whatever they're calling it now allows for somewhat similar functionality, but Cisco routers are allow by default, which is bad and makes it very easy to unintentionally open something up.
 

Jeff7181 (Lifer, joined Aug 21, 2002):
> Actually I'm not sure about that. I know the "firewall feature set" or whatever they're calling it now allows for somewhat similar functionality, but Cisco routers are allow by default, which is bad and makes it very easy to unintentionally open something up.

Whether it's an ASA device or an ISA router, some IOS knowledge is required to configure.
 

Nothinman (Elite Member, joined Sep 14, 2001):
> Whether it's an ASA device or an ISA router, some IOS knowledge is required to configure.

Yes, but allow by default makes it easier to err on the wrong side. And there is ASDM for ASAs, but I haven't touched that forever.
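The "allow by default" point Nothinman makes in the last few posts, shown with an added example that is not part of the thread and is not Cisco's code: a small Python model of how an IOS extended access list decides a packet. It keeps three rules of the real behaviour (an interface with no ACL applied passes everything, the first matching entry wins, and unmatched traffic falls through to the implicit deny at the end) and deliberately ignores NAT, `established`/reflexive matching and named ACLs. The server address `192.168.1.10`, the ACL number 101 and the probing source `203.0.113.45` are assumptions for the example.

```python
"""A small model of how a Cisco IOS extended access list decides a packet, to show
why 'allow by default' makes it easy to expose more than the forwarded RDP port.
Simplifications (assumed for the example): no NAT, no 'established', no named ACLs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-list entry: action, protocol, source/destination CIDR, optional dest port."""
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    src: str             # CIDR, e.g. "0.0.0.0/0" for any
    dst: str
    dport: Optional[int] = None


def _ios_addr(cidr):
    """Render a CIDR the way IOS writes it: any / host X / network wildcard."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render(acl_number, acl):
    """Produce the 'access-list N ...' lines a router would show in running-config."""
    lines = []
    for ace in acl:
        line = (f"access-list {acl_number} {ace.action} {ace.proto} "
                f"{_ios_addr(ace.src)} {_ios_addr(ace.dst)}")
        if ace.dport is not None:
            line += f" eq {ace.dport}"
        lines.append(line)
    return lines


def matches(ace, proto, src, dst, dport):
    """Does this entry match the packet? 'ip' matches any protocol; no port means any port."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ip_address(src) not in ip_network(ace.src) or ip_address(dst) not in ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl, proto, src, dst, dport):
    """IOS semantics modelled here: an interface with no inbound ACL permits everything;
    with an ACL, the first matching entry wins and unmatched traffic hits the implicit deny."""
    if acl is None:
        return "permit"
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


SERVER = "192.168.1.10"   # assumed address of the application server / DC
ANY = "0.0.0.0/0"

# Intended inbound policy: RDP to the server and nothing else.
RDP_ONLY = [
    Ace("permit", "tcp", ANY, f"{SERVER}/32", 3389),
    Ace("deny", "ip", ANY, ANY),
]

# The mistake the thread warns about: a 'permit ip any any' added "temporarily"
# above the deny line silently wins for every packet, so the deny never fires.
TROUBLESHOOTING_LEFTOVER = [Ace("permit", "ip", ANY, ANY)] + RDP_ONLY


def exposure(acl, src="203.0.113.45", ports=(3389, 445, 135, 139)):
    """Which of the given server ports does an Internet host reach under this ACL?"""
    return [p for p in ports if evaluate(acl, "tcp", src, SERVER, p) == "permit"]


if __name__ == "__main__":
    for label, acl in (("no ACL applied", None), ("RDP only", RDP_ONLY),
                       ("leftover permit", TROUBLESHOOTING_LEFTOVER)):
        print(f"{label:18s} reachable: {exposure(acl)}")
    print("\n".join(render(101, RDP_ONLY)))
```

Forgetting to apply the list to the outside interface, or leaving a broad permit above the deny, both give the same result as having no filter at all: every port on the DC is reachable from the Internet, exactly the failure mode a deny-by-default firewall avoids. The rendered `access-list 101` lines are what to look for in `show running-config` when checking that only 3389 is open.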