Re: Stand Alone DHCP Servers and Windows 2000
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Wed, 24 May 2006 21:57:17 -0700
You make fair points, but I stand by the statement that a firewall limits
the scope of things a virus can attack. For the case where you separate a
client network from domain controllers by an ISA Server 2004 firewall, here
are some examples:
1) If someone accidentally left a web server running on a domain controller,
that is a major security disaster waiting to happen. With a firewall
separating the clients from the domain controllers, the clients cannot
exploit an administrator's sloppiness in leaving the service running there.
2) If you want to restrict a test lab from having any access to your
production domain controllers at all, the firewall gives you the flexibility
to carve out whole networks that cannot reach the domain controller on any
port. It's much harder to do that robustly on a purely routed network.
Since those low security environments like labs are precisely the place that
viruses can most easily grab hold of machines, it's nice to be able to carve
out exceptions.
3) You can restrict the flow of information out from the domain controller
network. So if a trojan does get planted there, it cannot do anything
useful to connect back out of the network.
4) You can enforce restrictions against the old style NetBIOS calls (137) by
forbidding access on those ports at all. That basically wipes out all of
the kiddy hackers, who rely widely on the complete insecurity of those
protocols.
Microsoft has published documents on which ports to expose between clients
and domain controllers. The only port that ever has caused us grief is
RPC, and that is solved by ISA Server 2004. Where it gets very very
challenging is if you want to dig down within RPC and restrict access to
only specific RPC services. We have done even that in a test environment
(even though everyone assured us it was impossible to do), but Microsoft's
organization and documentation of their own software's RPC usage is just
awful. You don't get a 100% reliable result when you restrict access
within RPC. But if you are willing to live with all RPC requests getting
through to your domain controller, it's possible to make a firewall work
extremely robustly and in a way that is transparent to the end user.
--
Will
"Phillip Windell" <@.> wrote in message
news:eSn3HO0fGHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:zeydnQ90g73YH_fZRVn-rg@xxxxxxxxxxxxxxx
I did not say firewalls stop viruses. I said a firewall *limits the scope
of things a virus can attack*. All the firewall does is narrow an attack
profile.
Every virus I have ever been hit with would not have even been slowed down
by a firewall. The same thing the virus needs to communicate... is the
thing the LAN needs to function... in fact the LAN usually needs more. So
you end up with the virus usually not even being slowed down while at the
same time the LAN doesn't function properly because the firewall is in its
way.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
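The four restrictions Will lists, written out as a first-match rule table so the default-deny effect can be checked flow by flow. This is an added example, not code from the thread or from ISA Server 2004; the zone names, the subset of documented client-to-DC ports and the RPC port range are assumptions.

```python
# Added example: first-match model of the client / domain-controller
# segmentation policy described in the post. Only new connections are
# evaluated; replies are assumed to be handled by the firewall's state table.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed subset of the client-to-DC ports Microsoft documents (assumption).
DC_PORTS = {53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269}
NETBIOS_PORTS = {137, 138, 139}
# The post accepts letting all RPC traffic through rather than filtering
# per RPC service; modelled here as the whole ephemeral range (assumption).
RPC_DYNAMIC = range(1024, 65536)

@dataclass(frozen=True)
class Flow:
    src: str      # zone the connection is initiated from
    dst: str      # zone it is going to
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    src: str        # zone name or "any"
    dst: str        # zone name or "any"
    proto: str      # "tcp", "udp" or "any"
    ports: object   # set, range, or None for any port
    action: str     # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src) and self.dst in ("any", f.dst)
                and self.proto in ("any", f.proto)
                and (self.ports is None or f.dport in self.ports))

# First match wins; anything unmatched falls through to deny.
RULES = [
    Rule("lab", "dc", "any", None, "deny"),             # 2) lab never reaches a DC
    Rule("any", "dc", "any", NETBIOS_PORTS, "deny"),    # 4) no legacy NetBIOS at all
    Rule("dc", "any", "any", None, "deny"),             # 3) nothing initiated out of the DC network
    Rule("clients", "dc", "any", DC_PORTS, "allow"),    # documented AD ports only
    Rule("clients", "dc", "tcp", RPC_DYNAMIC, "allow"), # all of RPC, not per-service
]

def evaluate(flow: Flow, rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule), or ("deny", None) for the default."""
    for i, rule in enumerate(rules):
        if rule.matches(flow):
            return rule.action, i
    return "deny", None
```

Point 1 falls out of the default: a forgotten web server on a DC (TCP 80) matches no allow rule, so clients never reach it.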