blocking ports

Discussion in 'Server Networking' started by Hernán Castelo, Apr 12, 2004.

  1. Hi,
    I want to leave open only ports 80 and 443 on a web server.
    I can't contact the person who has access to the firewall...
    Can I block the traffic by entering 80 and 443
    in TCP/IP - Properties - Advanced - Options - TCP/IP Filtering?
    Would it be a strong solution, or only a temporary one?

    thanks
     
    Hernán Castelo, Apr 12, 2004
    #1

  2. Yes, you can use the packet filtering ability in the TCP/IP properties, but
    it isn't as flexible as the filtering ability of the actual firewall.
     
    Phillip Windell, Apr 12, 2004
    #2

  3. Thanks.
    Is it a bad policy to block all ports but 80 and 443
    (for a web server)?
    What advantage do you see in blocking the ports at the firewall
    rather than in the TCP/IP network options?
     
    Hernán Castelo, Apr 12, 2004
    #3
  4. It just depends on what you need. If you do that and everything still works
    then it is "good",...if you do that and a bunch of stuff quits working then
    it is "bad".
     
    Phillip Windell, Apr 12, 2004
    #4
  5. Yes!
    But for serving ASP pages,
    aren't TCP 80 and 443 enough?
     
    Hernán Castelo, Apr 12, 2004
    #5
  6. As far as the web site goes, yes, that is all. But FTP won't work if you
    use FTP to get the pages to the server to start with. You also cannot copy
    files to the server via network shares because Active Directory, Network
    Browsing, and virtually nothing else will work.

    You would end up having to do your editing and designing locally on the
    server or carry the files to it on a floppy or CD disk.

    But why do this at all? In your other post, according to your description,
    the webserver is on the same side of the firewall as your LAN, so why not
    just let the firewall do its job as it was designed to do and leave the web
    server alone?
     
    Phillip Windell, Apr 12, 2004
    #6
  7. Thanks.
    "Web server alone"...
    You mean connect the incoming wire to a switch,
    and plug into the switch
    the firewall on one side
    and the web server on the other?
     
    Hernán Castelo, Apr 13, 2004
    #7
  8. (Phillip,
    your dedication throughout this thread
    is really appreciated, thanks.)


    --
    Regards,
    Hernán Castelo
    UTN Buenos Aires
     
    Hernán Castelo, Apr 13, 2004
    #8
  9. It would look like this, the firewall is the dividing line between the two
    networks:

    |Their network| | Your network|
    Other Network <-->Firewall <--> switch <--> Webserver and all others
     
    Phillip Windell, Apr 13, 2004
    #9
  10. Well, that is the current configuration,
    but you said "web server alone".
    What does "alone" mean?

    --
    Regards,
    Hernán Castelo
    UTN Buenos Aires
     
    Hernán Castelo, Apr 13, 2004
    #10
  11. It means don't change anything on the webserver.

    Making the web server available to others outside your LAN is the job of the
    firewall not the webserver.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


     
    Phillip Windell, Apr 13, 2004
    #11
  12. I understand.
    In that case, the web server and the LAN users
    are plugged into the switch, sharing the same MS network;
    then I can set access rights for users and IPs on each server's resources,
    and the firewall provides security from guests, right?

    Now, going back a little:
    filtering ports in the "TCP/IP protocol" to 80 and 443
    does not make the web server more secure?

    Once an intruder gains access to the web server,
    can he enter the rest of the LAN, or not?
    I feel I need one more security measure,
    because in case of an attack
    I can't simply say "it was the responsibility of the Linux guy".
    I think the more I can do, the better I help to be safe...

    Please tell me what you think about this.
    Thanks


    --
    Regards,
    Hernán Castelo
    UTN Buenos Aires
     
    Hernán Castelo, Apr 13, 2004
    #12
  13. Yes, but it may be too extreme, and you may also prevent other things from
    working that you might need to work. It also makes a difference whether you
    filter at the firewall or at the webserver.
    Maybe, maybe not,...it just isn't that simple.
    There is a lot more to security than blocking or allowing ports. Everything
    running on the machine must be properly configured to make it secure. There
    is no way I can explain all that in an email message.
     
    Phillip Windell, Apr 13, 2004
    #13
  14. Sure, OK.
    I'm working on other issues too;
    I'm following
    http://msdn.microsoft.com/library/en-us/secmod/html/secmod89.asp
    and
    http://msdn.microsoft.com/library/en-us/secmod/html/secmod77.asp

    One last thing:
    the first document (link) above says (sic) under the title "snapshot":
    "All ports except 80 and 443 (SSL) are blocked,
    especially vulnerable ports 135-139 and 4"

    So, should I block the ports or not?
    Or must I understand that as:
    "block all the ports except 80 and 443
    and other necessary ones,
    as long as they are not 135-139 and 4"?

    (This is the last one, I promise.
    Thanks.)

    --
    Regards,
    Hernán Castelo
    UTN Buenos Aires
     
    Hernán Castelo, Apr 13, 2004
    #14
  15. Those are good articles, but they are written for a situation where the web
    server is directly exposed to the Internet,...yours is not,...not only is it
    behind a firewall, but you even have another private network on the other
    side of the firewall according to your past descriptions.

    You should not do all that on the web server if you expect it to function
    with other machines on your LAN. Just do all your filtering at the firewall
    and that is good enough.
     
    Phillip Windell, Apr 14, 2004
    #15
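The advice in post #6 (a host-only allow-list of 80 and 443 cuts FTP, file shares and AD) and the MSDN "snapshot" quoted in post #14 (135-139 and 445 must not be reachable) both reduce to one question: what is actually listening on this box, and what does a given allow-list leave reachable? The script below is an added example, not code from the thread or from the MSDN articles. It parses the text layout of Windows `netstat -ano` (the sample output is constructed, not captured from a real host; the port-to-service names and the high-risk set are my labels) and reports which listening TCP ports the filter would cut and whether any NetBIOS/SMB port would remain reachable if you widen the list to keep file copying working. On a real server, pass a saved `netstat -ano` capture to `report()`.

```python
# Added example: audit listening TCP ports on a Windows host against an
# allow-list before applying a TCP/IP filter or firewall rule.
# Not from the original thread; netstat sample and service labels are mine.

ALLOW = {80, 443}

# Ports the MSDN "snapshot" quoted in the thread singles out as vulnerable:
# must never be reachable from outside the LAN.
HIGH_RISK = {135, 136, 137, 138, 139, 445}

# Service labels for the report (assumption: standard IANA/Microsoft usage).
KNOWN_SERVICES = {
    21: "FTP control", 80: "HTTP", 135: "RPC endpoint mapper",
    137: "NetBIOS name service", 138: "NetBIOS datagram",
    139: "NetBIOS session (SMB over NetBIOS)", 443: "HTTPS",
    445: "SMB direct (file shares, AD)", 3389: "RDP",
}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:80            203.0.113.9:51234      ESTABLISHED     4
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING       980
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
"""


def listening_tcp_ports(netstat_output):
    """Return {port: bind_address} for every TCP socket in LISTENING state.

    Follows the `netstat -ano` columns (Proto, Local, Foreign, State, PID).
    UDP rows, established connections, headers and blank lines are skipped.
    rpartition on ':' keeps bracketed IPv6 binds such as [::]:80 intact.
    """
    ports = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        ports[int(port)] = addr
    return ports


def audit(ports, allow=ALLOW):
    """Classify listening ports against the allow-list.

    kept  - ports the filter leaves reachable from the network
    cut   - ports the filter closes: what "quits working" for remote users
    risky - HIGH_RISK ports still reachable after filtering (should be empty)
    Loopback-only binds are ignored; nothing off-host can reach them anyway.
    """
    remote = {p for p, addr in ports.items() if addr not in LOOPBACK}
    kept = sorted(p for p in remote if p in allow)
    cut = sorted(p for p in remote if p not in allow)
    return {"kept": kept, "cut": cut, "risky": [p for p in kept if p in HIGH_RISK]}


def describe(port):
    return "%d/tcp (%s)" % (port, KNOWN_SERVICES.get(port, "unknown service"))


def report(netstat_output, allow=ALLOW):
    """Return a readable summary so callers can print, log or check it."""
    result = audit(listening_tcp_ports(netstat_output), allow)
    lines = ["Allow-list: " + ", ".join(str(p) for p in sorted(allow))]
    lines.append("Still reachable: " + (", ".join(map(describe, result["kept"])) or "none"))
    lines.append("Cut by the filter: " + (", ".join(map(describe, result["cut"])) or "none"))
    if result["risky"]:
        lines.append("WARNING: high-risk ports reachable: "
                     + ", ".join(map(describe, result["risky"])))
    else:
        lines.append("No high-risk (135-139, 445) ports reachable.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
    print()
    # Widening the list so LAN users can still copy files over shares (post #6)
    # re-exposes SMB on the host. That is the case for filtering at the firewall
    # instead, where 445 can be allowed from the LAN but not from the other side.
    print(report(SAMPLE_NETSTAT, ALLOW | {445}))
```

The second run shows the trade-off the thread keeps circling: a host-level filter is all-or-nothing per port, so the moment you re-open 445 for file copying it is open to everything the host can hear, whereas the firewall can allow 445 from the LAN segment only.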
  16. Very well, sir
    Thank you

    --
    Regards,
    Hernán Castelo
    UTN Buenos Aires
     
    Hernán Castelo, Apr 14, 2004
    #16
