blocking ports

hi
i want to leave open only ports 80 and 443 on a web server
i cant contact the person who has access to firewall...
can i block the traffic by loading 80 and 443
in tcp/ip - properties - advanced - options - tcp/ip filter ?
may it be a strong solution ? or temporal ?

thanks

 

Yes you can use the packet filtering ability in the TCP/IP properties, but
they aren't as flexable as the filtering ability of the actual firewall.

 

thanks,
does it is a bad policy to block all ports but 80 and 443 ?
(for a web server)
what advantage do you see in blocking the ports at firewall
rather than Tcp/Ip net-options

 

It just depends on what you need. If you do that and everything still works
then it is "good",...if you do that and a bunch of stuff quits working then
it is "bad".

 

yes!
but for serving asp pages
tcp 80 and 443 is not enough?

 

As far as the web site goes, yes, that is all. But FTP won't work if you
use FTP to get the pages to the server to start with. You also cannot copy
files to the server via network shares because Active Directory, Network
Browsing, and virtually nothing else will work.

You would end up having to do your editing and designing locally on the
server or carry the files to it on a floppy or CD disk.

But why do this at all? In your other post, according to your description,
the webserver is on the same side of the firewall as your LAN, so why not
just let the firewall do its job as it was designed to do and leave the web
server alone?

 

thanks
web server alone...
you mean connect the wire coming to a switch
and plug in the switch
the firewall, by a side
and the webserver, by the other ?

 

(phillip,
your dedication along this post
is really appreciated, thanks)


--
atte,
Hernán Castelo
UTN Buenos Aires
.. . . . . . . . . . . . . . . . . . . . . . . . . .
"Phillip Windell" <@.> escribió en el mensaje
As far as the web site goes, yes, that is all. But FTP won't work if you
use FTP to get the pages to the server to start with. You also cannot copy
files to the server via network shares because Active Directory, Network
Browsing, and virtually nothing else will work.

You would end up having to do your editing and designing locally on the
server or carry the files to it on a floppy or CD disk.

But why do this at all? In your other post, according to your description,
the webserver is on the same side of the firewall as your LAN, so why not
just let the firewall do its job as it was designed to do and leave the web
server alone?

 

It would look like this, the firewall is the dividing line between the two
networks:

|Their network| | Your network|
Other Network <-->Firewall <--> switch <--> Webserver and all others

 

well, that is the current configuration
but you said "web server alone"
what does mean "alone"?

--
atte,
Hernán Castelo
UTN Buenos Aires
.. . . . . . . . . . . . . . . . . . . . . . . . . .
"Phillip Windell" <@.> escribió en el mensaje
As far as the web site goes, yes, that is all. But FTP won't work if you
use FTP to get the pages to the server to start with. You also cannot copy
files to the server via network shares because Active Directory, Network
Browsing, and virtually nothing else will work.

You would end up having to do your editing and designing locally on the
server or carry the files to it on a floppy or CD disk.

But why do this at all? In your other post, according to your description,
the webserver is on the same side of the firewall as your LAN, so why not
just let the firewall do its job as it was designed to do and leave the web
server alone?

 

It means don't change anything on the webserver.

Making the web server available to others outside your LAN is the job of the
firewall not the webserver.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 

i understand
in that case, the web sever and Lan users
are plugged to the switch, sharing the same ms-network,
then i can state access right to users and ips for each servers resources
and the firewall provide security from guests, right?

now, going back a little,
filtering ports on "tcp/ip protocol" to 80 and 443
does not make web server more secure ?

once an intruder gain access to web server
he can enter the rest of the Lan, or not?
i feel i need another security measure more,
because in case of an attack
i can't simply say "it was responsability of the linux guy"
i think the more i can do the better i help to be safe...

please tell me what dou you think about this
thanks


--
atte,
Hernán Castelo
UTN Buenos Aires
.. . . . . . . . . . . . . . . . . . . . . . . . . .
"Phillip Windell" <@.> escribió en el mensaje
It means don't change anything on the webserver.

Making the web server available to others outside your LAN is the job of the
firewall not the webserver.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 

Yes, but it may be too extreme and you may also prevent other things from
working that you might need to work. It also makes a difference whether you
filter at the firewall or at the webserver.

Maybe, maybe not,...it just isn't that simple.

There is a lot more to security than blocking or allowing ports. Everything
running on the machine must be properly configured to make it secured. There
is no way I can explain all that in an email message.

 

sure, ok
i'm around other issues too
i'm following
http://msdn.microsoft.com/library/en-us/secmod/html/secmod89.asp
and
http://msdn.microsoft.com/library/en-us/secmod/html/secmod77.asp

one last thing,
the first document (link) above, it say (sic) under title "snapshot" :
"All ports except 80 and 443 (SSL) are blocked,
especially vulnerable ports 135-139 and 4"

so, should i block the ports or not ?
or i must understand that as:
"block all the ports except 80 and 443
and other necessary ones
meanwhile they are not 135-139 and 4"

(this is the last, i promisse
thanks)

--
atte,
Hernán Castelo
UTN Buenos Aires
.. . . . . . . . . . . . . . . . . . . . . . . . . .
"Phillip Windell" <@.> escribió en el mensaje

Yes, but it may be too extreme and you may also prevent other things from
working that you might need to work. It also makes a difference whether you
filter at the firewall or at the webserver.

Maybe, maybe not,...it just isn't that simple.

There is a lot more to security than blocking or allowing ports. Everything
running on the machine must be properly configured to make it secured. There
is no way I can explain all that in an email message.

 

Those are good articles, but they are written for a situation where the web
server is directly exposed to the Internet,...yours is not,...not only is it
behind a firewall, but you even have another private network on the other
side of the firewall according to your past descriptions.

You should not do all that on the web server if you expect it to function
with other machines on your LAN. Just do all your filtering at the firewall
and that is good enough.

 

Very well, sir
Thank you

--
atte,
Hernán Castelo
UTN Buenos Aires
.. . . . . . . . . . . . . . . . . . . . . . . . . .
"Phillip Windell" <@.> escribió en el mensaje
Those are good articles, but they are written for a situation where the web
server is directly exposed to the Internet,...yours is not,...not only is it
behind a firewall, but you even have another private network on the other
side of the firewall according to your past descriptions.

You should not do all that on the web server if you expect it to function
with other machines on your LAN. Just do all your filtering at the firewall
and that is good enough.