1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Help with Network Security

Discussion in 'Networks' started by nXPLOSi, Mar 23, 2011.

  1. nXPLOSi

    nXPLOSi Terabyte Poster

    2,874
    30
    151
    Hi Guys,

    A bit of background; Over here at my place we have created an ASP.NET intranet application that our field agents will access via PPTP VPN from netbooks we're giving them.

    What im worried about is our network security. At the moment the VPN lets traffic across any port (while we're in testing) but im looking to lock this down to only port 80 on the server that hosts the intranet site. (I cant see what else they'd need open to do the job required?).

    The netbooks currently VPN in, pickup an IP at our firewall after logging on after using username/password combo. They then open the intranet site and work away.

    Im hoping someone with some VPN/Security experience can help me out!

    Thanks :blink
     
    Last edited: Mar 23, 2011
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  2. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    can you not just specify what ports to use and not to use in the firewall settings?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Depends if you have other applications that require other ports to be open you would make your decision based on something like that... You could always allow only port 80 (HTTP) and/or 443(HTTPS) but that is if that's only what you need open.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  4. nXPLOSi

    nXPLOSi Terabyte Poster

    2,874
    30
    151
    Yep!! We can indeed, and thats what I plan to do.

    My concern is that this is an area i've not worked in before so im thinking that there are potentially issues out there that im not even thinking of. There will eventually be around 40-50 guys out there VPN'ing in over this connection to get access to the intranet so I want to be as sure as I can with the Security etc.. :)
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  5. nXPLOSi

    nXPLOSi Terabyte Poster

    2,874
    30
    151
    As far as the VPN is concerned, I can only see them needing port 80. Im going to be locking it down to that tonight after hours and testing it all to ensure it all still works. Will that be pretty secure as far as allowing remote users in over that port to the single server thats hosting the site?
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  6. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    Some apps they use may require specific ports are open like for securty updates etc and I think some sites that they may go could require specific ports too. You could set it in port settings not to allow any ports over 2000 or something.

    Better to get the specs of the apps these people may be using so you can know for definet what they use. Any ports that are not used can be blocked and should cause any issues as far as I can see.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  7. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    I'm not sure if your budget allows, but why not go for an SSL VPN Appliance like a SonicWall MRS4200? You could then couple this with Two Factor Authentication using a Key Fob or a on there mobile phone that generates a random number.

    This way you open up 443 to the SSL VPN Appliance and you then you publish whatever they are allowed to see onto the SSL VPN Appliance, in this case the intranet. So they will only ever have access to that on Port 80.

    In would work like this:

    - They go to a URL https://vpn.craigiesdomain.com/portal/craigie

    - Login with there AD username and password or Two Factor

    - They then see the intranet web site as a link.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. nXPLOSi

    nXPLOSi Terabyte Poster

    2,874
    30
    151
    Unfortunately our budget is pretty much zero; we're basicly being asked to work with what we have! :( Its a shame because that way of doing it sounds pretty cool!

    What i've managed to do is lockdown the VPN In and Out on our Watchguard to only allow port 80, and only to and from the server that is hosting the intranet site. I cant see much else I can do to lock it down to be honest?
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012

Share This Page

Loading...