> Can ya provide some insight here Dave....I took a look at the
> IP Security Policy GUI and honestly didn't know what I was
> looking at. If it helps our setup is simple (and yes the
> network is small...dev web server...file server...6
> workstations. We are using DSL with a D-Link router.
>
> I'm just not sure what I should block/allow? I assume I do
> it by adding my own policies?
Well, the first step is to figure out what traffic you want to allow. As Jochem said, you'll want to deny everything, then specifically allow that traffic. So, what services do you host on that machine? What machines does that machine need to talk to, and why?

Let's say, for example, that you have a web/application server. You probably need access to some or all of the filesystem, although you may be able to limit that access to machines on your internal network. Your filesystem access might be through FTP, or CIFS (Windows Networking). Your web/app server, in turn, might need to access a SQL Server database server on your local network, and you might want to be able to download patches directly from MS to that server. So, that gives us a working list of services, from which we can determine a list of allowed ports, inbound and outbound.

Inbound:
  Web server - TCP/80, TCP/443 from everywhere
  File server - appropriate NetBIOS over IP ports, or DirectHost port, from internal network

Outbound:
  SQL Server - TCP/1433 to database server
  Windows Update - TCP/80, TCP/443 to MS update servers

Now, of course, it's very important to determine exactly what services your machine will provide, and what services it will need to use. For example, in the above case, your server wouldn't be able to find out the names of the database server, or the MS update servers, because we haven't included access to DNS. This might be intentional, in which case you'd have to figure out the appropriate IP addresses and put them directly on the server where needed. Also, your server won't be able to ping any other machines, nor will it be pingable itself. Again, this might be intentional, but you need to be aware of it.

Here's a tutorial on how to use the GUI:

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

As Jochem mentioned, you can also do this with the netsh command-line tool, but I don't have a link handy for that.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243346
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
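The deny-everything-then-allow-services approach in Dave's reply, worked through as an added example (this is editor-supplied code, not anything from the thread or from the linked tutorial). It keeps the allowed-service list as data, turns it into the equivalent `netsh ipsec static` script, and, more usefully, lets you test sample connections against the list before assigning the policy, so the DNS and ping gotchas Dave mentions show up as explicit "block" verdicts instead of as a mystery outage. The internal subnet (192.168.1.0/24), the database server address (192.168.1.20) and the specific NetBIOS/CIFS ports chosen for "appropriate NetBIOS over IP ports" are assumptions for the example.

```python
"""Model of a deny-all / allow-list IPSec filtering policy (added example).

Addresses, subnet and the CIFS/NetBIOS port choice below are assumptions,
not values from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.168.1.0/24")   # assumed LAN behind the D-Link router
DB_SERVER = "192.168.1.20"                # assumed SQL Server address


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in": remote -> this host, "out": this host -> remote
    proto: str            # "TCP", "UDP" or "ICMP"
    port: Optional[int]   # destination port; None for ICMP
    remote: str           # "any", "internal" (the LAN) or a single IP address


# The allow list derived from the services the server hosts and uses.
ALLOW = [
    Rule("Web", "in", "TCP", 80, "any"),
    Rule("Web TLS", "in", "TCP", 443, "any"),
    Rule("CIFS", "in", "TCP", 445, "internal"),            # DirectHost / SMB over TCP
    Rule("NetBIOS session", "in", "TCP", 139, "internal"),
    Rule("NetBIOS name", "in", "UDP", 137, "internal"),
    Rule("NetBIOS datagram", "in", "UDP", 138, "internal"),
    Rule("SQL Server", "out", "TCP", 1433, DB_SERVER),
    Rule("Windows Update", "out", "TCP", 80, "any"),
    Rule("Windows Update TLS", "out", "TCP", 443, "any"),
]


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    port: Optional[int]
    remote: str           # the other end's IP address


def _remote_matches(rule_remote: str, ip: str) -> bool:
    if rule_remote == "any":
        return True
    if rule_remote == "internal":
        return ip_address(ip) in INTERNAL
    return ip_address(ip) == ip_address(rule_remote)


def decide(flow: Flow, rules=ALLOW):
    """Return (verdict, rule name). Anything not explicitly allowed is blocked."""
    for r in rules:
        if (r.direction, r.proto, r.port) == (flow.direction, flow.proto, flow.port) \
                and _remote_matches(r.remote, flow.remote):
            return "permit", r.name
    return "block", "Block everything else"


def _filter_cmd(rule: Rule) -> str:
    """One 'netsh ipsec static add filter' line for a rule (XP/2003 netsh syntax)."""
    if rule.remote == "any":
        addr, mask = "any", ""
    elif rule.remote == "internal":
        addr, mask = str(INTERNAL.network_address), str(INTERNAL.netmask)
    else:
        addr, mask = rule.remote, ""
    if rule.direction == "in":
        ends = f"srcaddr={addr}" + (f" srcmask={mask}" if mask else "") + " dstaddr=me"
    else:
        ends = f"srcaddr=me dstaddr={addr}" + (f" dstmask={mask}" if mask else "")
    port = f" dstport={rule.port}" if rule.port is not None else ""
    # mirrored=yes also creates the reverse filter so replies are permitted.
    return (f'netsh ipsec static add filter filterlist="{rule.name}" {ends} '
            f'protocol={rule.proto}{port} mirrored=yes')


def netsh_script(policy: str = "Server Lockdown", rules=ALLOW) -> str:
    """Emit the policy as a netsh script: one permit rule per service, then a catch-all block."""
    lines = [
        f'netsh ipsec static add policy name="{policy}" description="Deny all, allow listed services"',
        'netsh ipsec static add filteraction name="Permit" action=permit',
        'netsh ipsec static add filteraction name="Block" action=block',
    ]
    for r in rules:
        lines.append(f'netsh ipsec static add filterlist name="{r.name}"')
        lines.append(_filter_cmd(r))
        lines.append(f'netsh ipsec static add rule name="{r.name}" policy="{policy}" '
                     f'filterlist="{r.name}" filteraction="Permit"')
    lines += [
        'netsh ipsec static add filterlist name="Everything else"',
        'netsh ipsec static add filter filterlist="Everything else" srcaddr=any dstaddr=me protocol=any mirrored=yes',
        f'netsh ipsec static add rule name="Block everything else" policy="{policy}" '
        f'filterlist="Everything else" filteraction="Block"',
        f'netsh ipsec static set policy name="{policy}" assign=y',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows; the last three are the ones Dave warns about.
    for f in [Flow("in", "TCP", 80, "203.0.113.5"), Flow("in", "TCP", 445, "203.0.113.5"),
              Flow("out", "TCP", 1433, DB_SERVER), Flow("out", "UDP", 53, "192.168.1.1"),
              Flow("in", "ICMP", None, "192.168.1.7"), Flow("out", "ICMP", None, "192.168.1.7")]:
        print(f, "->", decide(f))
    print(netsh_script())
```

Two caveats worth knowing before you assign something like this. IPSec filters are matched by specificity, not by the order you add them, which is why a broad any/any block rule coexists with the narrow permits; and they are stateless, so the `mirrored=yes` reverse filters are what let replies back in, with no connection tracking behind them. The `netsh ipsec static` context shown here exists on Windows XP and Server 2003; Windows 2000 itself has no netsh ipsec context and uses ipsecpol.exe from the Resource Kit with equivalent switches, so treat the generated script as the XP/2003 rendering. Windows 2000 and XP also exempt IKE (UDP/500), Kerberos, RSVP and broadcast/multicast traffic from IPSec filtering by default unless the NoDefaultExempt registry value is set, so "block everything" is not quite everything until you check that.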

