Firewall, VPN and SQL Server


Firewall, VPN and SQL Server Mike Forman
9/29/2003 5:54:10 PM
I'm setting up a Linux firewall for my company's T1. All of our other machines
will be windoze. I also need to set up a Windows VPN server (can't use the Linux
clients for reasons I can't get into here).

1) Someone suggested to me that I put the VPN in the Linux DMZ and forward the
ports to that machine. Does that make sense?

2) I also have another security question which I have no idea how to handle. We
have some application (IIS) servers that we want on the internet. I can put
those outside of the firewall (or port forward 80 to that machine), BUT those
machines will need access to servers INSIDE the firewall (SQL Server). Any
suggestions on how to handle this one? I haven't a clue :(

-Mike
Re: Firewall, VPN and SQL Server Leythos
9/30/2003 2:00:23 AM
In article <74883250.0000426f.062@drn.newsguy.com>, ec-nospam@microsoft.com says...

In general, I always VPN into the firewall appliance and then create
rules that allow the VPN group(s) to access the resources that I want
them to be able to access.


First - Web servers belong in the DMZ when they also provide public
access. You only enable 80/443 to them.

Second - The database server belongs in the LAN side - you create a rule
that maps 1433 (MS SQL) from the DMZ to the LAN (make sure that you map
IP Address:1433 to IP Address:1433). Do not just map 1433 from any IP to
any IP. Do not map any other ports from the DMZ to the LAN.

Third - Make a LAN port 80/443 to DMZ port 80/443 (ANY IP address on the
LAN) - do not map from the DMZ to the LAN with this rule.

Fourth - setup DNS inside your LAN - you need to create records for the
web server sites in your internal DNS so that the LAN users can get to
them using proper names. In many cases, a NAT through a firewall, will
not resolve names properly for DMZ private IP addresses and the users
will fail to connect.

Once your internal machines have the first DNS as your LAN DNS Server,
and secondary as your external DNS server, you should be able to browse
to the web server in the DMZ by web site name, and the rest of the
internet too.

There are many other rules you will need to create for normal browsing
and such, but these specifically cover your question.

As a means of making sure that you get a quality/secure result, hire an
IT security consultant to build it for you.

--
spamfree999@rrohio.com
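The four points in the reply above, written out as an added example that is not part of Leythos' post: an iptables ruleset for a three-interface Linux firewall (the original poster's firewall is Linux). The interface names (eth0/eth1/eth2) and addresses (203.0.113.10, 192.168.1.0/24, 192.168.2.10 for the IIS server, 192.168.1.20 for SQL Server) are assumptions chosen for illustration, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example: iptables rules for a three-legged Linux firewall implementing
# the DMZ/LAN split described in the reply above. All interface names and
# addresses are assumptions for illustration, not values from the thread.
set -eu

WAN_IF=eth0                 # T1 side
LAN_IF=eth1                 # internal network (SQL Server lives here)
DMZ_IF=eth2                 # DMZ (IIS web server lives here)
WAN_IP=203.0.113.10         # assumed public address of the firewall
LAN_NET=192.168.1.0/24      # assumed LAN range
WEB_DMZ=192.168.2.10        # assumed address of the IIS server in the DMZ
SQL_LAN=192.168.1.20        # assumed address of SQL Server on the LAN

# By default the rules are printed instead of applied; run with IPT=iptables
# as root to load them for real.
IPT=${IPT:-"echo iptables"}

build_rules() {
    # Nothing crosses between segments unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # First: public web traffic. Only 80/443 reaches the DMZ web server,
    # via a DNAT of the firewall's public address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp \
        -m multiport --dports 80,443 -j DNAT --to-destination "$WEB_DMZ"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_DMZ" -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Second: DMZ -> LAN is pinned host-to-host: the web server's address to
    # the SQL Server's address on 1433, and nothing else. Writing this as
    # DMZ subnet -> LAN subnet on 1433 would let any compromised DMZ host
    # reach any LAN host running SQL Server.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$WEB_DMZ" -d "$SQL_LAN" \
        -p tcp --dport 1433 -m state --state NEW -j ACCEPT
    # Everything else from the DMZ towards the LAN falls through to the DROP
    # policy; log it so a probing web server shows up in the firewall log.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ->LAN DROP: "

    # Third: any LAN host may browse the DMZ web server on 80/443. This rule
    # is LAN -> DMZ only; replies return via the ESTABLISHED rule, so no
    # DMZ -> LAN rule is needed for it.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB_DMZ" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Fourth (not a firewall rule): LAN clients must resolve the site name to
    # $WEB_DMZ via internal DNS. If they get the public $WAN_IP instead, the
    # connection arrives on $LAN_IF, the PREROUTING DNAT above (which matches
    # only $WAN_IF) does not fire, and the connection fails.
    # Rules for ordinary outbound browsing (LAN -> WAN plus MASQUERADE) are
    # omitted here, as in the reply.
}

build_rules
```

Run it as-is to review the generated rules; run `IPT=iptables sh thisfile.sh` as root to apply them. The only DMZ-to-LAN allow rule names a single source and a single destination address, which is the point of the "IP Address:1433 to IP Address:1433" advice, and the LOG rule beneath it makes any other attempt from the DMZ visible.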
Re: Firewall, VPN and SQL Server Mike Forman
9/30/2003 6:32:09 AM
Thanks for the great reply! That was very informative. I have a couple of
followup questions


I need to use a Microsoft VPN server to handle this, so if my firewall is Linux,
how could I accomplish this?


I'm a bit unclear what the above step does. What does this allow you to do?


Thanks again,

-Mike
Re: Firewall, VPN and SQL Server dingtan NO[at]SPAM eleolo.com
9/30/2003 7:55:31 AM
Hi, Mike,

1) Is someone suggesting putting the Linux firewall/VPN in the DMZ? If so, do
you already have another firewall at the main gateway? It does make sense to
have a Linux VPN in another location if you already have a firewall to act as
traffic cop for the traffic dedicated to the Linux VPN in the DMZ. Forwarding
traffic to another server, especially when you are dealing with issues with
NAT and outside-accessible 2-way traffic, does make sense.

2) Create a site-to-site IPsec VPN using a small firewall/VPN box or software
residing on the IIS server, and make the appropriate configurations on the
gateway firewall to handle the secure 2-way traffic to the secure SQL Server on
the inside. The setup needs to take care of VPN traffic initiated from both
inside and outside using the site-to-site VPN.

Dean

Re: Firewall, VPN and SQL Server Leythos
9/30/2003 5:07:50 PM
In article <74928729.0000e616.099@drn.newsguy.com>, ec-nospam@microsoft.com says...

If your solution does not allow you to create VPN groups, meaning they
connect from remote locations to the VPN device (Linux box) and then
authenticate with it, then a rule(s) conditions their ability to access
the network resources, then you need to change your solution plan.


Without a rule to allow WEB/HTTPS ports from the LAN to the DMZ (where
the web server is) you can't view the site from your LAN.

--
spamfree999@rrohio.com
Re: Firewall, VPN and SQL Server Pertti Kosunen
9/30/2003 7:37:17 PM
> What does this allow you to do?

This also allows workers to connect to your web server from the intranet/LAN.
