Web Hosting Talk
#1
07-08-2009, 06:04 PM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
securing server traffic (IPSEC maybe?)

I need to secure a Windows Server 2003 server's traffic.

I have one server with a small number of clients (<10). The clients have dynamic IPs.

The server hosts a number of public-facing websites, email, FTP and remote desktop.

What I want to do is make port 80 respond to all web requests but lock all other services down so that they only respond to my 10 clients. I was thinking of some certificate or VPN solution, but I've ruled VPN out as I don't have a firewall or VPN, so would I be able to do this with IPSEC?

Is there a quick utility that would do this, or can you point me to a good example article?

Thanks

#2
07-09-2009, 12:00 AM
plumsauce
Web Hosting Master
Join Date: Feb 2004
Posts: 2,637
Look into RRAS+IPSEC together.

This gives you packet filtering, pptp vpn, ipsec vpn. You can go as far as to require certificate authentication. Give a cert to each client.

__________________
3 sites, 3 services
server uptime/blacklist monitor and sms alert service - exactstate.com
managed DNS global failover and load balance (GSLB) - edgedirector.com
5 second online server check - newsreports.org

#3
07-09-2009, 03:49 AM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
Thanks

Can I use IPSEC on its own, or do I need RAS because of the dynamic IPs?

Will this, with the Windows Firewall and only port 80 open to the public, offer me a secure solution over the internet?

I don't have a physical firewall other than the data centre perimeter one, which I know very little about.

#4
07-09-2009, 05:43 AM
plumsauce
Web Hosting Master
Join Date: Feb 2004
Posts: 2,637
The RRAS is for the packet filters. It will disable the firewall. It is also what allows you to set up a VPN server; that is part of RRAS. Then you pick between PPTP or IPSEC for the VPN tunnels. PPTP is judged to be less secure, but easier to set up when the customer is behind a NAT'ed router. The tradeoff is often worth it. IPSEC can be a real pain behind a NAT. You might spend *days* supporting clients behind a NAT. In addition, they will have new problems every time they try it from a hotspot.

You can use IPSEC on its own, but RRAS is a nice supplement.

#5
07-09-2009, 12:21 PM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
So RRAS would be much superior to the firewall, and more secure?

I can look at using IPSEC for core services but may choose to leave it given your comments. Even with PPTP it will be more secure than what we have now (direct FTP, POP, etc. access).

IPSEC could be for site-to-site services if we can narrow these down and lock them out. It may be that my client's router will act as a VPN endpoint, but if this is a dynamic IP will IPSEC work?

#6
07-10-2009, 02:51 AM
HoundOfTheSmith
Junior Guru
Join Date: Jun 2007
Location: UK
Posts: 217
Also, look at OpenVPN (an SSL-based VPN). You'd install the server software on your server and the client software on the clients' PCs.

__________________
I think the server saw what was required of it and just committed suicide instead.

#7
07-10-2009, 03:26 AM
plumsauce
Web Hosting Master
Join Date: Feb 2004
Posts: 2,637
Quote:
Originally Posted by daninmanchester
So RRAS would be much superior to the firewall, and more secure?

I can look at using IPSEC for core services but may choose to leave it given your comments. Even with PPTP it will be more secure than what we have now (direct FTP, POP, etc. access).

IPSEC could be for site-to-site services if we can narrow these down and lock them out. It may be that my client's router will act as a VPN endpoint, but if this is a dynamic IP will IPSEC work?
So, your final plan would be RRAS + PPTP VPN + packet filters. IPSEC is nice, but only if you control the endpoints. Your customers will be forever whining about some *minor* change to suit their whims.

Forget OpenVPN unless you have no other choice. It is pointless to graft on a separate package when MS has a pre-engineered solution.

Final word of advice: if you are configuring using terminal services, the very first rules that you put in are rules to allow terminal services to be accessible.

#8
07-10-2009, 07:19 AM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
I was reading about L2TP and this does seem the stronger solution, which I would prefer.
My clients aren't that fussy as long as they have FTP, POP, SMTP.

The rest of the world just needs port 80, so I would need to make sure I locked this part of the system down, but the VPN would protect the other 3rd-party services (which is where I think previous incidents have come from).

I have remote KVM over IP but do sometimes use remote desktop as it's a bit smoother to use over a good connection.

One other key question: is there a way I can issue a physical certificate which the user installs so they have an "always on" connection (i.e. no dialing into the VPN) but retain access to their local services?

I would want to renew these certificates regularly and enforce a password policy.
Does that make sense?

#9
07-15-2009, 06:32 AM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
Do you know of an article that can talk me through setting up a win2K3 single NIC box for remote desktop access?

#10
07-16-2009, 06:35 AM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
Right, I've got it up and running and have been having a play.
There is a caveat though: it disables Windows Firewall, and the NAT firewall doesn't seem to allow you to specify an IP scope. Is there a way round this?

I wanted to import around 1000 IP rules, which I think can be done in Windows Firewall through the .inf file.

I'm starting to think maybe there is a better firewall/VPN solution for Windows?

#11
07-19-2009, 11:21 AM
daninmanchester
Junior Guru Wannabe
Join Date: Aug 2006
Posts: 59
I managed to script this using IPSECCMD, but the problem is that if I script more than about 100 filters per IPSECCMD call I get "command line is too long", and I don't seem to be able to append filters to a rule using this command.

Given that I want to allow somewhere in the order of 3000 subnets for the UK and block probably more for the likes of China, is there a better way to do this?

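The "command line is too long" problem in the last post, worked as an added Python generator script that is not from this thread: it packs subnet filter specs into as many ipseccmd invocations as needed to keep each under cmd.exe's 8191-character limit, and emits the admin/remote-desktop allow rules first, as post #7 advises. The ipseccmd flag layout, the `addr/mask=0` filter form and the PASS/BLOCK action names are assumptions to check against ipseccmd's own documentation; the subnet list is constructed sample data.

```python
import ipaddress
import itertools

CMD_MAX = 8191  # cmd.exe's maximum command-line length on XP/2003 and later

# Assumed ipseccmd layout (a placeholder to adapt to the real syntax): a fixed prefix
# naming policy and rule, the filter specs after -f, then the action and -x to activate.
PREFIX = 'ipseccmd -w REG -p "Server lockdown" -r "{rule}" -f'
SUFFIX = '-n {action} -x'


def filter_spec(subnet):
    """One CIDR block as an address/mask spec toward this host ('0' = me).
    The 'addr/mask=0' form is an assumption about ipseccmd's -f syntax."""
    net = ipaddress.ip_network(subnet, strict=False)
    return f"{net.network_address}/{net.netmask}=0"


def batch_commands(subnets, rule, action, limit=CMD_MAX):
    """Pack filter specs into the fewest commands that each fit in `limit` chars."""
    prefix = PREFIX.format(rule=rule)
    suffix = SUFFIX.format(action=action)
    overhead = len(prefix) + len(suffix) + 2  # the two spaces around the spec list
    commands, current, length = [], [], overhead
    for spec in map(filter_spec, subnets):
        if overhead + len(spec) > limit:
            raise ValueError(f"single filter exceeds the limit: {spec}")
        if current and length + len(spec) + 1 > limit:  # would overflow: flush
            commands.append(f"{prefix} {' '.join(current)} {suffix}")
            current, length = [], overhead
        length += len(spec) + (1 if current else 0)  # +1 for the separating space
        current.append(spec)
    if current:
        commands.append(f"{prefix} {' '.join(current)} {suffix}")
    return commands


def build_plan(admin_subnets, client_subnets, blocked_subnets):
    """Admin (remote desktop) allows first, then client allows, then bulk blocks."""
    return (batch_commands(admin_subnets, "Admin access", "PASS")
            + batch_commands(client_subnets, "Client access", "PASS")
            + batch_commands(blocked_subnets, "Blocked ranges", "BLOCK"))


def sample_subnets(count, base="10.0.0.0/8"):
    """Constructed test data: the first `count` /24 blocks carved from `base`."""
    nets = ipaddress.ip_network(base).subnets(new_prefix=24)
    return [str(n) for n in itertools.islice(nets, count)]


if __name__ == "__main__":
    for cmd in build_plan(["192.0.2.10/32"], ["198.51.100.0/24"], sample_subnets(3000)):
        print(len(cmd), cmd[:70] + "...")
```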