Monday, 24 March 2008

Cisco Router DMZ

I said before that I would most likely come back to DMZs at a later date, and here it is. First we need to clear up some terms so that we don't get confused. For this post I'm going to name the interfaces public, private and DMZ, which should keep things clear, along with source and destination: the source is the IP address and port the traffic is coming from, and the destination is, well, you guessed it.

Part One: inbound traffic
In this example I have a private range of 192.168.32.x and a DMZ range of 192.168.30.x.

Now, because the 192.168.x.x range (and the other private ranges, 10.x.x.x and 172.16.x.x) is well known to hackers and other malicious programs, the first thing we are going to do is stop spoofed packets, ones arriving from the outside that claim one of our internal addresses as their source, from entering the network.

access-list 100 remark drop anything arriving from the internet with a DMZ or private source address
access-list 100 deny ip 192.168.30.0 0.0.0.255 any
access-list 100 deny ip 192.168.32.0 0.0.0.255 any
access-list 100 permit ip any any

This access list is applied inbound on my public interface, in this case serial0/0.

interface serial0/0
 ip access-group 100 in

Notice that the word in is used. If I had used out I would have blocked all traffic with these IP addresses leaving my network; with in I am blocking all traffic with these source addresses entering my network.

Now I'm going to create another access list that allows only DMZ-sourced traffic in on the DMZ interface.

access-list 101 permit ip 192.168.30.0 0.0.0.255 any

and apply it inbound on my DMZ interface, in this case ethernet0/0.

interface ethernet0/0
 ip access-group 101 in

Now on to the private network, where I stop everything except my internal range from being able to use this interface.

access-list 102 permit ip 192.168.32.0 0.0.0.255 any

and apply it inbound on my private interface, which in this case is ethernet0/1.

interface ethernet0/1
 ip access-group 102 in

OK, now the first part is done: we have set up what traffic can enter our network on each interface, but we haven't yet said what can leave it. At the moment any traffic can leave through an interface as long as it has the right IP range for that interface, so it's time to create three more access lists, one per interface, applied with the out keyword. First up is the public interface.

Just before we begin creating these lists we need to look at what we need to allow and where from. We don't want to allow everything, as that would make the list useless, but at the same time we need to allow some traffic, so make a quick list of which services need access to the outside world.

In my case I have an email, DNS, web and proxy server on the DMZ, and these are accessed from both the public and private networks.

Part Two: outbound traffic
First, let's say we want to be able to ping the outside world and the DMZ from the private LAN, so we will need ICMP. I'm also going to need my DNS server to be able to send and receive DNS zone updates and requests.

I've put my servers on the following IP addresses; this will make it easier when you read the access lists to see where the traffic is going.

eMail 192.168.30.4
DNS 192.168.30.3
Web 192.168.30.2
Proxy 192.168.30.1

I'm also going to apply the outgoing access lists to the interfaces like this:
list 103 Public interface
list 104 DMZ interface
list 105 Private interface

First we'll build the ACL for the public interface. This should allow all your outbound connections from the DMZ to reach the internet, including the replies the DMZ servers send back to sessions that were opened from the internet.


access-list 103 remark replies from DMZ servers to sessions opened from the internet (ACK or RST set)
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any established
access-list 103 remark DNS server: queries, replies and zone transfers
access-list 103 permit udp host 192.168.30.3 eq domain any eq domain
access-list 103 permit udp host 192.168.30.3 gt 1023 any eq domain
access-list 103 permit udp host 192.168.30.3 eq domain any gt 1023
access-list 103 permit tcp host 192.168.30.3 any eq domain
access-list 103 remark ping replies from the DMZ, the proxy to anywhere, the mail server to remote SMTP
access-list 103 permit icmp 192.168.30.0 0.0.0.255 any echo-reply
access-list 103 permit tcp host 192.168.30.1 any
access-list 103 permit tcp host 192.168.30.4 any eq smtp


After that we have the all-important DMZ list. This has to allow traffic in from the internet and from the LAN, but only what is needed.


access-list 104 remark replies into the DMZ for sessions the DMZ servers opened (ACK or RST set)
access-list 104 permit tcp any 192.168.30.0 0.0.0.255 established
access-list 104 remark DNS traffic to the DNS server
access-list 104 permit udp any eq domain host 192.168.30.3 eq domain
access-list 104 permit udp any eq domain host 192.168.30.3 gt 1023
access-list 104 permit udp any gt 1023 host 192.168.30.3 eq domain
access-list 104 remark pings in, the public web server, and LAN-only access to the proxy
access-list 104 permit icmp any 192.168.30.0 0.0.0.255 echo
access-list 104 permit tcp any host 192.168.30.2 eq www
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 range ftp-data ftp
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 eq telnet
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 eq 8080
access-list 104 remark active-mode FTP data connections back to the proxy
access-list 104 permit tcp any eq ftp-data host 192.168.30.1 gt 1023
access-list 104 remark inbound mail, and DNS over TCP from the two 172.16.1.x hosts
access-list 104 permit tcp any host 192.168.30.4 eq smtp
access-list 104 permit tcp host 172.16.1.2 host 192.168.30.3 eq domain
access-list 104 permit tcp host 172.16.1.4 host 192.168.30.3 eq domain


And finally we configure the private interface to let traffic from the DMZ into the LAN, but only as replies to requests from the LAN.

access-list 105 remark only replies from the DMZ to sessions the LAN opened, plus pings and mail delivery
access-list 105 permit tcp 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255 established
access-list 105 permit icmp 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255 echo-reply
access-list 105 permit tcp host 192.168.30.1 eq ftp-data 192.168.32.0 0.0.0.255 gt 1023
access-list 105 permit tcp host 192.168.30.4 192.168.32.0 0.0.0.255 eq smtp

Now that all the access lists have been written we need to apply them to the interfaces, like so.

interface serial0/0
 ip access-group 100 in
 ip access-group 103 out

interface ethernet0/0
 ip access-group 101 in
 ip access-group 104 out

interface ethernet0/1
 ip access-group 102 in
 ip access-group 105 out
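As an added example (not part of the original post), here is a small Python evaluator for the numbered-ACL syntax used in both parts above. It parses a constructed subset of lists 100, 103 and 104, with the established line in 103 written with the DMZ as the source (the direction that can match on an outbound public-interface ACL), and runs sample flows through them to show first-match-wins, the effect of the established keyword, and the implicit deny at the end of every list. The outside client 203.0.113.5 and LAN host 192.168.32.10 are constructed addresses.

```python
"""Evaluate Cisco-style numbered ACLs against sample flows (added example, not from the post)."""
import ipaddress
from collections import namedtuple

# Constructed config: a subset of the post's lists 100, 103 and 104.
CONFIG = """
access-list 100 deny ip 192.168.30.0 0.0.0.255 any
access-list 100 deny ip 192.168.32.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any established
access-list 103 permit tcp host 192.168.30.1 any
access-list 103 permit tcp host 192.168.30.4 any eq smtp
access-list 104 permit tcp any 192.168.30.0 0.0.0.255 established
access-list 104 permit icmp any 192.168.30.0 0.0.0.255 echo
access-list 104 permit tcp any host 192.168.30.2 eq www
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 range ftp-data ftp
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 eq 8080
"""
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20, "telnet": 23}

# src/dst are (address, wildcard) integer pairs; sport/dport are ("eq", 53), ("gt", 1023),
# ("range", 20, 21) or None; qualifier is established, echo, echo-reply or None.
Rule = namedtuple("Rule", "action proto src sport dst dport qualifier")
# established = TCP segment with ACK or RST set; icmp_type = echo or echo-reply.
Packet = namedtuple("Packet", "proto src dst sport dport established icmp_type",
                    defaults=(0, 0, False, ""))

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    """any | host A.B.C.D | A.B.C.D W.W.W.W  ->  ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_portop(t, i):
    """Optional eq/gt/lt/range operator; well-known names resolve through PORT_NAMES."""
    port = lambda x: PORT_NAMES.get(x) or int(x)
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", port(t[i + 1]), port(t[i + 2])), i + 3
    return None, i

def parse_acls(text):
    """Group 'access-list N ...' entries by list number, in the order written."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_portop(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_portop(t, i)
        qualifier = t[i] if i < len(t) else None
        acls.setdefault(t[1], []).append(Rule(t[2], t[3], src, sport, dst, dport, qualifier))
    return acls

def _addr_ok(spec, addr):       # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def _port_ok(op, port):
    if op is None:
        return True
    if op[0] == "range":
        return op[1] <= port <= op[2]
    return {"eq": port == op[1], "gt": port > op[1], "lt": port < op[1]}[op[0]]

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for r in acl:
        if (r.proto in ("ip", pkt.proto)
                and _addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)
                and _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)
                and (r.qualifier != "established" or pkt.established)
                and (r.qualifier not in ("echo", "echo-reply") or pkt.icmp_type == r.qualifier)):
            return r.action
    return "deny"

ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    outside, web, proxy = "203.0.113.5", "192.168.30.2", "192.168.30.1"   # constructed hosts
    flows = [
        ("100 in : spoofed DMZ source from outside", "100", Packet("tcp", web, outside, 80, 40000)),
        ("104 out: outside client to web server :80", "104", Packet("tcp", outside, web, 40000, 80)),
        ("104 out: outside host to proxy :8080", "104", Packet("tcp", outside, proxy, 50000, 8080)),
        ("103 out: web server reply, ACK set", "103", Packet("tcp", web, outside, 80, 40000, True)),
        ("103 out: web server opening a new session", "103", Packet("tcp", web, outside, 45000, 80)),
    ]
    for label, number, pkt in flows:
        print(f"{evaluate(ACLS[number], pkt):6}  {label}")
```

Running it shows the web server answering an internet client (permit) but unable to open sessions of its own to the internet (deny), and the proxy's port 8080 reachable from the LAN but not from outside; the same evaluator can be pointed at a full copy of the lists above to check a change before it goes on the router.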

I hope all this hasn't lost you. If it has, or you need more detail on something, write me a comment; I do read them.

Thursday, 20 March 2008

IIS6 Optimized

In larger environments you can load balance your web farm and most likely just add another server where needed, but in smaller farms this can be a cost issue, so here are some tips on getting the best out of your IIS box. These tips also apply to SharePoint, so those of you using SharePoint Services might want to take note too.

1) Under System Properties change the performance options: set Processor scheduling to Background services and Memory usage to System cache. This will improve the performance of services like IIS, but on servers running Citrix or other programs that run on top of the server it is not recommended, as the sessions will slow down.

2) Split the page file across logical partitions to spread paging I/O over the drives and prevent bottlenecks.

3) On the network cards set Maximize data throughput for network applications; this will make the system cache bigger.

4) Under each application pool, configure the worker process to be recycled after consuming a set amount of memory or number of connections. This prevents the pool from taking up too much memory and also stops it hanging because it has grown too large to recycle.


These simple steps will help your system remain stable and keep IIS running longer without problems, but in the long run I would recommend looking at an active/active cluster with Windows Network Load Balancing.

Saturday, 8 March 2008

Building a Secure SharePoint Server

There are some rules when building your SharePoint environment. One of them is to locate your SharePoint server where it will be used: if it's for internal use only, then behind the firewall and network protection of your company; if it's going to be public facing, then somewhere on your DMZ, and if you don't have a DMZ you should build one. I will most likely cover how to build a DMZ in another blog posting later.

So here are the steps for a medium or large environment. The steps for SBS are not the same, and if you have everything on one box like SBS you have already broken the security rule of never having all your passwords in one place.

Step One
The first thing you need to do is create a service account. Remember that this should not be used by a person and therefore never changes, so a complex password is a good idea, as you do not want this account to be hacked. This account should have only user rights in the domain and local admin rights on the SQL server itself.

Step Two
Which SQL 2005 components you install is always going to depend on your needs, but the important thing is to use Windows authentication. Another tip is to create this as a named instance, not just the default instance. Also think about whether you are using this SQL server for other SQL applications; if so, put them on a different instance to avoid security issues. Remember it is recommended to have an instance per department or role, so as an example you would never put the finance database in the same instance as public web-facing databases. As the install gets to the end you will be asked for an account for it to run under; this is where you enter your service account.

Step Three
Loose ends are left even when Windows authentication is used. As an example, there is still an SA user, and even if it can't be used to authenticate at the moment that might change, so I strongly recommend you create a complex password for SA and rename SA, or better yet disable it. I like to disable it as it's more secure.

Here is a sample script to do it:
-- rename the built-in sa login, then disable it so the well-known name no longer works
ALTER LOGIN sa WITH NAME = DBA_ADMIN;
ALTER LOGIN DBA_ADMIN DISABLE;

Step Four
Since someone will have to act as your database administrator, and it is not a good idea for that to be the whole admin team as some don't have the skills, you should add a group that will have sysadmin rights. With 2005 a default group is created with this right, if you want to use it:

"domain\SQLServer2005MSSQLUser$server$instance"

This group name is made up of your domain, server and instance name, so it should be unlike any other in your domain. Make sure the database administrator is a member of this group before removing the BUILTIN\Administrators login in the next step.

Step Five
Make sure you have at least one database administrator before you do this, as otherwise you risk locking yourself out of SQL.
Remove the BUILTIN\Administrators login in SQL.

Install the most current service pack and hotfixes; as with all products, it's only as secure as the latest fix.

Step Six
This is one you might not all use, but I do recommend it if you have the CPU and drive space for large event log files: enable C2 auditing. This can only be done by query; the syntax is as follows.

EXEC sp_configure 'c2 audit mode', 1
GO
RECONFIGURE
GO

Depending on your version of SQL you might not be able to use this command without first enabling advanced options. They can be enabled with the following syntax:

EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO


Now for the moment you've been waiting for...
The SharePoint Install
Installing SharePoint doesn't take too long now you've got your SQL set up.

Step One
Create a service account for SharePoint to use. This only needs to be a normal domain user account, but again remember no user will be logging on with it, so make the name and the password complex.

Step Two
Again before we start the SharePoint install, add the SharePoint service account to SQL. It will need to be able to create config databases, content databases and even index ones, so you will need to assign the dbcreator role to the account for it to function normally.

Step Three
Install SharePoint using our secured SQL server to host the databases. Do not install MSDE or SQL Express on your SharePoint box unless it is a standalone server; otherwise you will have defeated the point of creating a secure server at the beginning.

Thursday, 6 March 2008

To Dot NET or not to Dot NET

The other day we had a large problem with applications and servers that have .NET installed for running server-side scripts such as ASP: thanks to a missing registry key the wrong version of .NET was detected, so in response I thought I'd show you how to find the real version number.

Find vbc.exe on your computer. You might have more than one; I have three in fact, and the folder location, as you can see, shows the version numbers. However, this doesn't show the true version of the files in them:
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727


In order to know the true version number you must run the file from the command line:

C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705>vbc
Microsoft (R) Visual Basic .NET Compiler version 7.00.9951
for Microsoft (R) .NET Framework version 1.00.3705.6060
Copyright (C) Microsoft Corporation 1987-2001. All rights reserved.

Now you see the true value is 1.00.3705.6060, showing the service pack and hotfix version on the end. This is sometimes the only way of knowing what version is really installed, as the registry has missing lines.
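As an added example (not part of the original post), a Python script that automates the check above: it runs vbc.exe in every vX folder under the Framework directory, parses the ".NET Framework version" line of the banner, and flags folders whose name does not agree with the build the compiler actually reports. The Framework root path is assumed to be the default install location; the embedded banner is a constructed copy of the post's output and is what the offline checks use.

```python
"""Report the .NET Framework build each Framework\\vX folder really contains (added example)."""
import os
import re
import subprocess
from typing import Dict, Optional

FRAMEWORK_ROOT = r"C:\WINDOWS\Microsoft.NET\Framework"      # assumption: default install path

# Constructed banner, copied from the post's vbc output, used for offline checks.
SAMPLE_BANNER = """Microsoft (R) Visual Basic .NET Compiler version 7.00.9951
for Microsoft (R) .NET Framework version 1.00.3705.6060
Copyright (C) Microsoft Corporation 1987-2001. All rights reserved.
"""

_FRAMEWORK_RE = re.compile(r"\.NET Framework version (\d+(?:\.\d+)+)")


def parse_framework_version(banner: str) -> Optional[str]:
    """Pull the 'for ... .NET Framework version X' value out of vbc's banner."""
    m = _FRAMEWORK_RE.search(banner)
    return m.group(1) if m else None


def folder_matches_build(folder: str, reported: str) -> bool:
    """v1.0.3705 vs 1.00.3705.6060: same major/minor/build? The folder name never
    carries the trailing service-pack/hotfix number, so only the first three parts count."""
    try:
        want = [int(p) for p in folder.lstrip("v").split(".")]
        have = [int(p) for p in reported.split(".")]
    except ValueError:
        return False
    return want[:3] == have[:3]


def true_versions(root: str = FRAMEWORK_ROOT) -> Dict[str, Optional[str]]:
    """Run vbc.exe in every vX folder and record the version it reports (Windows only)."""
    found = {}
    for name in sorted(os.listdir(root)):
        vbc = os.path.join(root, name, "vbc.exe")
        if not os.path.isfile(vbc):
            continue
        # vbc exits non-zero when given no inputs; the banner is still printed.
        proc = subprocess.run([vbc], capture_output=True, text=True)
        found[name] = parse_framework_version(proc.stdout + proc.stderr)
    return found


if __name__ == "__main__":
    for folder, version in true_versions().items():
        flag = "" if version and folder_matches_build(folder, version) else "  <-- folder name disagrees"
        print(f"{folder:<12} {version}{flag}")
```

The parser and the comparison work offline; only true_versions needs a Windows box with the Framework directory in place.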