howdy-howdy....harrybbbb here posting up more of my Windows
Small Business Server 2003 Best Practices book for your general
consumption...hope to have the whole darn thing posted up by the
time SBS 2008 ships!
harrybbbb
Harry Brelsford | ceo at smb nation | www.smbnation.com
###
Defining Basic Firewall/NAT
Meanwhile, back in the lecture hall, it’s time to
lay one down on you about NAT and the Basic Firewall. You can use
Basic Firewall to help secure your network from unsolicited
public network traffic, such as traffic sent from the Internet.
People who send such traffic might be trying to access your
network without your permission. You can enable Basic Firewall
for any public interface, including one that also provides
network address translation (also known as NAT, an Internet
Protocol (IP) address translation process that lets a network
using private addresses reach information on the Internet).
How Basic Firewall Works
First of all, what is a firewall? Quoting directly from the
online help system in SBS 2003: A firewall is a combination of
hardware and software that provides a security system, usually
to prevent unauthorized access from outside to an internal
network or intranet. A firewall prevents direct communication
between network and external computers by routing communication
through a proxy server outside the network. The proxy server
determines whether it is safe to let a file pass through to the
network. Also called a security-edge gateway.
Visit www.smbnation.com for additional SMB
and SBS book, newsletter and conference resources.
Next,
the Basic Firewall provided via RRAS in SBS 2003 is a stateful
firewall which combines dynamic packet filtering of network
traffic with a set of static packet filters. Said Basic Firewall
monitors traffic that travels through the interface for which
Basic Firewall is enabled. If the interface is configured for
private network traffic only, Basic Firewall will route traffic
among the computers on the private network only. The Basic
Firewall will route traffic between a private network and virtual
private network (VPN). I define a VPN below in the advanced
section.
If the
interface is configured for private network traffic and to
provide NAT, each packet’s source and destination addresses
are recorded in a table. All traffic from the public network is
compared to the entries in the table. Traffic from the public
network can reach the private network only if the table contains
an entry that shows that the communication exchange originated
from within the private network. In this way, Basic Firewall
prevents unsolicited traffic from a public network (such as the
Internet) from reaching a private network. This is a key point,
pardner: We’re keeping the bad guy out here.
Service Accessibility
Perhaps you noticed earlier in this RRAS section that
adding the additional services by name and port was as easy as
dropping beneath the hood and simply selecting from the bevy of
services contained on the Services and Ports screen (which you
observed in the last step-by-step procedure above). The services
on the Services and Ports screen are listed here.
• FTP Server
• Internet Mail Access Protocol Version 3 (IMAP3)
• Internet Mail Access Protocol Version 4 (IMAP4)
• Internet Mail Server (SMTP)
• IP Security (IKE)
• IP Security (IKE NAT Traversal)
• Post-Office Protocol Version 3 (POP3)
• Remote Desktop
• Secure Web Server (HTTPS)
• Telnet Server
• VPN Gateway (L2TP/IPSec - running on this server)
• VPN Gateway (PPTP)
• Web Server (HTTP)
Visit www.microsoft.com/technet for the
latest updates for any Microsoft product.
And
if you insist, you can always add different services via the Add
button on the Services and Ports tab just like you could back in
the EICW.
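As an added illustration (my own toy model, not code from the book or from SBS 2003), the following Python model of the Basic Firewall's translation table plus the static filters behind the Services and Ports screen shows why a reply to a LAN-initiated exchange gets through, why an unsolicited probe from the Internet is dropped, and why a published service (HTTPS here) is reachable. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class BasicFirewallNat:
    """Toy model of the stateful NAT/Basic Firewall on one public interface."""
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # dynamic table: (public port, remote ip, remote port) -> private (ip, port)
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # static filters: public port -> private (ip, port), i.e. published services
        self.published: Dict[int, Tuple[str, int]] = {}

    def publish(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Like ticking a service on the Services and Ports screen."""
        self.published[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: record the exchange, then rewrite the source address."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: pass a reply to a LAN-started exchange or a published service; drop the rest."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.published.get(pkt.dst_port)
        if target is None:
            return None  # unsolicited public traffic: no table entry, no static filter
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

def demo() -> Tuple[bool, bool, bool]:
    """Returns (reply forwarded, unsolicited probe dropped, published HTTPS forwarded)."""
    fw = BasicFirewallNat("203.0.113.10")          # constructed public address
    fw.publish(443, "192.168.16.2", 443)           # "Secure Web Server (HTTPS)" on the SBS box
    out = fw.outbound(Packet("192.168.16.5", 51000, "198.51.100.7", 80))
    reply = fw.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    probe = fw.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 40000))
    https = fw.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 443))
    return reply is not None, probe is None, https is not None
```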
Get Certified!
A
cool feature that is managed by the Web Server Certificate page
in the EICW is the ability to easily install a self-signed
certificate on your SBS 2003 server machine.
BEST PRACTICE: Note the self-signed
certificate is not the same as installing and configuring
Certificate Services to create a certificate authority. (You can
see via Control Panel, Add/Remove Programs, Windows Components
that Certificate Services HAS NOT BEEN INSTALLED and configured
after the Web Server Certificate page in the EICW is complete.)
As author Roberta Bragg put it to me, it’s
“kool” but it’s not Certificate Services. This
is important to understand and perhaps you’d want to
proceed to install Certificate Services for other purposes such
as e-commerce. That suggestion begs the next point.
So, do you need to continue to pay the
SSL King (Verisign) his ransom in the world of SBS 2003? The
answer is perhaps not if you were using Certificate Services as
your certificate authority. So, save those dollars to be spent on
something more meaningful like taking your spouse/partner out to
dinner (a real nice dinner in Vegas with your Verisign savings!).
Real
world speaking, this self-signed Web certificate will be most
noticeable in two ways to users. First, the address in a Web
browser (known as the URL) will start with the prefix HTTPS.
Second, you’ll typically need to approve the certificate
when a security dialog box appears as a user commences a Web
session on the SBS 2003 server. And how do you explain this to
the same real-world users? Tell them this is akin to logging on
to their bank (e.g., Wells Fargo) or brokerage firm (e.g.,
ETrade).
BEST
PRACTICE: The Web Server Certificate page in the EICW
dramatically reduces the number of keystrokes you had to perform
in the SBS 2000 time frame to achieve the “nearly”
same kind of security-related functionality (granted, I’m
comparing apples to oranges here for a few minutes, but go with
it). Again, a self-signed certificate and Certificate Services
are not the exact same thing.
In my
now retired Advanced SBS 2000 Workshop, I demonstrated the
keystrokes necessary to (1) install Certificate Services from
Control Panel, Add/Remove Programs, Windows Components, (2)
create a self-signed certificate, (3) apply the certificate to
the appropriate locations (e.g., root of the default Web site in
SBS 2003 that houses OWA), and (4) apply the SSL setting to child
objects (e.g., the Public folder under IIS). Note these steps, in
the SBS 2000 time frame, were documented in the following
documents:
• a white paper titled “Step-by-Step Guide for
Setting Up a Certificate Authority”
• the following KBase article: “Turning on SSL for
Exchange 2000 Server Outlook Web Access” (Q320291)
• KBase article: “How to Force SSL Encryption for an Outlook Web
Access 2000 Client” (Q279681)
This
kinda stuff is now handled via the Web Server Certificate page in
the EICW (at least as far as the typical SBS network is
concerned). Note the enterprise security folks reading this book
would of course beg to differ and point out huge differences in a
self-signed certificate and Certificate Services, such as the
ability to issue certificates for IPSec (which our little
ol’ self-signed certificate can’t do). Enough said.
Advanced SBS Security Topics
No
chapter worth its security salt could be devoid of a few advanced
security topics even though said topics are beyond the scope of
this introductory volume on SPRINGERS! While my future advanced
SBS 2003 text will delve deeper and fly further on a single tank
of gas, try on a few of the following advanced security topics
for size. Security is of such importance that this is one time we
can clearly take a respite from the SPRINGERS story line and
explore:
Hardware-Based Firewall
Yes, Virginia, there is native SBS 2003
support for hardware-based firewalls. It’s kosher as well
and you’ll be accepted in the open and affirming SBS
community. Best of all, when you select the router option in the
EICW as you set up the network connection (see the third screen
regarding connection type in the EICW), you’ll be able to
take advantage of a really cool SBS 2003 feature: It
automatically configures hardware-based routers as part of its
wizardry! Say what? This isn’t a misprint. What occurs is
this. If your hardware-based firewall is Universal Plug and Play
(UPNP) compliant (this is an industry standard) and you provide
sufficient credentials (that allow you to configure the
hardware-based firewall itself), then the EICW will open the
correct ports to support the services you’ve selected that
need access from the Internet.
Dual-Firewall
Another
popular configuration with SBS 2003 is to implement a dual
firewall. In this case, you’d use the built-in firewall
capability in SBS 2003 and then supplement that on the network
border with an additional firewall. Note this additional firewall
is typically hardware-based, but could very well be a
software-based firewall from another vendor. A view of a dual
firewall scenario is shown in Figure 5-12.
Figure 5-12
This is your
road map for implementing a dual-firewall scenario with SBS 2003.
BEST
PRACTICE: You could implement a dual firewall scenario with
either SBS 2003 standard edition (with the RRAS NAT/Basic
Firewall) or SBS 2003 premium edition (with ISA Server 2000
discussed later in Chapter 13).
What Is a VPN?
No,
this isn’t a trick question. Many readers of this book
might not actually know what a VPN is. Don’t believe me?
Then you should have been there during the filming of an SBS
setup video at Microsoft Studios on 158th Ave NE in Redmond the
day we forgot to define VPN in the script. An important marketing
manager discovered this omission and we had to play some
Hollywood magic to splice in a short lecture on VPN connectivity
in the post production phase. Needless to say, this drove up the
video costs and since that day, I’ve never forgotten to add
this lecture in any chapter where it makes sense.
Here is the official definition of a
VPN taken from the online help system in SBS 2003: The extension
of a private network that encompasses encapsulated, encrypted,
and authenticated links across shared or public networks. VPN
connections can provide remote access and routed connections to
private networks over the Internet for client computers. However,
computers that are part of a private network will not be able to
detect computers outside of the private network, and computers
that are not part of the private network will not be able to
detect computers that belong to the private network.
Relating VPN connectivity to security is the next step.
You might be saying “Who cares?” at this point. Both
you and I care. When the shoe fits, establishing a VPN connection
using either the point-to-point tunneling protocol (a poor
man’s encryption method) or layer-two tunneling protocol (a
rich man’s encryption method that requires a certificate
authority) creates a secure link between a remote computer and
the SBS 2003 network. Essentially, you can compute with less
worry from afar.
BEST PRACTICE: I’ll touch on VPN connectivity in Chapter
8 again with step by step procedures. And don’t forget you
actually configured server-side VPN connectivity in Chapter 4
when you completed the Configure Remote Access link. Be advised
much deeper discussion is beyond the scope of this introductory
SBS 2003 volume. Look for richer VPN discussion in my advanced
SBS 2003 text due in mid-2004.