SBS 2003 NAT\Basic Firewall built-in (Chapter 5 excerpt)

howdy-howdy….harrybbbb here posting up more of my Windows Small Business Server 2003 Best Practices book for your general consumption…hope to havethe whole darnt hing posted up by the time SBS 2008 ships!

harrybbbb

Harry Brelsford | ceo at smb nation | www.smbnation.com

###

Defining Basic Firewall/NAT

Meanwhile, back in the lecture hall, it’s time to lay one down on you about NAT and the Basic Firewall. You can use Basic Firewall to help secure your network from unsolicited public network traffic, such as traffic sent from the Internet. People who send such traffic might be trying to access your network without your permission. You can enable Basic Firewall for any public interface, including one that also provides network address translation (also known as NAT, an Internet Protocol (IP) translation process that allows a network with private addresses to access information on the Internet for your network).

How Basic Firewall Works

First of all, what is a firewall? Quoting directly from the online help system in SBS 2003: A firewall is a combination of hardware and software that provides

 Visit http://www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.

a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between network and external computers by routing communication through a proxy server outside the network. The proxy server determines whether it is safe to let a file pass through to the network. Also called a security-edge gateway.

Next, the Basic Firewall provided via RRAS in SBS 2003 is a stateful firewall which combines dynamic packet filtering of network traffic with a set of static packet filters. Said Basic Firewall monitors traffic that travels through the interface for which Basic Firewall is enabled. If the interface is configured for private network traffic only, Basic Firewall will route traffic among the computers on the private network only. The Basic Firewall will route traffic between a private network and virtual private network (VPN). I define a VPN below in the advanced section.

If the interface is configured for private network traffic and to provide NAT, each packet’s source and destination addresses are recorded in a table. All traffic from the public network is compared to the entries in the table. Traffic from the public network can reach the private network only if the table contains an entry that shows that the communication exchange originated from within the private network. In this way, Basic Firewall prevents unsolicited traffic from a public network (such as the Internet) from reaching a private network. This is a key point, pardner: We’re keeping the bad guy out here.

Service Accessibility

Perhaps you noticed earlier in this RRAS section that adding the additional services by name and port was as easy as dropping beneath the hood and simply selecting from the bevy of services contained on the Services and Ports screen (which you observed in the last step-by-step procedure above). The services on the Services and Ports screen are listed here.

                      FTP Server

                      Internet Mail Access Protocol Version 3 (IMAP3)

                      Internet Mail Access Protocol Version 4 (IMAP4)

                      Internet Mail Server (SMTP)

 

 Visit http://www.microsoft.com/technet for the latest updates for any Microsoft product.

 

                      IP Security (IKE)

                      IP Security (IKE NAT Traversal)

                      Post-Office Protocol Version 3 (POP3)

                      Remote Desktop

                      Secure Web Server (HTTPS)

                      Telnet Server

                      VPN Gateway (L2TP/IPSec – running on this server)

                      VPN Gateway (PPTP)

                      Web Server (HTTP)

 

And if you insist, you can always add different services via the Add button on the Services and Ports tab just like you could back in the EICW.

Get Certified!

A cool feature that is managed by the Web Server Certificate page in the EICW is the ability to easily install a self-signed certificate on your SBS 2003 server machine.

BEST PRACTICE: Note the self-signed certificate is not the same as installing and configuring Certificate Services to create a certificate authority. (You can see via Control Panel, Add/Remove Programs, Windows Components that Certificate Services HAS NOT BEEN INSTALLED and configured after the Web Server Certificate page in the EICW is complete.) As author Roberta Bragg put it to me, it’s “kool” but it’s not Certificate Services. This is important to understand and perhaps you’d want to proceed to install Certificate Services for other purposes such as e-commerce. That suggestion begs the next point.

So, do you need to continue to pay the SSL King (Verisign) his ransom in the world of SBS 2003? The answer is perhaps not if you were using Certificate Services as your certificate authority. So, save those dollars to be spent on something more meaningful like taking your spouse/partner out to dinner (a real nice dinner in Vegas with your Verisign savings!).

Real world speaking, this self-signed Web certificate will be most noticeable in two ways to users. First, the address in a Web browser (known as the URL) will start with the prefix HTTPS. Second, you’ll typically need to approve the certificate when a security dialog box appears as a user commences a Web session on the SBS 2003 server. And how do you explain this to the same real-world users? Tell them this is akin to logging on to their bank (e.g., Wells Fargo) or brokerage firm (e.g., ETrade).

BEST PRACTICE: The Web Server Certificate page in the EICW is dramatically reducing the number of keystrokes you had to perform in the SBS 2000 time frame to achieve the “nearly” same kind of security-related functionality (granted, I’m comparing apples to oranges here for a few minutes, but go with it). Again, a self-signed certificate and Certificate Services are not the exact same thing.

In my now retired Advanced SBS 2000 Workshop, I demonstrated the keystrokes necessary to (1) install Certificate Services from Control Panel, Add/Remove Programs, Windows Components, (2) create a self-signed certificate, (3) apply the certificate to the appropriate locations (e.g., root of the default Web site in SBS 2003 that houses OWA), and (4) apply the SSL setting to child objects (e.g., the Public folder under IIS). Note these steps, in the SBS 2000 time frame, were documented in the following documents:

                      a white paper titled “Step-by-Step Guide for Setting Up a Cer­tificate Authority”

                      the following KBase article: “Turning on SSL for Exchange 2000 Server Outlook Web Access” (Q320291)

 

 Visit http://www.microsoft.com/technet for the latest updates for any Microsoft product.

          KBase article: “How to Force SSL Encryption for an Outlook Web Access 2000 Client” (Q279681)

This kinda stuff is now handled via the Web Server Certificate page in the EICW (at least as far as the typical SBS network is concerned). Note the enterprise security folks reading this book would of course beg to differ and point out huge differences in a self-signed certificate and Certificate Services, such as the ability to issue certificates for IPSec (which our little ol’ self-signed certificate can’t do). Enough said.

Advanced SBS Security Topics

No chapter worth its security salt could be devoid of a few advanced security topics even though said topics are beyond the scope of this introductory volume on SPRINGERS! While my future advanced SBS 2003 text will delve deeper and fly further on a single tank of gas, try on a few of the following advanced security topics for size. Security is of such importance that this is one time we can clearly take a respite from the SPRINGERS story line and explore:

Hardware-Based Firewall

Yes, Virginia, there is native SBS 2003 support for hardware-based firewalls. It’s kosher as well and you’ll be accepted in the open and affirming SBS community. Best of all, when you select the router option in the EICW as you set up the network connection (see the third screen regarding connection type in the EICW), you’ll be able to take advantage of a really cool SBS 2003 feature: It automatically configures hardware-based routers as part of its wizardry! Say what? This isn’t a misprint. What occurs is this. If your hardware-based firewall is Universal Plug and Play (UPNP) compliant (this is an industry standard) and you provide sufficient credentials (that allow you to configure the hardware-based firewall itself), then the EICW will open the correct ports to support the services you’ve selected that need access from the Internet.

Dual-Firewall

Another popular configuration with SBS 2003 is to implement a dual firewall. In this case, you’d use the built-in firewall capability in SBS 2003 and then supplement that on the network border with an additional firewall. Note this additional firewall is typically hardware-based, but could very well be a software-based firewall from another vendor. A view of a dual firewall scenario is shown in Figure 5-12.

Figure 5-12

This is your road map for implementing a dual-firewall scenario with SBS 2003.

BEST PRACTICE: You could implement a dual firewall scenario with either SBS 2003 standard edition (with the RRAS NAT/Basic Firewall) or SBS 2003 premium edition (with ISA Server 2000 discussed later in Chapter 13).

What Is a VPN?

No, this isn’t a trick question. Many readers of this book might not actually know what a VPN is. Don’t believe me? Then you should have been there during the filming of an SBS setup video at Microsoft Studios on 158th Ave NE in Redmond the day we forgot to define VPN in the script. An important marketing manager discovered this omission and we had to play some Hollywood magic to splice in a short lecture on VPN connectivity in the post production phase. Needless to say, this drove up the video costs and since that day, I’ve never forgotten to add this lecture in any chapter where it makes sense.

 Visit http://www.microsoft.com/technet for the latest updates for any Microsoft product.

Here is the official definition of a VPN taken from the online help system in SBS 2003: The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet client computers. However, computers that are part of a private network will not be able to detect computers outside of the private network, and computers that are not part of the private network will not be able to detect computers that belong to the private network.

Relating VPN connectivity to security is the next step. You might be saying “Who cares?” at this point. Both you and I care. When the shoe fits, establishing a VPN connection using either the point-to-point tunneling protocol (a poor man’s encryption method) or layer-two tunneling protocol (a rich man’s encryption method that requires a certificate authority) creates a secure link between a remote computer and the SBS 2003 network. Essentially, you can compute with less worry from afar.

BEST PRACTICE: I’ll touch on VPN connectivity in Chapter 8 again with step by step procedures. And don’t forget you actually configured server-side VPN connectivity in Chapter 4 when you completed the Configure Remote Access link. Be advised much deeper discussion is beyond the scope of this introductory SBS 2003 volume. Look for richer VPN discussion in my advanced SBS 2003 text due in mid-2004.

Advertisements

Leave a comment

Filed under Book

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s