Stevo
Newbie
Joined: 11 November 2002
Location: Australia
Status: Offline
Points: 37
|
Topic: Securing External Access Posted: 03 February 2004 at 8:06pm |
Hi All,
Just wondering if anyone can give me a quick pointer - I want to allow access for a single website through our firewall. We host multiple internal sites to which no access should be available. I was planning on assigning the 'externally available' site a high, obscure port number and only allow that port through the firewall (and use port mapping through NAT), assign it to the site, and continue to block port 80. Will that give adequate security - and are there other concerns with allowing a non-specific port through (e.g. 8299)?
Many thanks for any ideas,
Regards Steve

|
 |
pmormr
Senior Member
Joined: 06 January 2003
Location: United States
Status: Offline
Points: 1479
|
Posted: 06 February 2004 at 8:46am |
|
Why? Not using port 80 requires you to go through some extra steps for clients to access the website. If you're really that paranoid, then just set up something like a VPN and make people connect to the intranet remotely before they can even see the website.
|
|
|
 |
Stevo
Newbie
Joined: 11 November 2002
Location: Australia
Status: Offline
Points: 37
|
Posted: 06 February 2004 at 10:06pm |
Well, opening up port 80 means that all our webs will be available. People will only access the site via a link anyway - which will only entail putting the port number in the link (www.domain.com:8301/etc.asp). Not that much of a hassle. Don't want to be paranoid - just sensible.
Steve
|
 |
Mart
Senior Member
Joined: 30 November 2002
Status: Offline
Points: 2304
|
Posted: 07 February 2004 at 5:32am |
|
Why not just use authentication on port 80? You don't need any scripts, just disallow anonymous access and make an account for everyone who you want to allow access.
|
 |
Stevo
Newbie
Joined: 11 November 2002
Location: Australia
Status: Offline
Points: 37
|
Posted: 07 February 2004 at 11:10am |
Hi Mart,
The problem is that I don't want to have to create an account for every user, and many of them will just be the general public that will be accessing the pages as an online sample of our product. That's why the access should more or less be freely available - but only to that application - that's why I keep coming back to securing through port.
However, I do feel that authentication is important - as I currently think our local intranet sites just use the anonymous account. So perhaps the 'exposed' site - through this port - can use the anon account, and the rest Win2K logons. I still can't make sense of allowing TCP port 80 traffic through..
Steve
|
 |
pmormr
Senior Member
Joined: 06 January 2003
Location: United States
Status: Offline
Points: 1479
|
Posted: 07 February 2004 at 10:01pm |
Stevo wrote:
I still can't make sense of allowing TCP port 80 traffic through.. |
Why not... there are thousands of sites around the world that still use port 80...
|
|
|
 |
Stevo
Newbie
Joined: 11 November 2002
Location: Australia
Status: Offline
Points: 37
|
Posted: 08 February 2004 at 11:57am |
But of course - in fact it's probably more like 100's of 1000's, but we don't personally have the resources to organise adequate security on how to do this... Unless someone here can tell me how, or give me a pointer in the direction for where I might learn.
I guess the very point of suggesting the obscure port through was to get ideas as to its validity and whether it would provide any measure of security to meet our needs. If other ideas are available, these would certainly be welcome too. We are just looking for a simple solution to the problem (that does not need to be individually customised/created for each user) that won't compromise our primary server - on which the site is hosted.
Any ideas or referrals (to sites, etc) are most welcome. Information on securing Win2K machines for external HTTP traffic seems to be few and far between.
Steve
|
 |
pmormr
Senior Member
Joined: 06 January 2003
Location: United States
Status: Offline
Points: 1479
|
Posted: 09 February 2004 at 6:24pm |
Just deny anonymous access to certain folders on your site... so your directory structure might look like this:
SITE HOME --- Anonymous access allowed
---default.asp --- anonymous access home page
---FOLDER:securesite --- Anonymous access denied
------default.asp --- secure site home page
|
|
|
 |
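A way to confirm the folder layout in the last post from the client side, as an added example that is not part of the thread: it requests each path without credentials and reports any path whose behaviour differs from the intended policy. The local stand-in server and the names `audit`, `anonymous_status` and `start_stand_in` are constructed for illustration; point `audit` at your own site's base URL instead.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Layout from the post above: True = anonymous access expected, False = denied.
EXPECTED = {"/default.asp": True, "/securesite/default.asp": False}
# No proxy and no auth handler: every request is a direct, anonymous GET.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def anonymous_status(base_url, path, timeout=5):
    """Return the HTTP status code for an unauthenticated GET."""
    try:
        with OPENER.open(base_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 401/403; the code is what we want

def audit(base_url, expected=EXPECTED):
    """Return (path, status, problem) for each path that violates the policy."""
    findings = []
    for path, anon_allowed in expected.items():
        status = anonymous_status(base_url, path)
        if anon_allowed and status != 200:
            findings.append((path, status, "public page not reachable"))
        elif not anon_allowed and status not in (401, 403):
            findings.append((path, status, "protected path served anonymously"))
    return findings

class StandInSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server (not IIS itself)."""
    protect = True  # False simulates a folder left open to anonymous users

    def do_GET(self):
        denied = self.protect and self.path.startswith("/securesite/")
        self.send_response(401 if denied else 200)
        if denied:
            self.send_header("WWW-Authenticate", 'Basic realm="securesite"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_stand_in(protect=True):
    """Start the stand-in on a free localhost port; return (server, base_url)."""
    handler = type("Site", (StandInSite,), {"protect": protect})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port
```

An empty list from `audit` means the public page answers anonymously and the protected folder demands credentials; run it from outside the firewall so the result reflects what external users actually reach.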