Is this the most secure way?

agw_01 · 15 Aug 2007 at 13:04

Hi guys,

Got a machine set up at home running IIS and POP/SMTP servers which is hosting my website. I've got a domain and that's all setup, I can access the site and send/receive e-mails so that's not a problem.

What I'm looking for, is a second opinion on the security configuration. I've looked around a few websites but can't find anything set in stone and obviously, don't want to leave my system open to hackers and what-not so would appreciate some advice.

Basically, 3 ports are open on the server... let's say port 8000 for HTTP, port 1111 for POP3 and port 2525 for SMTP with each service configured for those ports respectively. The machine has a static IP.

The router is set up to forward ports 80, 25 and 110 to the ports open on the server. Obviously, by doing a port probe on 'Shields Up' it lists the open ports as a critical issue, but with the ports simply being forwarded (i.e. port 80 on the server isn't open) and NAT being used, is this secure?

Thanks

marc2003 · 15 Aug 2007 at 13:13

rofl, ignore shields up. how else can you run a webserver without having port 80 open.

critical issue? best shut down the whole internet then. it's far too dangerous.

the only security issues you need to worry about is your server configuration. is your smtp server secure? webserver secure? not just configuration but the server software itself. all up to date? any cgi/php/whatever scripts that you run? are they secure. etc.....

Curiosityx · 15 Aug 2007 at 13:18

If you want to do things properly youll want a dedicated hardware firewall, a Cisco ASA 5505 would do the job nicely, the difference between this and simple port forwarding is that although you still perform forwarding on the firewall all traffic even that is allowed to pass through the device is inspected for anomalies.

You can take it further and configure application specific inspection per port or service to turn the performance but the basic inspect commands do a sufficient job.

So yes the setup is relatively secure but still vulnerable to attack if you haven't patched the server properly as traffic that is forwarded is not inspected.

#Chri5# · 15 Aug 2007 at 13:19

Just to add - is your SMTP server relay secure?

agw_01 · 15 Aug 2007 at 13:19

marc2003 said:
rofl, ignore shields up. how else can you run a webserver without having port 80 open.

critical issue? best shut down the whole internet then. it's far too dangerous.

the only security issues you need to worry about is your server configuration. is your smtp server secure? webserver secure? not just configuration but the server software itself. all up to date? any cgi/php/whatever scripts that you run? are they secure. etc.....

haha, I wasn't saying "Oh noes, port 80 is open and I'm going to get hacked"

I was just asking whether my configuration was the most secure way of doing things (on a budget anyway)? I mean, if someone did gain access through port 80, would the router simply forward their packets to port 8000 giving them the same access as though the server was sitting on port 80?

I understand that NAT is very good at this kind of thing, but again, with there being a port forward set up, would the packets of a hacker trying to compromise the security just be sent straight to the server therefore giving them direct access to that machine?

I see what you're saying with regards to the server software being secure. It's a completely legal copy of Windows 2003 Enterprise Server (bought it through work a while ago... gotta love company discounts!) and is all patched up with service pack 2 and all updates. I'm still getting to grips with it, but I'm fairly confident in my ability

#Chri5# said:
Just to add - is your SMTP server relay secure?

Yep

Curiosityx said:
You can take it further and configure application specific inspection per port or service to turn the performance but the basic inspect commands do a sufficient job.

So yes the setup is relatively secure but still vulnerable to attack if you haven't patched the server properly as traffic that is forwarded is not inspected.

I'll have a look into that, but what you're saying is good enough for me.

Obviously, I'm never going to get it super secure wthout spending large amounts of money, but as long as it's secure enough to stop some script-kiddie tapping his way in with a few commands, I'm happy.

marc2003 · 15 Aug 2007 at 13:40

agw_01 said:
I was just asking whether my configuration was the most secure way of doing things (on a budget anyway)? I mean, if someone did gain access through port 80, would the router simply forward their packets to port 8000 giving them the same access as though the server was sitting on port 80?

well whatever port you forward it to, the server will have to be configured to listen on that port? exactly the same as forwarding 80 -> 80 so you might as well do just that.

agw_01 · 15 Aug 2007 at 13:51

Yeah, that makes sense.

I just thought that by having the router essentially stealthing the server, it would make it a bit harder for someone to gain access.

No biggie if it doesn't. At least I know now.

Thanks for the help guys!

Snapshot · 16 Aug 2007 at 06:30

If you've got an old PC lying around, take a look at the free software firewall offerings such as Smoothwall and IPCop.

Trifid · 16 Aug 2007 at 07:20

Will the PC need 2 nic's or would simply having the default gateway set as the firewall box work just as well?