Firewalls n' such

[Mercutio]

Through my trainer job, I have come into contact with a mid-sized business - an architecture company - which is generally serviced by another contractor-type guy.

This guy likes to set up Windows Servers as primary internet servers; directly connecting his Windows machines to internet connection hardware (DSL modems et al).

I strongly prefer to put something that is *not* a general purpose computer on that link. I normally use a consumer router, or a Sonicwall for clients with real money. In the past I've used Linux boxes, but in my opinion there's too much possibility for abuse with all the open services and security issues on Windows servers for them to be connected directly to the internet.

The servers that this guy set up got owned. Hacked. The full tea-bagging. Rootkitted, spam relay, DDOS zombied, open FTP access. They even filled the hard disk with what appears to be random crap (MP3 files, porn, pirated software etc). Web site made to redirect to a random or specific phishing site... whomever compromised the internet server even went ahead and configured their internal servers to reinstall the hacks on their internet facing machine, if the initial hacks were detected and removed.

The guy who set this stuff up swears up, down, left and right that he's never, ever had a problem with his setup. I say I've never had a problem with mine, either, and *I* have never had a system hacked.

We're further arguing about what to do with these hacked servers - I say they should be rebuilt (on his, and not the customer's dime) and he says that he can remove whatever is on there and they'll be fine, but that's another issue.

So... for the folks who care about these things...
How are you configuring whatever it is you have that's facing the internet at client sites? Have you had security issues from hackers?

 

[mubs]

For the few businesses I've consulted for, Sonicwall. First time was mid-nineties. For home use, consumer grade routers with NAT and some kind of firewall.

That guy is off his rocker. What I'd do in this situation is:

1) Stick a Sonicwall on the Internet connection first

2) Rebuild the servers

 

[ddrueding]

For homes, a Linksys router. For businesses, a Smoothwall. Connecting production machines to the internet is stupid, you get far more control with something filtering traffic in between.

1. Install Smoothie
2. Nuke the servers
3. Scan the crap out of every machine on the network; who knows where else stuff was put.

 

[Howell]

You've got the right setup Merc. The firewall should be sacrificial. The loss or compromise of that externally facing piece of equipment should not endanger the internal production of the company as much as possible.

I use Watchguard. I probably install 1 of the Core firewalls (SMB) and a couple of the Edges (small business and remote office) a month. The consumer grade stuff works fine as the sacrificial lamb too.

This is an expensive lesson that tech is learning. If he is doing it on his own dime he might not be motivated to do quality work.

 

[Mercutio]

This guy, looking at his offices and staffing and frankly how he dresses, probably bills out a million bucks a year.

Guess who is being listened to?

 

[Fushigi]

For the multi-billion dollar, multi-national company I work for it goes something like this: Internet feed -- redundant Cisco firewalls -- redundant Nokia F5 front-ends -- DMZ: redundant/pooled Web servers -- redundant Checkpoint firewalls -- another DMZ: app servers/database (redundant where necessary) -- redundant Cisco routers, sometimes another firewall -- WAN.

Now, we're not a huge company; just 100MByte Internet pipes in one data center, 45 in another, 10 in a third, and I don't know the others.

We're considering Juniper firewalls for lower-volume areas to replace the Checkpoints as Checkpoint is expensive. The F5 is configured for load balancing & fail over support for the back-end web servers. It can also do a lot more stuff like URL re-writing, terminating SSL there instead of on the web servers, and even a little bit of content inspection.

We do weekly external penetration tests, daily internal scans, & periodic "white hack" reviews.

Now, in a small business environment I'd start with what I listed above and scale down. Eliminate the redundancies, for instance. Maybe, just maybe eliminate the second DMZ and combine that onto the WAN. Even eliminate the F5s or replace them with cheaper MS ISA servers.

BTW, MS says you should reformat if you get hacked. They also say to put in an ISA server and/or firewall.

 

[Chewy509]

Merc, I agree with DD and Mubs,

1. Sincwall/Smothie, etc. DMZ Internet facing boxes... The rest behind the firewall, and limit Internet access via a proxy server. (No direct access for any box other than the proxy servers which have active Antivirus scanning all inbound/outbound traffic, whether that be port 25, 110, 80, etc)

2. An 0nwed server can never be trusted, Nuking the box and rebulding is the only way to ensure that nothing is left behind and that it can be trusted again, or to quote Ripley (from Aliens). "I say we take off and nuke the entire site from orbit. It's the only way to be sure. "

PS. Isn't point 2, like number 4 point in IT Security 101?

 

[time]

I'm definitely not a security expert, but do the postives of proxies significantly outweigh the negatives? Proxies are a PITA with web services, etc, and you can achieve port filtering through a firewall. I thought their justification was mainly as a gatekeeper for web content?

Merc, that's quite an extraordinary amount of hacking. I'm particularly stumped by the attack on the other servers that aren't connected to the internet. Unless all the servers have the same password, how could you achieve this from the outside?

To put it another way, wouldn't it be considerably easier for the seed of a hack to be planted internally on the internal machines? Just wondering out loud.

 

[ddrueding]

Unless all the servers have the same password, how could you achieve this from the outside?

In active directory, there is a single "Domain Admin" password. You can change the username (as described in MS' "Best Practices"), but once you have that, you have control over every server and workstation in the network. Combine that with the "hidden/system shares" (c$, d$, etc), and you have access to every file and every hard drive on the network.

Once any part of an MS domain is compromised, you are 0wned. That is why I put a non-MS device in front, that doesn't have any usernames or passwords in common with the rest of the network.

 

[Mercutio]

Yup, the servers were all part of the same domain. I also found out that they used pretty much the most obvious password known to man (the same as their registered domain name) and none of their internal machines even had the built in Windows Firewall running.

Yes, knowing that, they pretty much deserved the raping they got, but it really amazes me that the guy who set all that up is 1. Still allowed to have a business and 2. that the company is still entirely willing to work with him.

 

[ddrueding]

It would not be difficult to put together a simple document detailing their negligence. Depending on the damages, might be worth a malpractice lawsuit of some kind?

 

[Fushigi]

That is another point. Anything 'net-facing or in the DMZ is not allowed to be in the corporate Active Directory. The DMZ has it's own AD.