Windows Servers behind Comcast SMC Gateway

siggma
New Member
Posts: 14
Joined: Wed Aug 19, 2009 6:16 pm

Post by siggma »

This discussion began HERE

It's been co-opted to a discussion on Windows and comcast business services.
The issue is whether one requires an additional router between the Comcast Gateway and a windows server.
siggma
New Member
Posts: 14
Joined: Wed Aug 19, 2009 6:16 pm

Post by siggma »

YeOldeStonecat wrote: Exactly..you're almost getting my point.
Exactly what?
Sounds like you agree, but with what?
YeOldeStonecat wrote: However, you'll find most IT guys that set up and support networks for businesses will not want a Windows server exposed on a public IP address.
Nonsense. Talk to someone at Sourceforge.net or Dreamhost.
YeOldeStonecat wrote: If you like running your Windows Server multi-homed doing RRAS..fine, but most of us in the community do not. Even if it were running ISA...too much maint and constant monitoring and patching. We prefer to keep our clients' network fully protected behind NAT..and then some.
A server can't serve pages to the public internet without being exposed.
Are you insinuating that a Windows server is somehow less able to cope with hackers?
YeOldeStonecat wrote: Do you do any work in consulting/supporting SMB networks?
Absolutely NOT. Bill Gates and everything he has ever done, except co-opt the original DOS work from others for publishing in 1978, is dishonest. Bill Gates is Satan's spawn in the form of a Devil! There is little evidence that he even wrote the original DOS. But that's entirely secondary. I despise Microsoft for its dishonesty and anti-social business practices, not the software itself or the people who write software for them. Microsoft corporation has been sued for antitrust in nearly every jurisdiction on planet earth. The EU even threatened to block them from selling products in Europe. What does that say about their corporate business ethic?

What happened to the original Netscape browser?
Why did OS/2 disappear so suddenly in the 80's?
Why is there a greater-than-cottage industry making $$ selling products to plug the security leaks in MS Windows?
Why do so many web sites/pages look like S*** or simply not work in IE7/8?
YeOldeStonecat wrote: If you do, and you prefer the method of having your clients' Windows servers and workstations on public IP addresses...wow, I hope your clients don't have much for information and can afford downtime while formatting machines on a regular basis.
It's that easy to destroy a Windows Domain Controller?
One wrong bit and it's "off to the races" for Bill and the gang, ey?

Duplicate firewalls serve no purpose but to complicate a network.
This is not to say your LAN clients shouldn't run a firewall. There are always unscrupulous doers on any network, be it public or private. Unfortunately.

Has it occurred to you that Microsoft perpetuates the security holes in their products so they can maintain an entirely secondary industry as a vehicle [for profit]. There ain't much profit in spyware/antivirus programs for linux or even OS/X. It's kind of like some DNS servers now redirecting unknown urls' to advertising pages. (Think Comcastic!).
YeOldeStonecat wrote: You argue against using your own router behind the SMC...yet you quote "This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router."
I argue against using superfluous equipment in any network. Especially if it offers no additional protection. A standard Linux box IS a firewall and a router, just like your Domain Controller. So I have no need to run a second firewall. It's like the desktop user who installs Kaspersky, Norton and McAfee all on the same Windows machine thinking it will provide more protection from viruses. Fear-driven nonsense perpetuated by Microsoft and that previously mentioned not-so-cottage industry. I even turn off the firewall in my Vista desktop. I run external port scans on a regular basis just to be sure, and I do run a few services on the desktop to warn me if some site is trying to install something. To date I've never had a breach because of my firewall. I've had my server hacked because of security holes in specific software I installed. I've had IE7 infect my Vista desktop because it's braindead, but never a firewall breach. You're welcome to run a port scan on my IP; it's trbailey.net. You'd be chatting with a Linux iptables kernel-based firewall and nothing else. And I can close, open or change the forwarded ports in less than 30 seconds, including the time it takes to load Firefox and Webmin. How many buttons do you have to push and menus do you have to navigate on that DC just to change a port assignment? Then how many routers do you have to fiddle with to open or, heaven forbid, close a wayward port? And when it still won't work, then what? Call Microsoft?

If Server 200x is so fragile it can't deal with having its own public IP, it has no business playing with the big boys.

But, I'm only using a single public IP address.

That said; If it's a unique non public IP you want for your DC I can see why you might reach for an external router. But there are better options than installing a router just to get a NAT address for your Domain Controller. You could install two interfaces in the DC, then assign one interface the public IP (for port control and packet logging / sniffing) and use the DC to NAT the second interface to serve clients. It would be much easier to configure the whole mess. Especially if you add or remove services on a regular basis. It would also reduce network latency between clients and the internet. Unless you don't trust Microsoft's firewall, in which case why run their products at all?

I still say a separate standalone router is unnecessary. Here are just a few reasons:
  • It adds more wiring, increasing the possibility you'll weaken your signal or overrun cable length unnoticed.
  • It adds more un-soldered connections in the network as a whole, creating more places for a signal to get lost.
  • It provides no additional protection from hackers or stray public bits
  • It increases overall network latency with no real benefit.
  • It adds to the overall cost of installing, maintaining and debugging the network.
Shall I go on?
Is it that you don't trust Comcast?
Or is it Microsoft that's the necessary, or in my case unnecessary evil?

-Tom

Meddle not in the affairs of the dragon; for you are crunchy and taste good with ketchup.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

:rotfl:

Go manage some Windows servers on public IP addresses without robust firewalls for a few years and get back to us.

A lot of baloney points there....."I don't trust Comcast?" Who the heck ever said anything about trust in Comcast...out of all the ISPs that I work with (and that's quite a few)...they're one of my favorites. A firewall and the integrity of a network have absolutely nothing to do with Comcast or whatever ISP the network is on.

If you want to run your Windows servers unprotected..go for it..have a field day...put your credit card/bank info/online credentials on there. But in the mainstream IT world in dealing with business/enterprise networks..you won't find many consultants (who choose to remain in their fields for long) adopting that strategy.

These arguments against a firewall...oh boy...lemme giggle a bit.
*More wiring and weaken the signal? Hardly when done professionally. Those whopping extra two 1-foot patch cables don't really add attenuation in any measurable degree.
*More unsoldered connections..well, I don't solder my networks, I use good quality components.
*No additional protection from hackers? Uhm...so you're saying a PC behind a NAT box is no further protected than a PC sitting directly on a public IP address? This needs no reply
*Increased latency and no real benefit? Not when using business grade routers/firewalls (again, no little 60 dollar Stinksys or DStink or Nutgear routers). No benefit? Uhm...hiding your network behind NAT is primary benefit...all 65,000 plus ports are not available.
*Adding overall cost? Well, when you're talking about business networks...(we're starting in 5 digit price ranges here)..another several hundred bucks is nothing when you're talking about securing and protecting data such as healthcare (HIPAA), accounting/financial, employee data, LOB data, etc.
MORNING WOOD Lumber Company
Guinness for Strength!!!
siggma
New Member
Posts: 14
Joined: Wed Aug 19, 2009 6:16 pm

Post by siggma »

I don't run windows servers so my experience is a bit limited.

Not because I don't trust their firewalls but because their software is excessively costly, performs poorly, and it offers no services I need or want. I find it ironic you defend the Windows platform yet don't trust it enough to allow it its own public IP. But then I have little experience running a Windows server, be it IIS, domain controllers, Office Suites or even Apache (WAMP). I'm more into the web site thing, and when it comes to web sites, Windows has no usable solution at a reasonable price. IMHO, a Windows web server is for someone who prefers buttons on a menu to a simple edit of a configuration file, in the mistaken idea it is somehow faster or easier. Overall experience has taught me it's not. I prefer being able to find out why a particular issue occurs, not being deliberately kept in the dark because of some proprietary licensing agreement between Bill and his band of merry men and ATI, or IBM (well not any more), or even MSN (no MS there, is there...[nope]).

"At the setting of the fifth day in the year of ambrosia, on a moonless night, under a willow tree, in the dead of winter I'll meet with thee. Well toast of the town and drink from our lips while the setting sun falls over the cliffs, of desire... and my cup runneth over not." :rtfm: :nod: :nod:
Sorry, I see no ":cloak-n-dagger:"

Does this ring a bell?
Image

I had a 2003 installation back some years ago, my first web server. SMTP, IIS, and a few other things I don't recall at the moment. I even fiddled with a domain controller, but had no use for it and found it overly restricting in terms of usefulness and troublesome when it didn't do what it claimed it would. And I despise having to reload the entire OS every time I make a change, or twice a day just to be sure it's still alive :cool: . I've had my Debian box running for months at a time, and it would still be running if I hadn't decided to fiddle with compiling a new kernel, which does require a restart on any platform.

I eventually reformatted in favor of the seemingly unbounded complexity of the terrifying-to-me-at-the-time Debian Linux. I dropped Windows because it took nearly 3 seconds for it to serve a moderately complex PHP web page. Apache under Linux serves that same page in 0.1 seconds on the same hardware, consistently. Windows does not. It hogs my disk, swaps constantly and sporadically and in general performs poorly. While there have been some leaps in how IIS uses external modules like PHP, Perl, rewrite or other CGI scripts, it still does not comply with web standards like the all-important Apache mod_rewrite module. So we're actually talking apples to oranges.

However, if I were setting up a small business, say a typesetting business, I'd have a hard time offering all the services one can get with a domain controller / MS Office Suite using "something else". But if I did run a windows server I would place it squarely in the public address space like any other server. An effectively managed firewall, even a Windows firewall, will only allow packets to pass that are destined for an allowed IP/Port. If you're having trouble with reliability, perhaps it's not windows that's the problem? There are thousands of Windows shops around the country that don't hide their servers behind NAT, "just to be sure". My current second web site at Dreamhost is one of them.

So, getting back to the issue of a DC behind a Comcast SMC Gateway, I think it's safe to say we disagree in both philosophy and practice.

And for the uninitiated newcomer here, the original thread for this post contains a few different ideas on how to get a "SERVER" (Sparc, Solaris, Sun, Linux, Windows, OS/X or PPC) to operate in the public IP space of the internet behind a Comcast Business Services SMC Gateway. My tenet is that no external router is necessary.
-Tom

P.S. Does your port scan look like this?
Image
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

My port scan at home would be solid green.

Running a Windows Server solely for IIS on a public IP isn't as risky as exposing a business network on public IPs. Running it stand alone at home, or in a data center, it's not a backdoor into a private LAN filled with data. Heck I've built quite a few public gaming servers running on Windows Server since back in the NT 4 days...I put them on public IPs upstairs in the data center we work with or co-lo'd at ISPs I've partnered with. I do a heck of a lot of work in stripping down their services and securing them.

But "domain controllers on public IP addresses"...you won't find that an accepted "best practice" if you hang around a few network tech forums. You'll find it's actually quite frowned upon. The facts are, there are plenty of exploits out there against Windows, plenty of tools available to the hackers out there. Here's a hint....software firewalls that run as a service can get knocked out. Yup..that's right..there are exploits which malware or tools can use which will disable it. Not so easy with hardware firewalls. I won't put a clients network at risk, nor would the high high majority of network consultants out there. It's more of a point of "not 'if' it will get hacked into, but 'when'".

"Debian box running for months at a time?" You should set your sights higher than that...I've had Windows and *nix boxes running for years at a time. Many of the routers/firewalls/UTMs I use for clients are on *nix...PFSense, IPCop, Endian, Untangle, etc. Most of it is about the quality of the hardware selected to run it on. I can waste my time taking and posting screenies of *nix boxes blowing up too, but there's no point to it.

You can be against Microsoft all you want, that's your prerogative, but the high majority of business networks out there run on it simply because of the huge variety of line of business applications out there which they need to run on. And it makes us good money.
MORNING WOOD Lumber Company
Guinness for Strength!!!
siggma
New Member
Posts: 14
Joined: Wed Aug 19, 2009 6:16 pm

Post by siggma »

YeOldeStonecat wrote:My port scan at home would be solid green.
Would be, or is?
There is no substitute for personal experience.
There is no substitute for being there.
There is no substitute for doing it yourself.
YeOldeStonecat wrote: Running a Windows Server solely for IIS on a public IP isn't as risky as exposing a business network on public IPs. Running it stand alone at home, or in a data center, it's not a backdoor into a private LAN filled with data.
The original thread was about getting a WEB SERVER to work behind a Comcast Business Services SMC Gateway, was it not?

If I had no "public" services (like IIS) there would be no need to even open the firewall. You don't need an open firewall (at least inbound) to NAT to the internet. In fact I'd insist it remain stitched on both sides. There are lots of employees that sit at desks all day and wish they could do this and that from work or think they are getting cheated because they don't know when to quit their job and do something else. The result could be an opportunistic "postal worker" with a "envelope" of "winthrax" aimed at your network. If "..::[ T.E.A.M. T.E.C.H.N.O.T.R.O.G.E.N.S ]::.." can figure out a way to bypass windows vista activation before it even hits SP1, I'd be worried too. How many of them technotrogens work around, or even for a windows shop?

But since I was under the impression you were running web services and you didn't state otherwise...
YeOldeStonecat wrote: Heck I've built quite a few public gaming servers running on Windows Server since back in the NT 4 days...I put them on public IPs upstairs in the data center we work with or co-lo'd at ISPs I've partnered with. I do a heck of a lot of work in stripping down their services and securing them.
Ah the days of Doom, Hexen and Heretic over 14.4K modems. What fun that was to teethe upon. ;)

As for these undescribed business networks you're referencing. Are we talking databases full of personal records like HR, Payroll, AP, AR, Inventory, Banking, doctor/patient records, PsyD and his friendly cohorts etc?

I'd run LDAP and SQL on a *nix box and hide the databases off site in a separate building or a "bat cave" on a private transport / public IP network inaccessible to the internet unless it were absolutely necessary. Then access to it from the internet would cause a "duplicate IP" error making it that much harder to access. *nix offers much better access logging and reliability. But for desktop applications, Windows wins hands down. If only windows clients would cooperate with industry standards. But I won't bore you with my views on that topic.

On a last high note. May I ask why you originally jumped into this thread if it didn't apply to you?

-Tom
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

siggma wrote: Would be, or is?

siggma wrote: The original thread was about getting a WEB SERVER to work behind a Comcast Business Services SMC Gateway, was it not?

siggma wrote: Ah the days of Doom, Hexen and Heretic over 14.4K modems. What fun that was to teethe upon. ;)

siggma wrote: As for these undescribed business networks you're referencing. Are we talking databases full of personal records like HR, Payroll, AP, AR, Inventory, Banking, doctor/patient records,

siggma wrote: On a last high note. May I ask why you originally jumped into this thread if it didn't apply to you?
"Is"..we have our own port scanner here and currently, with the firewall that I'm running this month (since I change routers/firewalls so frequently to fiddle with various ones)...it's all green. But what I run at home for exposed ports isn't important.

The original thread was about that, yes, but you change it to something along the lines of "all you need is the SMC, nothing else, no additional firewalls/routers"

FPS over dial up...yuppers...a lifetime of hours spent playing Quake 1.

Undescribed business networks running whatever LOB software they have, and whatever data they have. Be it law firms, dental offices, cardiology offices, home healthcare/hospice agencies, battered women shelters, accounting firms, manufacturing plants for jet aircraft engines, metal fabrication plants, boat marinas, golf resorts, summer camps, schools, insurance companies, foundations, research, yes all that stuff.

The thread did apply to me; you revived an old thread that I participated in, starting with "After reading most of this thread it's become apparent that some of you don't comprehend what a "Router" is used for. Comcast has perpetuated some myths in stating you can plug an additional router into the gateway. "
MORNING WOOD Lumber Company
Guinness for Strength!!!
siggma
New Member
Posts: 14
Joined: Wed Aug 19, 2009 6:16 pm

Post by siggma »

YeOldeStonecat wrote:"Is"..we have our own port scanner here and currently, with the firewall that I'm running this month (since I change routers/firewalls so frequently to fiddle with various ones)...it's all green. But what I run at home for exposed ports isn't important.

YeOldeStonecat wrote: The original thread was about that, yes, but you change it to something along the lines of "all you need is the SMC, nothing else, no additional firewalls/routers"
It was "no external routers between the SMC and your web server".
And I've verified it works as I said it does. I think the guy was even running a *nix box. I suggested he use the firewall on his webserver rather than add a router just to obtain a NAT address or add an additional firewall. Especially when the SMC has a firewall. I still maintain that such a setup offers no additional protection.

If there are exploits on a particular port, closing that port on the firewall will prevent any access. If there are exploits on an open port, the firewall has nothing at all to do with it. The only solution is to find and correct the service that responds incorrectly. It's not really a firewall issue so adding more won't make it any more secure.
YeOldeStonecat wrote: FPS over dial up...yuppers...a lifetime of hours spent playing Quake 1.
My son and I are working on HL2. There's even a nifty *nix server for it.
YeOldeStonecat wrote: Undescribed business networks running whatever LOB software they have, and whatever data they have. Be it law firms, dental offices, cardiology offices, home healthcare/hospice agencies, battered women shelters, accounting firms, manufacturing plants for jet aircraft engines, metal fabrication plants, boat marinas, golf resorts, summer camps, schools, insurance companies, foundations, research, yes all that stuff.
I used to do that sort of thing. Back in 1985 before there were reliable PC networks. HP 3000, IBM Sys 34, 40mb MFM drives at a whopping 500K per second, my first Compaq deskpro MCGA with massive 8086 registers (true 16 bit). Sweet Jesus that thing was fast... ;) ;) And it even displayed monochrome green photos of partially naked girls and ran a hacked version of asteroids! Those were "the days of wine and roses".
YeOldeStonecat wrote: The thread did apply to me; you revived an old thread that I participated in, starting with "After reading most of this thread it's become apparent that some of you don't comprehend what a "Router" is used for. Comcast has perpetuated some myths in stating you can plug an additional router into the gateway. "
It was intended mostly for the guy asking the really noob questions about NAT, public IP's and forwarding ports so his server was exposed. It was of interest to me while I researched switching from DSL to Cable for my home web/smtp server. It never occurred to me to dig out the old blue router from a closet somewhere to protect my server. But that's the difference between *nix and windows philosophies I guess.

Like I said before, there are many ways to set up a network.

Do you run a web server anywhere?

-Tom
siggma
New Member
Posts: 14
Joined: Wed Aug 19, 2009 6:16 pm

Post by siggma »

Dastardly Afterthought(s)...

If you forwarded packets in the SMC from inbound port 80->8790 then forwarded port 8790->80 on the second router (to the DC), it might afford additional protection were the SMC hacked, failed or there were policy changes at Comcast for some reason. At the very least it would slow them down and alert you there was an issue.

One could also use IP 207.46.0.0/16 for the DC's router address block which is virtually guaranteed to fail if exposed to a public network.

FYI:
[root@moya]
~ $ host microsoft.com
microsoft.com has address 207.46.232.182
microsoft.com has address 207.46.197.32
microsoft.com mail is handled by 10 mail.messaging.microsoft.com.
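The two-hop forward sketched in this afterthought (gateway 80 -> 8790, second router 8790 -> 80) and the earlier post's point that closing a port blocks access while a flaw in the service on an open port is not something a firewall can fix can be modelled in a few lines. The following is an added Python example and is not code from this thread or from any poster's real setup: the hop names, the documentation/private addresses (203.0.113.10, 198.51.100.7, 192.168.1.2, 10.0.0.5) and the rule shapes are constructed assumptions, and the classes are a simplified DNAT-then-default-deny model, not iptables itself.

```python
"""Simplified model of a chain of NAT/firewall hops (constructed example, not a real device)."""
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""  # what the connection carries; a port filter never inspects it


@dataclass(frozen=True)
class Dnat:
    match_port: int  # inbound destination port this hop rewrites
    to_addr: str     # address the packet is forwarded to
    to_port: int     # port the packet is forwarded to


class Hop:
    """One NAT/firewall device. DNAT rules are tried first (like iptables PREROUTING);
    a packet matching none is delivered only if addressed to this hop on an allowed port.
    Everything else is dropped and logged: default deny."""

    def __init__(self, name: str, addr: str, dnat: Sequence[Dnat] = (),
                 allow_local: Sequence[int] = ()) -> None:
        self.name = name
        self.addr = addr
        self.dnat = tuple(dnat)
        self.allow_local = frozenset(allow_local)
        self.log = []  # one line per dropped packet, the "alert" the post hopes for

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        for rule in self.dnat:
            if pkt.dport == rule.match_port:
                return "forward", replace(pkt, dst=rule.to_addr, dport=rule.to_port)
        if pkt.dst == self.addr and pkt.dport in self.allow_local:
            return "deliver", pkt
        self.log.append(f"{self.name}: DROP {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return "drop", None


def trace(pkt: Packet, path: Sequence[Hop]) -> Tuple[str, str]:
    """Push one packet through the hops in order; report (outcome, hop name)."""
    for hop in path:
        action, nxt = hop.process(pkt)
        if action != "forward":
            return ("delivered" if action == "deliver" else "dropped", hop.name)
        pkt = nxt
    return ("left_modelled_path", path[-1].name)


CLIENT = "198.51.100.7"  # constructed outside address (TEST-NET-2)


def build_chain() -> Tuple[Hop, Hop, Hop]:
    """Constructed topology: gateway 80 -> router 8790, router 8790 -> web server 80."""
    smc = Hop("smc-gateway", "203.0.113.10", dnat=[Dnat(80, "192.168.1.2", 8790)])
    router = Hop("second-router", "192.168.1.2", dnat=[Dnat(8790, "10.0.0.5", 80)])
    server = Hop("web-server", "10.0.0.5", allow_local=[80])
    return smc, router, server


def scenario_normal() -> Tuple[str, str]:
    smc, router, server = build_chain()
    return trace(Packet(CLIENT, smc.addr, 80, "GET / HTTP/1.1"), [smc, router, server])
    # -> ("delivered", "web-server")


def scenario_closed_port() -> Tuple[str, str]:
    # A port closed at the edge is unreachable whatever listens behind it.
    smc, router, server = build_chain()
    return trace(Packet(CLIENT, smc.addr, 445, "anything"), [smc, router, server])
    # -> ("dropped", "smc-gateway")


def scenario_gateway_policy_changed():
    # The gateway now forwards port 80 untranslated (failure, reconfiguration, ISP change):
    # the second router has no rule for port 80, so the traffic stops there and is logged.
    smc, router, server = build_chain()
    smc.dnat = (Dnat(80, router.addr, 80),)
    result = trace(Packet(CLIENT, smc.addr, 80, "GET / HTTP/1.1"), [smc, router, server])
    return result, list(router.log)
    # -> (("dropped", "second-router"), ["second-router: DROP 198.51.100.7 -> 192.168.1.2:80"])


def scenario_malformed_request_on_open_port() -> Tuple[str, str]:
    # A port filter passes a malformed request on an allowed port exactly like a benign one;
    # only the service behind the port can deal with it.
    smc, router, server = build_chain()
    oversized = "GET /" + "A" * 4096 + " HTTP/1.1"  # constructed malformed request
    return trace(Packet(CLIENT, smc.addr, 80, oversized), [smc, router, server])
    # -> ("delivered", "web-server")


if __name__ == "__main__":
    for fn in (scenario_normal, scenario_closed_port,
               scenario_gateway_policy_changed, scenario_malformed_request_on_open_port):
        print(fn.__name__, fn())
```

The third scenario is the one the afterthought is after: when the outer device stops translating, the inner hop's mismatch turns the change into a dropped, logged packet rather than a silently exposed service. The fourth shows why the earlier post says the firewall "has nothing at all to do with it" for an open port: the model delivers the malformed request without looking at it.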