secure internet access for win2k network

By farayi.nzenza
I would like to set up secure internet access for a small network that is running under Windows 2000 with XP clients. Because Active Directory is heavily dependent upon DNS, I want to make sure that the domain controller does not access the internet at all. The security products I will try to use are: 1 x 3Com firewall, 1 x Win2K box running the anti-virus gateway software. The client machines will have their preferred DNS server set to the domain controller, which will forward all DNS queries to the Win2K box with the anti-virus gateway software (please note: it will be slaved to this DNS server, therefore it cannot try to resolve DNS queries on its own). The primary DNS server for this other Win2K box will be the firewall.

Therefore the first layer of security is the firewall that is doing the port blocking and stateful inspection. The second line is the other Win2K box running the anti-virus gateway software (this is also the admin PC that decides which users have internet access). Name resolution should work as follows:

1. Client PC makes a name request (e.g. to the PDC).
2. PDC forwards the request to the Win2K box with the anti-virus/gateway software.
3. Win2K box forwards the request to the firewall, and on to DNS servers on the internet.
4. The result follows the same path back.

To the AD and security experts out there does that seem like a valid configuration? If so what potential problems do you see with this setup? Are there any improvements that you think could be made?

Thanks very much


by Frank-MW In reply to secure internet access fo ...

I hope your firewall can do DNS.

If not, primary DNS for your W2K box should be the ISP's DNS servers or the root hint servers.

Complicated situation you created here.

Why not take out the W2K box, restrict DNS updates from your DC to the ISP's DNS servers (and root hint servers), and load the Internet gateway you have on the DC. Done. Easier to back up, more robust, since I sense your W2K box is not a server and your DC probably is.

You will do yourself a favor by keeping it simple.


by farayi.nzenza In reply to

This clears things up slightly, but my main concern was having a DC in that same function as well. The main reason for having the W2K box there was for virus scanning at the gateway. To simplify things I could simply move the anti-virus function to the PCs and servers and possibly get an integrated firewall/virus scanning solution. Then use the firewall to restrict DNS requests?


by Frank-MW In reply to secure internet access fo ...

And with my remark "restrict DNS" I mean: use your firewall to restrict DNS requests.


by Frank-MW In reply to secure internet access fo ...

Absolutely. Nothing better than having anti-virus on the desktops. The setup for Symantec AntiVirus is very decent. Console on the server, you can see which workstations have an issue.
If you have a decent firewall, you can restrict outgoing DNS requests to only your DC's IP, and then from your DC out, only to your ISP's DNS servers and the root hint servers. The firewall must do stateful inspection, so DNS requests initiated from within will be allowed through on their way back to the server.
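The two pieces of this thread that are worth seeing concretely are the forward-only ("slaved") resolver from the opening post and the egress rule Frank-MW describes here: only the DC may send DNS to the ISP's resolvers, and replies come back only because the stateful firewall remembers the outbound request. The following is an added illustration, not configuration from any real firewall or from anyone in this thread; the addresses, the `DnsEgressFilter` class and the `resolve_via_forwarders` helper are constructed for the example.

```python
"""Model of the DNS egress policy discussed in this thread (added example).

A tiny stateful packet filter: outbound port-53 traffic is allowed only from
the domain controller to the configured upstream resolvers, and inbound DNS
is allowed only when it matches a request the filter has already let out.
A forward-only resolver on top shows why a 'slaved' DC never falls back to
root hints on its own.
"""
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 1918 inside, RFC 5737 outside).
DC_IP = "192.168.1.10"
CLIENT_IP = "192.168.1.50"
ISP_DNS = ("198.51.100.53", "198.51.100.54")
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class DnsEgressFilter:
    """Stateful filter: DC -> upstream resolvers on port 53 only."""

    def __init__(self, dc_ip, resolvers):
        self.dc_ip = dc_ip
        self.resolvers = set(resolvers)
        self.state = set()  # flows we have allowed out and expect a reply for

    def outbound(self, pkt):
        if pkt.dport != DNS_PORT or pkt.src != self.dc_ip or pkt.dst not in self.resolvers:
            return "drop"
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "allow"

    def inbound(self, pkt):
        # A reply is the outbound 5-tuple with source and destination swapped.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key not in self.state:
            return "drop"  # unsolicited, or a second copy of a finished flow
        if pkt.proto == "udp":
            self.state.discard(key)  # one reply closes a UDP query
        return "allow"


def resolve_via_forwarders(name, forwarders, answers, fw, sport=40000):
    """Forward-only resolver: ask each configured forwarder through the
    firewall; if none answers, give up rather than recursing from root hints.
    `answers` is a constructed table standing in for upstream responses."""
    for upstream in forwarders:
        if fw.outbound(Packet(DC_IP, sport, upstream, DNS_PORT)) != "allow":
            continue
        if fw.inbound(Packet(upstream, DNS_PORT, DC_IP, sport)) != "allow":
            continue
        if name in answers.get(upstream, {}):
            return answers[upstream][name]
    return None


def simulate():
    """Run the policy against constructed traffic; returns verdicts by label."""
    fw = DnsEgressFilter(DC_IP, ISP_DNS)
    res = {}
    res["dc_query"] = fw.outbound(Packet(DC_IP, 40000, ISP_DNS[0], 53))
    res["dc_reply"] = fw.inbound(Packet(ISP_DNS[0], 53, DC_IP, 40000))
    res["dc_replay"] = fw.inbound(Packet(ISP_DNS[0], 53, DC_IP, 40000))
    # A workstation trying to reach the ISP resolver directly, bypassing the DC.
    res["client_direct"] = fw.outbound(Packet(CLIENT_IP, 40001, ISP_DNS[0], 53))
    # The DC trying some other resolver that is not on the allow list.
    res["dc_other_resolver"] = fw.outbound(Packet(DC_IP, 40002, "203.0.113.9", 53))
    # Unsolicited inbound DNS aimed at the DC.
    res["unsolicited"] = fw.inbound(Packet("203.0.113.9", 53, DC_IP, 53))
    # Forward-only resolution: answer comes from a listed forwarder or not at all.
    answers = {ISP_DNS[1]: {"example.com": "93.184.216.34"}}  # constructed
    res["forwarded"] = resolve_via_forwarders("example.com", ISP_DNS, answers, fw)
    res["no_root_hints"] = resolve_via_forwarders("example.org", ISP_DNS, answers, fw)
    return res


if __name__ == "__main__":
    for label, verdict in simulate().items():
        print(f"{label:18} {verdict}")
```

The point of the `dc_replay` and `unsolicited` cases is what "stateful" buys you: the firewall admits a port-53 packet only as the answer to a request it saw leave, so nothing on the internet can open a conversation with the DC just because port 53 is involved.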


by Frank-MW In reply to

Did this work for you?
