ports to open/close for firewall

El Nacho

Noobie Cheese
Joined
Jan 22, 2002
Messages
2,258
For a machine running office apps, no internet access, remote storage, and connecting to a sql database. What ports should i close/open on a fire wall?
 
Joined
Aug 10, 2001
Messages
2,312
i sort of need more info. are you running the firewall on the local machine or between your machine and the internet? if it's on the perimeter, then is the sql database you're connecting to out on the internet somewhere? is there a remote storage device out on the internet somewhere? seems like probably not. what exactly is going out to the internet if "no internet access" is needed?
 

El Nacho

Noobie Cheese
Joined
Jan 22, 2002
Messages
2,258
These are laptops. At first, they had their own network, and would use citrix to get their files two and from our file servers. We'll...between them bitching about how hard it is, and getting them to bring them in for a check up, we want to put them back on the regular network.

For the filewall, we locked down access when they were out of the office and we were going to leave it wide open when they were in the office. But we changed our mides after the last round of check ups because of all the viruses we found. We are hoping that if one plugs into our network with a virus, the blocked ports will slow it down. (yes we do have av on every computer.)

The reason for no internet access is, we can force them to use their thin terminals if we only allow internet on them and not the fat clients. Nothing will be going out to the internet from these computers (at least not directly). I guess basically what it comes down to is, what ports do you need to leave open so that windows will function on a network.

Thanks for you help and let me know if you need anymore info
 

Party2go9820

2[H]4U
Joined
Aug 11, 2000
Messages
3,695
El Nacho said:
<<snip>>
I guess basically what it comes down to is, what ports do you need to leave open so that windows will function on a network.

Thanks for you help and let me know if you need anymore info

All the same ones the viruses use to spread. :p

I'd work this from a different angle cuz using firewalls to stop viruses is like using a hammer to drive a screw. It will work, but not very well.

Get some AV software on those laptops pronto and force def updates frequently.
 

El Nacho

Noobie Cheese
Joined
Jan 22, 2002
Messages
2,258
All the laptops have av. But if a guy is out of the office for a month, then he would be pretty far behind (all clients are managed). I know the firewall wont stop them, I just want to slow them down enough to get it taken care of before it tries to spread.
 
Joined
Aug 10, 2001
Messages
2,312
i have laptops here and do not manage them through my AV client-server structure solely due to the reason you are discussing here. they should never have out of date defs. set them up to check for updates on their own at least once or twice a day. set up the retries appropriately and educate your users about the liveupdate process. whenever they are on the net they should get updates if available that way with little to no effort on their part.

Party2go9820 is right. while there are ways to mitigate a virus attack using a firewall, that is not what it was designed for. and it will have absolutely no effect on keeping the laptops clean.
 

El Nacho

Noobie Cheese
Joined
Jan 22, 2002
Messages
2,258
thats a good piont. The laptops are going to get norton firewall put on them anyways just so that they have every protection possible while on the road. I'll have to pick and choose who gets managed and who doesnt. Some guys are in the office most of the time, some arent, and some are 50/50. I also cant count on them to do anything.....though I might set up a batch file to switch them form managed to unmanaged depending on where they are at. I've done this in the past to have them change their host files and it works pretty good (as far as them using it).
 
Joined
Aug 10, 2001
Messages
2,312
that's interesting- the batch file idea. if you don't want to count on them to do anything then i usually set norton to run liveupdate automatically every day . . at least once. you can ask them when they are usually online the most so you can be sure you schedule it for their online time. even having liveupdate run every 30 minutes isn't excessive as long as it solves the problem you're having. if you arrange it well they should get updates pretty much every time they go back online.
 

El Nacho

Noobie Cheese
Joined
Jan 22, 2002
Messages
2,258
I havent watched a schedualed (sp??) update in a while. Does it let the user know if its doing anything?

EDIT: The batch file thing is great. With out it, they cant nfuse (use citirx) from out side the office. So we toss all kinds of things in there that we need them to turn on outside the office. The biggest thing is to make sure they have to use it, or think they have to... :p
 
Top