Recommendation for HW or SW firewall


  1. Posts : 15
    win 10
       #1

    Recommendation for HW or SW firewall


    Hello experts,

    I'd like to get a recommendation or an advice regarding the use of HW or SW firewall solution.

    I have set up a web server on one of the computers on the local network. For example, IP address of this computer is 192.168.1.10.
    On this LAN there are about 20 computers and all of them can have access to this particular web server computer (WSC) in a sense that each user can open web browser and type 192.168.1.10:8000 to open a web content with some information.
    This WSC has two NICs and is connected to two different networks. It fetches data from one network and present it ot the other network (LAN) via web form. The only way computers on LAN 192.168.1.xxx can see the data should be to open a web page via http request.

    Now I need a firewall to restrict any kind of access to this WSC computer except through http protocol. So I need that only 192.168.1.10:8000 can pass through, all other means of access should be blocked.
    It would be ideal for me to buy some kind of simple HW device firewall and to put it between WSC computer and the rest of the LAN network. This device would let through only http request to this computer.

    Of course if there are software solution, that can work also.
    OS on all computers is Windows version is 10, 64 bit.


    Thank you.
      My Computer


  2. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #2

    you should not blame your server computer for letting other LAN members use it directly, it's your router that told them to go that route.

    Any HW firewall will do but your server will no longer be on same segment.

    Otherwise if you just want to block LAN to your server define new rule in Windows firewall with the following properties:
    Code:
    remote address = Local subnet
    local port = 8000
    direction = inbound
    Block = true
      My Computer


  3. Posts : 15
    win 10
    Thread Starter
       #3

    Thank you zebal.

    Well, I want all users on LAN 192.168.1.xxx to be able to open a web page and see the contents that is provided by web server on 192.168.1.10. I don't want this server computer (192.168.1.10) to allow any remote connection or to allow any other type of the connection except of course http request.
    I was thinking to install ZoneAlarm or some similar software on this computer or maybe to use a hardware firewall device.

    What I want to prevent is the possibility that users from LAN 192.168.1.x can connect to the server PC and from that to access other local network (from which data is received).
      My Computer


  4. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #4

    You don't need to install or by anything, simply block port 8000.

    default HTTP port is 80 and you have 2 NIC's

    Code:
    New-NetFirewallRule -PolicyStore PersistentStore -Direction Inbound -LocalPort 8000 -RemoteAddress LocalSubnet -Action Block -InterfaceAlias "Enter ifAlias here"
    If you want to allow port 8000 only but block everything else, then set default inbound to block and modify above code to
    Code:
    -Action Allow
    I want to prevent is the possibility that users from LAN 192.168.1.x can connect to the server PC and from that to access other local network
    You gave no details how do they proxy trough your server to internal network, you have to deal with that rather than blocking traffic with firewall if you want you network to be secure.

    why does your server allow remote access? you allow remoting and now want to block it, well then simply disable remoting and you're done.

    If you want to allow specific people such as network administrators to do remoting define IPSec rule for them and deny rest.
      My Computer


  5. Posts : 1,614
    Windows 10 Home
       #5

    zebal, would this situation call for creating or setting global and/or local group policies in the long run?
      My Computer


  6. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #6

    RolandJS, it may be good idea for domain, but otherwise some info about setup is missing.

    why? you think firewall is the only way around this?
      My Computer


  7. Posts : 15
    win 10
    Thread Starter
       #7

    Hello,

    maybe I wasn't clear enough, so I'll try to explain it better. I have one so called industrial network (consisting of various data loggers) and a server that make acquisition of this data and store it in a database. This server has some tools for administration, configuration of data loggers etc.

    After some time there was a request to present this data in real time to LAN (business users), so connection needs to be made to this server. This server already had another NIC interface, so it wasn't a problem. In order to present the data to users in the most convenient way, web server is set up on this server and IP was assigned. The idea is that any user from business LAN, if need to see the data, just type http://192.168.1.10:8000 in his/her browser and the web page with data would show up. And it works perfectly. Why port 8000? I don't know, but it was designed that way. Now, we just want to improve security and to prevent any user from business LAN to accidentally or in any other way access data loggers on 10.x.x.x
    So I want that just http request to 192.168.1.10 on port 8000 works, all other should be blocked to any user on 192.168.x network. Of course all network settings on the other network 10.x should be left unchanged.

    I add an attachment to visualize this.
    Thank you for your time.
    Attached Thumbnails Attached Thumbnails Recommendation for HW or SW firewall-networks.png  
      My Computer


  8. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #8

    Nice explanation and you said all computers are running Windows, I assume that also includes server machine?

    And I assume only 192.168.1.10 network (and the server machine) have access to internet...
    That means there is some gateway device to internet and all computers on 192.168.1.10 including your server box (with only one NIC) are connected to that gateway?

    That means you already have HW firewall which is likely your gateway device and it's purpose is blocking outside world.
    Also, if so, this is easy solvable by defining firewall on you server, block everything, allowing only port 8000 to anyone.

    Problem is remote access, you can allow remoting to server by defining separate firewall rule for that, but, anyone who remotes into server can bypass your firewall regardless if it's HW or SW.

    Firewall will make you safe as long as those who remote into server are those you trust, because remoting most likely requires logon to privileged account on server machine.

    Another less clear point is your web server, I understand that port 8000 is used to access data from "industrial network" which is hosted by server machine on demand, but what about outside world (on the internet)?
    What port do you open for them to access your web service? and, is information from "industrial network" supposed to be available to outside world as well?

    If not, then you need yet another firewall rule separate from others, that means a minimum of 3 inbound rules:
    1. LAN to port 8000
    2. Internet to WWW service
    3. LAN to remoting service

    Your firewall rules must be specific to NIC and must specify both local and remote address at a minimum.
    Your server box if it is Windows server, has Windows firewall already there and you can configure it in GPO.

    I assume you know how to configure Windows firewall on server?
    Having additional hardware firewall between gateway and LAN toward your server computer can add additional layer to safety but is not really needed.
      My Computer


  9. Posts : 1,614
    Windows 10 Home
       #9

    zebal said:
    RolandJS, it may be good idea for domain, but otherwise some info about setup is missing.
    why? you think firewall is the only way around this?
    I was just making a guess, I thought I heard bits and pieces of something elsewhere.
      My Computer


  10. Posts : 15
    win 10
    Thread Starter
       #10

    Hello and thank you for the reply zebal,

    Information that is stored on the server shouldn't be accessible on the internet.
    Yes, all of the business LAN users (on LAN> 192.168.1.xxx) have Internet access, but the information aquired from industrail data loggers should be available only to thos on the same LAN (192.168.1.xxx)

    Until recently the server had no connection to business LAN and there is only one person who maintains it and configure communication to data loggers if need. This server stores data from the data loggers in its own database. That same admin person prepared the data to business users on demand, but this demand over time became so big, that it is decided that data should be accessible automatically in appropriately defined form.The obivous solution was to make web server and store it on this server and to enable second NIC, assign IP to business LAN and to send isntruction to business users on company's LAN that all data is availabe via http request.
    Now, we don't want any remote access from any of the business users and especially not from the Internet. The server 192.168.1.10 dosn't have Internet connection even though other users on this LAN have.

    My idea was to obtain an additional firewall (either HW or SW) and to define that connection to 192.168.1.10 can only be made via http request. All other connections should be disabled, especially remote connection. Since server has connections to two networks, we want to impose rules only on 192.168.1.xxx LAN and not to touch anything to other "industrial" network.

    I have not defined windows firewall rules before, but I'll investigate how to do that. The mostimportant part is that it needs to be defined to specific NIC only.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 19:19.
Find Us




Windows 10 Forums