-1

The situation: Got a Win2016 DC in a cloud network. WAN is disabled for this machine. LAN is connected to pfSense. pfSense manages the VPN and IPsec between cloud and on-premise. pfSense only allows whitelisted traffic between all machines/services. The DC has a list of rules so it can do its job. This works partially; I still get a "no internet" alert on the DC, and WSUS is not working as expected.

Now DC needs a connection to another online service.

Should this be whitelisted, or is it acceptable to allow outbound traffic from this DC via pfSense to the internet? I know that a DC directly on the internet is bad practice, but does this also apply to this rule?

MKZ

1 Answer

0

In short: It depends on how security conscious you are, but a DC carries the keys to your kingdom, so you may want to play things especially safe with that kind of server.

The safest way to do things is to analyze what traffic you actually need to allow, and open up only for that in the pfSense - that would be a "default deny" approach.

Another way to go about things is to think of what outbound traffic you definitely do not want to allow, and deny that traffic specifically in the pfSense. Naturally this is worse from a security perspective since you're bound to forget about - or not even be aware of - some kinds of traffic you wouldn't want to leave your network.

A better question, perhaps, is this: Does the online service you want to open up traffic for really have to run on the DC, or would it be better to set up a separate VM for that service, and open up for the specific outbound traffic from the new machine instead? Optimally you really only want to run AD and DNS on a DC.

Mikael H
  • Due to financial reasons we can only afford 1 DC and had NPS, AD, DNS and WSUS stored on this device. The online service is a cloud storage solution connected using WebDAV (HTTPS) – MKZ Jan 30 '19 at 08:43
  • Personally, I would like to find those whitelisted ports for this service but it seems that opening TCP 443 to that service (FQDN) is not solving it. – MKZ Jan 30 '19 at 08:44
  • If I was in your shoes, I would write a mail to the person responsible for financing the solution and strongly recommend a) paying for at least one application server separate from the DC, and b) possibly an additional DC to reduce the risk that things go bad. You don't have to actually get the money, but you should be able to point to a written document and say "I told you so" when things go pear-shaped. – Mikael H Jan 30 '19 at 08:55
  • But as for your actual issue: As usual in these cases, the best thing is to set up a test environment that's as similar as possible to your production environment, and analyze traffic in a safe way; i.e. open up outbound traffic and use Wireshark or similar to see what actually goes over the line between an application server and the cloud service. – Mikael H Jan 30 '19 at 08:58
  • Would you really do that to a non-profit company, with just 6 daily users and several hundred users connecting to LDAP web services? There are no resources for additional VMs. On topic: Is it more common to allow all outbound traffic or to allow just whitelisted traffic? The server is not connected to the internet directly. Traffic from the DC passes through the Windows firewall and through pfSense. – MKZ Jan 30 '19 at 16:44
  • As I said in my first post, it all depends. For an otherwise isolated server environment with a good backup strategy and good incoming firewall rules, I would definitely be less concerned than for a small business with Windows laptops connected to the same switch used by its server(s). Or to put it another way: My personal servers at home are behind a forgivingly configured pfSense - basically "allow all" with specific deny rules for a few things like mail except from my mail server. At work we are considerably more careful. – Mikael H Jan 30 '19 at 20:08
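An added example (not from the question, the answer or the pfSense project) of the "analyze what you need, then whitelist" approach the answer recommends, using the firewall's own logs instead of a packet capture: it parses pfSense filterlog records for blocked flows leaving the DC and lists the destination/port pairs as candidate allow rules for review. The log lines and the DC address are constructed here, and the field order assumed is the pfSense 2.2+ filterlog CSV layout.

```python
import csv
import io
from collections import Counter

# Constructed pfSense filterlog records (the CSV body after the syslog header),
# in the field order pfSense 2.2+ uses for IPv4:
#   rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
#   offset,flags,proto_id,proto,length,src,dst,srcport,dstport,...
# "in" means the packet entered the firewall on that interface, so traffic the
# DC sends towards the internet shows up as "in" on the LAN interface (em0).
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,128,1234,0,DF,6,tcp,60,10.0.1.10,203.0.113.20,51544,443,0,S,3210987654,,64240,,mss;nop;wscale;sackOK
5,,,1000000103,em0,match,block,in,4,0x0,,128,1235,0,DF,6,tcp,60,10.0.1.10,203.0.113.20,51545,443,0,S,3210987655,,64240,,mss;nop;wscale;sackOK
5,,,1000000103,em0,match,block,in,4,0x0,,128,1236,0,DF,17,udp,78,10.0.1.10,198.51.100.5,56002,123,58
12,,,1000000120,em0,match,pass,in,4,0x0,,128,1237,0,DF,6,tcp,60,10.0.1.10,192.0.2.40,51546,8530,0,S,3210987656,,64240,,mss;nop;wscale;sackOK
5,,,1000000103,em0,match,block,in,4,0x0,,128,1238,0,DF,6,tcp,60,10.0.1.10,203.0.113.21,51547,443,0,S,3210987657,,64240,,mss;nop;wscale;sackOK
"""

DC_IP = "10.0.1.10"  # constructed address of the domain controller


def blocked_outbound(log_text, src_ip):
    """Count blocked IPv4 flows from src_ip, keyed by (proto, dst, dstport)."""
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 20:
            continue  # truncated or non-IPv4 record
        action, direction, ipver = row[6], row[7], row[8]
        if action != "block" or direction != "in" or ipver != "4":
            continue
        proto, src, dst = row[16], row[18], row[19]
        if src != src_ip:
            continue
        # TCP/UDP records carry src/dst ports right after the addresses.
        dstport = row[21] if proto in ("tcp", "udp") and len(row) > 21 else "-"
        counts[(proto, dst, dstport)] += 1
    return counts


def proposed_rules(counts, min_hits=1):
    """Turn blocked-flow counts into candidate LAN allow rules for review.

    Each tuple is (proto, dst, dstport, hits); only flows seen at least
    min_hits times are proposed, so one-off noise does not become a rule."""
    rules = [(p, d, port, n) for (p, d, port), n in counts.items() if n >= min_hits]
    return sorted(rules, key=lambda r: (-r[3], r[0], r[1], r[2]))


if __name__ == "__main__":
    for proto, dst, port, hits in proposed_rules(blocked_outbound(SAMPLE_LOG, DC_IP)):
        print(f"pass {proto} from {DC_IP} to {dst} port {port}  # {hits} blocked attempt(s)")
```

Each proposed line still needs a human decision (is that destination really the cloud storage or WSUS endpoint?) before it becomes a pfSense rule; the script only narrows the list to what the DC actually tried to reach.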