
block NetBIOS and RPC traffic through router?

Status
Not open for further replies.

kelli (Technical User)
Jan 29, 2002
I have a win2000 server that serves as our main dns machine and another winNT 4 web server. They have recently received a couple of ads via the windows Messenger service. I checked the Microsoft Knowledge Base Articles and found Q330904 which said the resolution was to install a firewall to block NetBIOS and RPC traffic. Since these machines are not behind a firewall, I was wondering if I could block this traffic through the router. Our gateway is a Cisco 3620.

If it is possible, can someone direct me to detailed how-to's? I am very new to this.

Thank you for any ideas on this one.
Kelli
 
First of all, I can not think of any good reason that a pair of servers should not be behind a firewall of some kind.

On the router side, an access list blocking port 139 (I think) will stop them.

or

You can try this:

Control Panel >
Administrative Tools >
Services >

Then scroll to 'Messenger', right-click it and go to Properties. There, there is a drop-down box that says how it is started: Auto, Manual, Disabled.

This varies slightly depending on whether it's Windows NT 4 or 2K Server.

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Mike -

I notice that you get involved with a lot of topics. What is your background? You seem to be extremely intelligent about in-depth networking on Microsoft and Cisco platforms... if others are your strength, I have just looked at those forums. I mean you have A LOT of hands-on. I have been consulting for about 2 years, focusing on Cisco products, so I get a pretty fair amount. Do you work for an ISP or something?

brian
 
MikeS-

Thank you for your reply. So an access list port block on all ports that Messenger uses is needed on the router side? Microsoft mentions 135, 137 and 139. I bet I can find a thread on this forum telling me how to set this up.

You've brought up a good point by saying you don't know why the 2 servers are not behind a firewall. We have a 10. network and honestly I don't know how to put up a firewall in front of web and dns servers that need to send and receive all of the time. Once again, I'm just learning, so any advice means a lot to me.

Thanks Mike.
 
Kelli-

There are many different types of firewalls, some good and some not so good. A lot depends on what your budget, if any, is for something like this. But, with that said, you can do something like buy (or borrow) an older PII 300-400 and throw BSD or Red Hat on it for the OS and then use one of several firewall packages, or the cheap way, which is IP Chains.

Another option is to get a PIX 501 or 506, depending on user count and traffic. Get them used off eBay and save a few bucks. An old WebRamp firewall, which is really a SonicWall with a 25-user license, can be had for under 60 bucks.

internet---firewall--------router-----LAN
              |
              |---------DMZ where the DNS and webservers live

Forgive the ASCII art.. it's tough to draw here :)

So you can see there are lots of options for a firewall of some type, ranging from almost free to several hundred dollars.

You want to set up an extended access list, which will let you specify which ports to block on an IP or range of IP addresses.

I'm sure there are more than a few threads on how to set it up. I just posted something a few weeks ago that went into quite a bit of detail... darned if I can find it now.

I can suggest a decent book on access lists called Cisco Access Lists by O'Reilly.

A second choice (I have both) is a field guide to access lists.

You could not really go wrong with either one.


MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
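An extended access list of the kind this answer describes, written out as an added example (it is not MikeS's own config). It assumes the Internet-facing interface on the 3620 is Serial0/0 and that the LAN is the 10.0.0.0/8 range Kelli mentioned; it also covers UDP 138, the NetBIOS datagram port, which the thread does not list.

```cisco
! Added example: extended ACL on a Cisco IOS router that drops inbound
! NetBIOS and RPC endpoint-mapper traffic from the Internet to a 10/8 LAN.
! Serial0/0 and 10.0.0.0/8 are assumptions; adjust to your own interface and range.
!
! Extended ACLs use the 100-199 number range; 101 is an arbitrary choice.
! Wildcard mask 0.255.255.255 means "any address whose first octet is 10".
access-list 101 remark Block Messenger spam: RPC endpoint mapper and NetBIOS
access-list 101 deny   tcp any 10.0.0.0 0.255.255.255 eq 135 log
access-list 101 deny   udp any 10.0.0.0 0.255.255.255 eq 135 log
access-list 101 deny   udp any 10.0.0.0 0.255.255.255 range 137 138 log
access-list 101 deny   tcp any 10.0.0.0 0.255.255.255 eq 139 log
! Every access list ends in an implicit "deny ip any any". Without this
! final permit the DNS and web servers would stop receiving all traffic.
access-list 101 permit ip any any
!
! Apply the list inbound on the interface that faces the Internet.
interface Serial0/0
 description Link to the Internet
 ip access-group 101 in
```

After applying it, `show access-lists 101` shows a hit counter per line, and the `log` keyword writes a syslog message for each matched packet so you can confirm the ads are actually being dropped at the router.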
 
Brian-

I've been involved with networks of one sort or another for over 20 years. My first real network was Netware ELS 2.15 running on ThinNet and an IBM PS/2 (ugh); I was styling with my 386SX LOL!!! At the time I also supported several networks running ThickNet, MicroVAXs and a pile of other ancient stuff ;)

Right now I consult... or at least I do when the economy hasn't tanked so badly. I hold a few different certifications, I spend a lot of time working with Sniffer and EtherPeek, have been trained on cybercrime techniques and trapping methods, and play with things like Snort for IDS and any other *toy* that comes my way. Right now I've been doing a lot with wireless security and a tool called AirMagnet, which is a rocking toy to have for site surveys. I've been published a couple of times, both as an author and as tech consultant for the actual author.

When I'm not glued to the screen of a PC, I restore antique radios and play the photographer. I find it helps a lot to have varied interests, as many times something from a hobby can overlap into work, either as a help or as a conversation starter with a client.

If you want to know more, drop by the website and take a look around. Pay attention to the tutorials... several are my own creations.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 