Security Basics mailing list archives

RE: win2k firewall


From: "Mark S. Searle" <Mark.Searle () lon ipalliance net>
Date: Tue, 7 Jan 2003 17:14:10 -0000

I would purchase an inexpensive firewall, say a PIX 506 or something from eBay and take the need for a software based 
firewall away from the web server. This would impact performance anyway and slow things down if you have a high hit 
volume. I would address the server privately and carry out NAT on the PIX to a public global address. In addition I 
would only open ports 80 (http) and 443 (https) and make sure that there are no static entries in the PIX for the 
internal network. This will prevent the web server from being used as a hop point into the Internet. The web server 
should be placed in a DMZ with a lower security rating than the LAN. Hopefully this will maintain good server 
performance and represent a reasonably cost-effective solution. 

Cheers,

Mark Searle
Executive Consultant
Manager - Network Engineering
Atos KPMG Consulting - UK
 

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: 07 January 2003 14:46
To: Rick Darsey; security-basics () securityfocus com
Subject: RE: win2k firewall


Rick,

> I would have to disagree with HC's comments on this.
> 
> First, there should always be some sort of
> protection between your LAN and
> the Internet. 

I fully agree with this.  However, that's not how I
interpreted the OP's statements.  To me, it sounds as
if he wants to load a personal firewall system onto a
web server...both the firewall and web server would be
running on the same physical hardware.  

I agree that a security mechanism of some type is
necessary between the Internet and a LAN.
 
> Second, if you start shutting down services on the
> W2K machine, then you are
> restricting access from within the LAN, making
> Administration and updating
> the system much harder, as it cannot be done
> remotely.  If you follow this
> path, and turn off all the services you can think
> of, and miss one, then you are open to an attack. 

Again, I answered the question from an entirely
different perspective.  The OP made no mention of a
LAN, only: 

"anyone can recommend software firewall for win2k adv.
server ? it is planed to be used as web server"

No mention of a LAN.  

However, I think my point still stands...if you're
running a web server, just a web server, and you want
to protect it, 'tis better to shut off servers than to
leave them running and install a firewall.   W/ no
services running, there is nothing to attack.  W/
regards to missing one, tools like netstat and fport
will show you very quickly whether you have something
bound to a port or not.

> With a physical firewall, you
> specify what to allow,
> not what to disallow, making it much harder to miss
> something critical.

Actually, I'm not sure that would be all that much
more effective than my suggestion.  After all, if
you're going to miss the fact that you've got a
running service, how would you expect that same person
to have the knowledge to explicitly permit or deny
other services.

> Most, if not all, firewalls have an explicit deny
> all statement that covers
> you in the event that you forget something in your
> access lists.

Yes, they do...but this will also effectively disable
necessary/needed services when not employed correctly.

Further, all of this stuff about firewalls is
completely ineffective when port 80 is allowed
through, and the web server isn't correctly
configured.


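The check H C describes above (using netstat to confirm that nothing but the web server is bound to a port), as an added example that is not from the thread: a small Python script that parses Windows 2000 `netstat -an` output and reports every listener outside an 80/443 allow-list. The netstat sample is constructed, and the column layout the parser assumes is the classic Windows one.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: what a Win2K web host might print before unneeded services are stopped.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:51234      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# A host that is "just a web server" should expose only these (proto, port) pairs.
WEB_ONLY: Set[Tuple[str, int]] = {("TCP", 80), ("TCP", 443)}

# Assumed layout: proto, local addr:port, foreign addr:port, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every socket that accepts traffic.

    TCP counts only in LISTENING state; UDP sockets carry no state and any
    bound UDP port is reachable, so all of them are included.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a layout this parser does not know
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing sockets are not exposed services
        found.append((proto, addr, port))
    return found


def unexpected_listeners(netstat_text: str, allowed=WEB_ONLY) -> List[Tuple[str, str, int]]:
    """Listeners whose (proto, port) is not in the allow-list, sorted for a stable report."""
    return sorted(l for l in listeners(netstat_text) if (l[0], l[2]) not in allowed)
```

Anything the script reports is a service H C would shut off before relying on a firewall; on the sample it flags RPC, NetBIOS and SMB listeners while leaving the two web ports alone.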



