Security Basics mailing list archives
RE: win2k firewall
From: "Mark S. Searle" <Mark.Searle () lon ipalliance net>
Date: Tue, 7 Jan 2003 17:14:10 -0000
I would purchase an inexpensive firewall, say a PIX 506 or something from eBay, and take the need for a software based firewall away from the web server. This would impact performance anyway and slow things down if you have a high hit volume. I would address the server privately and carry out NAT on the PIX to a public global address. In addition I would only open ports 80 (http) and 443 (https) and make sure that there are no static entries in the PIX for the internal network. This will prevent the web server from being used as a hop point into the Internet. The web server should be placed in a DMZ with a lower security rating than the LAN. Hopefully this will maintain good server performance and represent a reasonably cost effective solution.

Cheers,
Mark Searle
Executive Consultant Manager - Network Engineering
Atos KPMG Consulting - UK

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: 07 January 2003 14:46
To: Rick Darsey; security-basics () securityfocus com
Subject: RE: win2k firewall

Rick,
I would have to disagree with HC's comments on this. First, there should always be some sort of protection between your LAN and the Internet.
I fully agree with this. However, that's not how I interpreted the OP's statements. To me, it sounds as if he wants to load a personal firewall system onto a web server...both the firewall and web server would be running on the same physical hardware. I agree that a security mechanism of some type is necessary between the Internet and a LAN.
Second, if you start shutting down services on the W2K machine, then you are restricting access from within the LAN, making administration and updating the system much harder, as it cannot be done remotely. If you follow this path, and turn off all the services you can think of, and miss one, then you are open to an attack.
Again, I answered the question from an entirely different perspective. The OP made no mention of a LAN, only: "anyone can recommend software firewall for win2k adv. server ? it is planed to be used as web server" No mention of a LAN. However, I think my point still stands...if you're running a web server, just a web server, and you want to protect it, 'tis better to shut off servers than to leave them running and install a firewall. W/ no services running, there is nothing to attack. W/ regards to missing one, tools like netstat and fport will show you very quickly whether you have something bound to a port or not.
With a physical firewall, you specify what to allow, not what to disallow, making it much harder to miss something critical.
Actually, I'm not sure that would be all that much more effective than my suggestion. After all, if you're going to miss the fact that you've got a running service, how would you expect that same person to have the knowledge to explicitly permit or deny other services?
Most, if not all, firewalls have an explicit deny all statement that covers you in the event that you forget something in your access lists.
Yes, they do...but this will also effectively disable necessary/needed services when not employed correctly. Further, all of this stuff about firewalls is completely ineffective when port 80 is allowed through, and the web server isn't correctly configured.
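As an added illustration of the layout Mark describes (privately addressed server, one-to-one NAT to a public address, only 80/443 permitted, no static entries toward the LAN, DMZ at a lower security level), here is a PIX 6.x style configuration fragment. It is not configuration from the thread; the interface names, the `outside_in`/`dmz_in` list names and all addresses (RFC 5737 documentation ranges) are constructed, and it assumes a PIX with a third interface available for the DMZ.

```cisco
! Added example, not from the thread. Addresses and names are constructed.
! Three interfaces: LAN is most trusted, DMZ sits below it, outside is untrusted.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! One-to-one NAT: the privately addressed web server is reachable from the
! Internet only as the single public address 203.0.113.10.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0

! Explicit allow for HTTP and HTTPS only; every other inbound connection
! falls to the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! The web server initiates nothing on its own; connections it answers are
! still tracked statefully, so replies to permitted HTTP/HTTPS flow normally.
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! LAN hosts leave through dynamic PAT on the outside and dmz interfaces.
! Deliberately no static (inside,dmz) entries: nothing in the DMZ can
! reach back into the LAN, so a compromised server is not a hop point.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
```

After loading it, `show access-list` displays per-entry hit counts and `show xlate` lists active translations, which is a quick way to confirm that only the two expected ports are ever matched and that only the one intended static exists.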