RE: win2k firewall

["Jimmy Sansi" <jsansi () ritzfoodservice com>]

Running a firewall on a seperate machine or the server itself is 
not a replacement for good security configurations and keeping the 
system patched and plugged.

If it is dedicated to being a webserver only, turn off non-essential 
services and stick it in a DMZ. As someone else mentioned using 
a software based firewall on the system itself could load it 
down if heavily trafficed, this may be a trade off however.

If your hosting database integrated web applications or using it 
to pull double duty by running other networking services like a DC(I 
wouldn't recomend doing so) there are more precautions to consider.

Use nmap or some other program to probe the open ports after
turning off services and uninstalling uneeded programs. I guess
this is starting to sound redundant redundant and a bit off 
from the original topic by now. :-)

-Jimmy


-----Original Message-----
From: Daniel R. Miessler [mailto:danielrm26 () hotmail com]
Sent: Wednesday, January 08, 2003 10:41 AM
To: 'H C'; security-basics () securityfocus com
Subject: RE: win2k firewall


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Perhaps you're not familiar with what Code Red does.
> First off, it doesn't attack the operating system, it
> attacks the web server.  Second, all that is required
> to protect yourself against CR is to disable the
> ida/idq script mapping.  In fact, disabling unused
> script mappings (ie, unnecessary or unused
> services/functionality) is not only common sense, but
> it's also all over every site that talks about
> information security.

Dude, my intention is not to debate with you about this or that
little issue.  Most don't run Apache on W2K - they run IIS.  He asked
what a good firewall was to put on a W2K server, and I said that he
should use a solution that will monitor ALLOWED traffic.  I can't
possibly see what is wrong with this.  He is asking what firewall he
should use on a server, I said BlackIce.  Do you know of another
FIREWALL (Snort is an IDS) that he can put on a W2K server that will
afford any protection over turning off services, i.e. one that will
look for and block dangerous payloads in allowed traffic?

The major issue, as you know, with firewalling a server is that you
have to let things in.  And since the vast majority of firewalls do
nothing for inbound traffic, it is often said that putting a software
firewall on a server is close to pointless.  This is why I mentioned
BlackIce - it is one of the few software firewalls that does offer
additional protection for machines offering services.  Granted, it
does it by using a rulebase, but it does have some heuristic
capabilities, and it is at least another layer to add to the weak
link presented by allowed services.  

In short, I can't see what your beef is.  The recommendation of a
software firewall that runs on W2K Server and offers a unique
protection feature is more than appropriate for this discussion,
especially since that was the very question asked by the original
poster.  Please show me where I have gone astray.

- -Daniel R. Miessler

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPhtQd1Jwf7WiYT5vEQLnYQCfey7VPI5+I3O2iEoRqwwkqRwuqvsAn0OB
r3xqcagLGQS3QZbnbtcAS8Fj
=YNjd
-----END PGP SIGNATURE-----