Security Basics mailing list archives

RE: win2k firewall


From: "Mark S. Searle" <Mark.Searle () lon ipalliance net>
Date: Mon, 6 Jan 2003 16:57:18 -0000

In all honesty if you are planning to use the box as a web server then it is best not to put a software firewall on it 
at all. Any firewall software will seriously impact on server performance if the hit level is high. Rather it would be 
a better idea, and in line with common sense, to move the security layer away from the web server and just let the 
server fulfill its own function. It's always best to use a dedicated firewall in my opinion. A Cisco PIX firewall or 
Nokia firewall may do the job nicely. Cisco firewalls can be picked up fairly inexpensively on eBay. It would be best 
to move the web server to a DMZ on your firewall and only allow access to ports 80 and 443 (if using SSL) on your 
server. As a further precaution you can privately number your web server and use NAT through the firewall to a global 
public address. You can also prevent people from using your server as a "hop point" if they manage to break through 
your firewall ACLs on a Cisco PIX by restricting your static entries, which prevents the web server from initiating 
connections out to the Internet.

Hope this gives you some ideas. 

Many Regards,

Mark Searle. 

-----Original Message-----
From: Dejan [mailto:sneaker () freemail org mk]
Sent: 05 January 2003 20:02
To: Security-Basics
Subject: win2k firewall


Can anyone recommend a software firewall for win2k adv. server? It is planned
to be used as a web server.
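
An added example, not part of the original post or thread: a small first-match rule check for the DMZ policy described in the reply above (only ports 80 and 443 inbound to the web server, no connections initiated by the web server). The addresses, rule format and function names are constructed for illustration and do not model PIX syntax or NAT.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dport: Optional[int]   # destination port, None = any port

WEB = "10.1.1.10"          # constructed private address of the DMZ web server
ANY = "0.0.0.0/0"

def decide(rules, src, dst, dport):
    """First-match evaluation of a new connection, implicit deny at the end.
    Return traffic of permitted connections is assumed to be handled statefully."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

# Constructed test flows for the policy in the reply: (src, dst, port, expected)
POLICY = [
    ("198.51.100.7", WEB, 80, "permit"),
    ("198.51.100.7", WEB, 443, "permit"),
    ("198.51.100.7", WEB, 3389, "deny"),
    ("198.51.100.7", WEB, 445, "deny"),
    (WEB, "203.0.113.50", 80, "deny"),    # server initiating out ("hop point")
    (WEB, "203.0.113.50", 6667, "deny"),
]

def audit(rules):
    """Return the flows whose decision differs from what the policy expects."""
    return [(s, d, p) for s, d, p, want in POLICY
            if decide(rules, s, d, p) != want]

# Rule set matching the advice: web ports in, nothing initiated by the server.
HARDENED = [
    Rule("permit", ANY, WEB + "/32", 80),
    Rule("permit", ANY, WEB + "/32", 443),
]
# Same rules plus a blanket outbound permit for the server.
WEAK = HARDENED + [Rule("permit", WEB + "/32", ANY, None)]

if __name__ == "__main__":
    print("hardened violations:", audit(HARDENED))
    print("weak violations:    ", audit(WEAK))
```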


