Security Basics mailing list archives

RE: win2k firewall


From: "Rick Darsey" <rdarsey () aims1 com>
Date: Tue, 7 Jan 2003 07:55:58 -0600

I would have to disagree with HC's comments on this.

First, there should always be some sort of protection between your LAN and
the Internet.  A physical firewall that will do NAT is the best.  This will
allow the traffic you want to reach the appropriate machine, but block
anything else. It also allows you to use several different systems for
different functions, i.e. FTP, SMTP, POP, HTTP, adding another level of
security.

Second, if you start shutting down services on the W2K machine, then you are
restricting access from within the LAN, making Administration and updating
the system much harder, as it cannot be done remotely.  If you follow this
path, and turn off all the services you can think of, and miss one, then you
are open to an attack. With a physical firewall, you specify what to allow,
not what to disallow, making it much harder to miss something critical.
Most, if not all, firewalls have an explicit deny all statement that covers
you in the event that you forget something in your access lists.

Rick

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Monday, January 06, 2003 2:27 PM
To: security-basics () securityfocus com
Subject: re: win2k firewall


anyone can recommend software firewall for win2k adv. server ?
it is planned to be used as web server

Web servers, even those on Win2K, shouldn't need or
have a firewall.  This is true for several reasons...

1.  What is the purpose of running a web server on a
firewall?  Does that make sense?  No, of course not.

2.  If you're concerned about restricting ports, why
not simply disable or remove all unnecessary services?
 You're going to configure the firewall to allow port
80 (and maybe 443) anyway, right?  So why not simply
save yourself some hard drive space, memory, as well
as admin and management headaches by simply turning
off everything else?  There's no reason you need to
have the Server service running, for example, on a web
server.  In fact, you don't even need NetBIOS/NetBEUI
installed.

So...if you turn off all the services that you don't
need, and you only have ports 80 (and 443, maybe)
open, then what would be the point of the firewall?


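The two positions in this thread, as an added example that is not part of the original messages: a first-match allow list ending in a deny-all rule at a NAT firewall, compared with a host that relies only on switching services off when some are missed. The addresses, rule table, service names and listening-port list are constructed for illustration.

```python
# Added illustration; addresses, rules and the service list are constructed.
from ipaddress import ip_address, ip_network

# Perimeter policy: first match wins. NAT forwards each allowed port to the
# internal machine that runs that function.
RULES = [
    # (action, source network, public TCP port, internal target)
    ("allow", "0.0.0.0/0", 80,   "192.168.1.10"),  # HTTP
    ("allow", "0.0.0.0/0", 443,  "192.168.1.10"),  # HTTPS
    ("allow", "0.0.0.0/0", 25,   "192.168.1.20"),  # SMTP
    ("allow", "0.0.0.0/0", 21,   "192.168.1.30"),  # FTP
    ("deny",  "0.0.0.0/0", None, None),            # explicit deny all
]

# Simplified view of what a web server host might listen on.
LISTENING = {80: "web", 443: "web", 135: "rpc", 139: "netbios-ssn",
             445: "smb", 3389: "terminal-services"}

# Services the administrator remembered to turn off; two were missed.
DISABLED = {"netbios-ssn", "smb"}


def evaluate(src, port, rules=RULES):
    """Return (action, internal target) for an inbound TCP connection."""
    for action, net, rule_port, target in rules:
        if ip_address(src) in ip_network(net) and rule_port in (None, port):
            return action, target
    return "deny", None  # implicit deny if the table has no catch-all


def exposed_ports(listening, disabled, rules=None, src="203.0.113.7"):
    """Ports on the host that an outside source can reach.

    rules=None models the host sitting directly on the Internet.
    """
    still_up = {p: s for p, s in listening.items() if s not in disabled}
    if rules is None:
        return sorted(still_up)
    return sorted(p for p in still_up if evaluate(src, p, rules)[0] == "allow")


if __name__ == "__main__":
    print("no firewall:  ", exposed_ports(LISTENING, DISABLED))
    print("with firewall:", exposed_ports(LISTENING, DISABLED, RULES))
```
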

