Security Basics mailing list archives

RE: win2k firewall


From: "Zimin, Alex" <alex () towerrecords com>
Date: Wed, 8 Jan 2003 11:21:43 -0800

In some cases a UNIX box or Cisco firewall is not an option.
I had to deal with the Satellite ISP, where only a Windows box can be connected to the Internet.

Kerio makes a firewall product which is free for personal use.
http://www.kerio.com/us/kpf_download.html

I'm not sure how good it is compared to other Windows firewalls, but it's free for personal use.

Alex.

-----Original Message-----
From: Mark S. Searle [mailto:Mark.Searle () lon ipalliance net] 
Sent: Tuesday, January 07, 2003 9:14 AM
To: H C; Rick Darsey; security-basics () securityfocus com
Subject: RE: win2k firewall

I would purchase an inexpensive firewall, say a PIX 506 or something from eBay, and take the need for a software-based
firewall away from the web server. This would impact performance anyway and slow things down if you have a high hit
volume. I would address the server privately and carry out NAT on the PIX to a public global address. In addition, I
would only open ports 80 (http) and 443 (https) and make sure that there are no static entries in the PIX for the
internal network. This will prevent the web server from being used as a hop point into the Internet. The web server
should be placed in a DMZ with a lower security rating than the LAN. Hopefully this will maintain good server
performance and represent a reasonably cost-effective solution.
