Security Basics mailing list archives

FW: win2k firewall


From: "Mahoney, Paul" <paul () fiberstarr com>
Date: Thu, 9 Jan 2003 00:13:22 -0800


Ok guys, I have to add my pennyworths here.

I have for many years run web servers live on the Internet in
environments with and without any type of firewall.  I would not
recommend this way to an individual, but the benefits seen through
increased performance, lack of admin, reduced costing, etc. are easily
identifiable.

Additionally I have had experience with using BlackIce on W2k Web
servers; I have not found this software reliable enough to be used in
production environments, although it is a great product for workstations
or on an 'as needed' basis for servers.

Good design and thought to security policies are fundamental to the
security of data.  We should start not with the device, but the 'wire
security' to it.  Firstly I would recommend a simple access list on a
Cisco router allowing only ports 80 and 443 inbound.

Secondly it is imperative to harden that server in any way possible,
without the addition of 3rd party software (Microsoft's website is a
great starting point for this).

Only once that is complete should you be asking yourself about firewalls
and IDS systems.

With processing power and memory available, people are less concerned
with shoehorning as many resources as possible from these machines;
therefore it IS commonplace to see the likes of BlackIce etc on
production servers.

People have recommended the Cisco PIX firewall, a great device, a great
price.  However I feel that as this post is based upon WIN2K firewalls,
I believe we need to look at something more like a GUI configuration.

My advice would be to look at the Netscreen range of products,
competitively priced, easy to configure and, yes, a top performer.

Regards,

Paul Mahoney
FiberStarr Systems
www.fiberstarr.com
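The "simple access list" the post recommends, shown as an added example that is not part of the original message: an extended ACL on a Cisco IOS router that permits only HTTP and HTTPS inbound to a web server and drops (and logs) everything else. The server address 192.0.2.10, the ACL name and the interface name are assumptions.

```cisco
! Added example, not from the original post. Assumes the web server sits at
! 192.0.2.10 behind interface FastEthernet0/0 (both placeholder values).
ip access-list extended WEB-IN
 ! Only the two services the server is meant to offer are reachable
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 ! Everything else is dropped; 'log' makes the blocked attempts visible
 ! in the router's syslog so the hits can be reviewed
 deny ip any any log
!
interface FastEthernet0/0
 description Internet-facing interface
 ip access-group WEB-IN in
!
! After applying, 'show ip access-lists WEB-IN' shows per-line match counts,
! which is a quick way to confirm that only 80/443 traffic is being accepted.
```

Note that this list also blocks replies to connections the server itself opens (DNS lookups, patch downloads), so if the server must initiate outbound sessions, add a `permit tcp any host 192.0.2.10 established` line or use a stateful feature such as reflexive ACLs rather than loosening the list.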
