Full Disclosure mailing list archives
RE: Firewall solution for Windows 2003 Server
From: "Chris Scott" <cscott () fluidsmgmt com>
Date: Sun, 25 Apr 2004 02:25:43 -0500
Consider also a hardware firewall that runs at Layer 2, this way you get the filtering but you don't have to do any routing or NAT. These are the same as "transparent" firewalls, as they do not have an IP address unless it is for a management interface. I believe Netscreen currently has the ability to run at Layer 2, and Cisco's PIX will have this ability soon with version 7.0 of Finesse (PIX operating system) which is due out later this year. I am not sure if Checkpoint offers this or not.

You might consider a L2 firewall deployment combination with a Host-based Intrusion Prevention deployment such as the Cisco Security Agent, or a combination Host IPS/Firewall such as Sygate's offering. I like the Cisco Security Agent because it is behavioral-based (it doesn't need signature updates). Sygate needs signature updates, however it is very easy to manage. CSA is a little more stubborn on the management side, in my opinion.

Also, you might want to check into network-based Intrusion Prevention systems. Netscreen and Tipping Point would be two to look at, I believe one of the handlers at ISC is also working on one. These devices will go a lot further in the inspection of traffic than a standard firewall would. They are basically IDS systems that sit in-line, to give you an idea of their inspection abilities. They also can run at L2.

If I had to choose between a hardware firewall (L2 or L3), a software firewall/IPS deployment, or an in-line IPS device to protect my server farm, I'd probably choose the in-line IPS device but only after it was tested for false-positives/negatives. If the false-positives/negatives rate was too much, I'd take the hardware firewall. I simply do not trust software firewalls installed on the server enough to act as the only layer of protection for the server farm. They are good to augment existing server farm defenses, but I would use them only in that role, as augmentation.

I'd choose the in-line IPS device over a firewall because of its detailed inspection abilities. However, like I mentioned I would test the device hard for false-positives/negatives. They aren't as much of a problem now as they were with early IDS devices, but they still exist and can still be fatal in a production network.

Just my $.02

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
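The post's decision rule (in-line IPS only if its false-positive/negative rates hold up in testing, otherwise fall back to the hardware firewall) as a small scoring script. This is an added example, not part of the original message or any vendor's tooling; the IPS verdict log format, the labelled flows and the acceptance thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed IPS decisions from a test window: one line per flow, "<flow-id> <verdict>".
# The format is an assumption, not a real product's log layout.
IPS_LOG = """\
f001 PASS
f002 DROP
f003 DROP
f004 PASS
f005 DROP
f006 PASS
f007 PASS
f008 DROP
"""

# Constructed ground truth from the test harness: which flows were actually malicious.
GROUND_TRUTH = {"f001": False, "f002": True, "f003": True, "f004": False,
                "f005": False, "f006": True, "f007": False, "f008": True}

LINE_RE = re.compile(r"^(\S+)\s+(PASS|DROP)$")

def confusion(log: str, truth: dict) -> Counter:
    """Count TP/FP/TN/FN by joining IPS verdicts with the labelled flows."""
    c = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) not in truth:
            continue  # unparseable or unlabelled flow: skip it rather than guess
        flow, verdict = m.groups()
        dropped, malicious = verdict == "DROP", truth[flow]
        if dropped and malicious:
            c["TP"] += 1
        elif dropped and not malicious:
            c["FP"] += 1  # benign traffic blocked: the production-breaking case
        elif not dropped and malicious:
            c["FN"] += 1  # attack passed through to the server farm
        else:
            c["TN"] += 1
    return c

def rates(c: Counter) -> tuple:
    """False-positive rate (benign flows dropped) and false-negative rate (malicious flows passed)."""
    benign, malicious = c["FP"] + c["TN"], c["TP"] + c["FN"]
    return (c["FP"] / benign if benign else 0.0,
            c["FN"] / malicious if malicious else 0.0)

def choose(fpr: float, fnr: float, max_fpr: float = 0.05, max_fnr: float = 0.10) -> str:
    """Apply the rule from the post; the thresholds are assumed values, tune them to the site."""
    return "inline-ips" if fpr <= max_fpr and fnr <= max_fnr else "hardware-firewall"
```

With the constructed data the IPS misses one attack and blocks one benign flow out of four each, so both rates are 0.25 and the script falls back to the hardware firewall.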
Current thread:
- Firewall solution for Windows 2003 Server Ondrej Krajicek (Apr 24)
- Re: Firewall solution for Windows 2003 Server Irwan Hadi (Apr 24)
- Re: Firewall solution for Windows 2003 Server Lee (Apr 24)
- Re: Firewall solution for Windows 2003 Server Irwan Hadi (Apr 24)
- Re: Firewall solution for Windows 2003 Server Ondrej Krajicek (Apr 25)
- Re: Firewall solution for Windows 2003 Server KF (lists) (Apr 24)
- RE: Firewall solution for Windows 2003 Server Chris Scott (Apr 25)
- Re: Firewall solution for Windows 2003 Server Lee (Apr 24)
- Re: Firewall solution for Windows 2003 Server Niek Baakman (Apr 24)
- Re: Firewall solution for Windows 2003 Server Asenchi (Apr 27)
- Re: Firewall solution for Windows 2003 Server Ondrej Krajicek (Apr 28)
- Re: Firewall solution for Windows 2003 Server Irwan Hadi (Apr 24)