doesn't offer much protection. It is better than nothing at all, but not
much more. Even using a personal firewall is better. One of the reasons people
say that Linux is a more secure OS is the unavailability of a firewall in Windows.
Linux comes with a strong firewall in popular distributions. Here is my
estimate of the security of your Windows box:
1. no firewall at all
2. using the MS built-in packet filter
3. personal firewall
4. using a router with a firewall
5. using a "real" firewall that is stateful, on a common OS
6. using a "real" firewall that is stateful, on a dedicated OS
7. using a "real" proxy firewall on a common OS
8. using a "real" proxy firewall on a dedicated OS
I would tie 6 and 7. Of course, the specifics of the product will matter a lot,
as will the knowledge of the person that sets it all up. So the above is only a very
general outline.
TK
[Tom Kitta] -----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 4:32 PM
To: CF-Talk
Subject: Re: OT-Firewall
Mike Brunt wrote:
> Eric, we use Tiny Firewall for this sort of requirement.
>
> http://www.tinysoftware.com/home/tiny2?la=EN
>
> Hth, I am sure Jochem will have some good recommendations on this also.
I'm not sure if they are good, I could use some peer review ;-)
My usual solution is to enable the built-in packet filter and
not run anything else. Open port 80 for HTTP and optionally 21
for FTP (active only), 443 for HTTPS, X for remote control
software, and leave the rest closed. UDP is a bit more tricky: DNS
will fail because you are really using a client, and the client
runs on an ephemeral port (the server runs on 53). You should be
able to get around this if you have a second NIC and your DNS
server is on the local subnet; otherwise I just leave it unfiltered
(it is filtered at the router here anyway).
After that, follow the instructions in the Microsoft TCP/IP
whitepaper [1] to further harden your stack. There are also some
templates available from the NSA.
Overall I have not had any problems with such a configuration. It
is also a great way to connect unpatched systems during installation.
[1] http://www.microsoft.com/windows2000/techinfo/howitworks/communications/networkbasics/tcpip_implement.asp
Jochem
--
I don't get it
immigrants don't work
and steal our jobs
- Loesje
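Added example, not from anyone in this thread: a small simulation of the difference Jochem and Tom are discussing. A stateless packet filter judges each inbound packet by its header alone, so a DNS reply to the client's ephemeral port is dropped; a stateful filter remembers the outbound query and admits the matching reply. Addresses, port numbers and the class/function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True = arriving at the host from the network

# Services the post opens on the host (21 for FTP is optional and omitted here).
OPEN_TCP_PORTS = {80, 443}

def stateless_allows(pkt: Packet) -> bool:
    """Built-in packet filter model: inbound packets are judged on their own
    header only, with no memory of what the host sent earlier."""
    if not pkt.inbound:
        return True
    if pkt.proto == "tcp":
        return pkt.dport in OPEN_TCP_PORTS
    return False   # no UDP service listens here, so all inbound UDP is dropped

class StatefulFilter:
    """Records outbound flows and admits inbound packets that answer them."""
    def __init__(self):
        self.flows = set()

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.proto == "tcp" and pkt.dport in OPEN_TCP_PORTS:
            return True
        # A reply reverses addresses and ports of a flow the host opened itself.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def dns_exchange(filt) -> tuple:
    """Constructed sample: host 192.0.2.10 queries resolver 192.0.2.53 from
    ephemeral port 3456; the reply comes back from port 53 to port 3456.
    Returns (query allowed, reply allowed)."""
    query = Packet("udp", "192.0.2.10", 3456, "192.0.2.53", 53, inbound=False)
    reply = Packet("udp", "192.0.2.53", 53, "192.0.2.10", 3456, inbound=True)
    allow = filt if callable(filt) else filt.allows
    return allow(query), allow(reply)

if __name__ == "__main__":
    print("stateless:", dns_exchange(stateless_allows))   # (True, False)
    print("stateful: ", dns_exchange(StatefulFilter()))   # (True, True)
```

The stateless result is the DNS failure described in the post; the stateful result is why Tom ranks a stateful firewall above the built-in packet filter.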