Using just Windows packet filtering is not enough; it is stateless and
doesn't offer much protection. It is better than nothing at all, but not
much more. Even using a personal firewall is better. One of the reasons people
say that Linux is a more secure OS is the unavailability of a firewall in Windows.
Linux comes with a strong firewall in popular distributions. Here is my
estimate of the security of your Windows box:
1 no firewall at all
2 using the MS built-in packet filter
3 personal firewall
4 using a router with a firewall
5 using a "real" firewall that is stateful, on a common OS
6 using a "real" firewall that is stateful, on a dedicated OS
7 using a "real" proxy firewall on a common OS
8 using a "real" proxy firewall on a dedicated OS
I would tie 6 and 7. Of course, the specifics of the product will matter a lot,
as will the knowledge of the person who sets it all up. So the above is only a very
general outline.

TK
[Tom Kitta]

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 4:32 PM
To: CF-Talk
Subject: Re: OT-Firewall
Mike Brunt wrote:
> Eric, we use Tiny Firewall for this sort of requirement.
>
> http://www.tinysoftware.com/home/tiny2?la=EN
>
> Hth, I am sure Jochem will have some good recommendations on this also.
I'm not sure if they are good, I could use some peer review ;-)
My usual solution is to enable the built-in packet filter and
not run anything else. Open port 80 for HTTP and optionally 21
for FTP (active only), 443 for HTTPS, and X for remote control
software, and leave the rest closed. UDP is a bit more tricky: DNS
will fail because you are really using a client, and the client
runs on an ephemeral port (the server runs on 53). You should be
able to get around this if you have a second NIC and your DNS
server is on the local subnet; otherwise I just leave it unfiltered
(it is filtered at the router here anyway).
After that, follow the instructions in the Microsoft TCP/IP
whitepaper [1] to further harden your stack. There are also some
templates available from the NSA.
Overall I have not had any problems with such a configuration. It
is also a great way to connect unpatched systems during installation.
[1] http://www.microsoft.com/windows2000/techinfo/howitworks/communications/networkbasics/tcpip_implement.asp
Jochem
--
I don't get it
immigrants don't work
and steal our jobs
- Loesje
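The distinction Tom's ranking turns on (a stateless packet filter versus a stateful firewall) and the DNS failure Jochem describes can both be seen in a small model of the two filter types. What follows is an added example, not code from either poster or from Microsoft's filtering implementation; the addresses, the ephemeral and probe port numbers, and the names `Packet`, `stateless_decide` and `StatefulFilter` are assumptions made for illustration. The allow-list is Jochem's: TCP 80, 21 and 443 inbound, nothing else.

```python
"""Stateless port filter versus stateful filter, on constructed traffic.

Shows why a stateless inbound allow-list breaks DNS on the filtered host:
the resolver's reply arrives from server port 53 to the client's ephemeral
port, which no static rule permits, whereas a filter that remembers flows
the host itself opened lets the reply through. Toy model, not a real filter.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

SERVER = "203.0.113.10"        # assumed address of the filtered web server
DNS_SERVER = "198.51.100.53"   # assumed address of its resolver
CLIENT = "192.0.2.7"           # assumed address of a remote browser / scanner

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def inbound(self) -> bool:
        return self.dst_ip == SERVER


# Jochem's allow-list: HTTP, FTP control (active mode only), HTTPS.
ALLOWED_INBOUND: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 21), ("tcp", 443)}


def stateless_decide(pkt: Packet) -> bool:
    """Per-packet lookup with no memory, like the built-in TCP/IP filter:
    outbound always passes, inbound passes only to an allow-listed port."""
    if not pkt.inbound:
        return True
    return (pkt.proto, pkt.dst_port) in ALLOWED_INBOUND


class StatefulFilter:
    """Same allow-list, plus a table of flows the host itself initiated, so
    a reply to one of those flows is accepted although no static rule matches."""

    def __init__(self, allowed: Set[Tuple[str, int]]):
        self.allowed = set(allowed)
        self.flows: Set[Flow] = set()

    def decide(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if (pkt.proto, pkt.dst_port) in self.allowed:
            return True
        # Accept only if this is the exact reverse of a flow we opened.
        reverse: Flow = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows


def run(decide: Callable[[Packet], bool], packets: Iterable[Packet]) -> List[bool]:
    """Apply a decision function to packets in order; True means 'pass'."""
    return [decide(p) for p in packets]


# Constructed traffic, in arrival order.
TRAFFIC: List[Packet] = [
    Packet("tcp", CLIENT, 51000, SERVER, 80),        # browser connects to the web server
    Packet("udp", SERVER, 49152, DNS_SERVER, 53),    # server sends a DNS query
    Packet("udp", DNS_SERVER, 53, SERVER, 49152),    # resolver answers to the ephemeral port
    Packet("tcp", CLIENT, 51001, SERVER, 3389),      # scanner probes RDP
    Packet("tcp", CLIENT, 51002, SERVER, 50000),     # passive-mode FTP data connection
    Packet("udp", CLIENT, 53, SERVER, 49153),        # unsolicited UDP forged from port 53
]


def compare() -> Dict[str, List[bool]]:
    """Run the same traffic through both filters and return the verdicts."""
    return {
        "stateless": run(stateless_decide, TRAFFIC),
        "stateful": run(StatefulFilter(ALLOWED_INBOUND).decide, TRAFFIC),
    }


if __name__ == "__main__":
    verdicts = compare()
    for pkt, a, b in zip(TRAFFIC, verdicts["stateless"], verdicts["stateful"]):
        print(f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  stateless={'pass' if a else 'drop'}  stateful={'pass' if b else 'drop'}")
```

Packet 3 is the one that matters: the stateless filter drops the DNS answer because 49152 is not on the allow-list, which is exactly the failure Jochem works around with a second NIC or by leaving UDP unfiltered; the stateful filter passes it because it saw the query go out. Packet 5 shows why he says "active only" for FTP: a passive-mode data connection arrives on an arbitrary high port and is dropped by both filters. Packet 6 shows the forged-source-port trick a stateful filter still resists, since no matching outbound flow exists.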