> Personally I would install a separate linux server (you can 
> use it as a mail server, file server, or multitude of other 
> uses), and use the iptables firewall on there to manage the 
> connections to your prd (or dev) web server.
> Iptables is one of the best firewalls out there, and if there 
> is an exploit for the OS (which might kill your windows 
> server, whether or not it has a firewall on it), at least you 
> have 2 levels of protection here.  First they would have to 
> root your linux server, and then hack your windows box.  2 
> separate OSes are more secure than plain old W1nbl0w$.

And personally, that might be the best solution for you. I think that, given
the appropriate time and knowledge, it might be an important part of a
complete solution for most people, especially given the nice Linux dedicated
firewall distros like Smoothwall, ClarkConnect as Jim mentioned, Astaro,
etc.

But that still doesn't solve Bryan's immediate problem, which is protecting
his host. Having a dedicated firewall is a good thing, but it is not a
substitute for appropriate host-based security unless you have a very, very
small network. And, if you do have a very, very small network, you can
create an IP security policy for a host in a few minutes (if you know how)
or an hour (if you don't), then wait until next week or whenever to build a
Linux server.

And, if you don't know how to install, secure and manage Linux, you might
not be any better off than you were when you started. Many, many people who
manage CF development servers running on Windows would fall within this
category. Using your Linux server as anything other than a dedicated
firewall (such as using it as a mail server, file server, or using any of
the multitude of other services available) makes this quite problematic as
well.

Finally, there have historically been very few Windows OS exploits that
couldn't be prevented using a host-based firewall (or even just shutting
down vulnerable services that you don't usually need anyway).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
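The reply above says a host-based IP security policy for a small network can be written in minutes; what follows is an added example of that idea, not code from Dave Watts or from the thread. It uses the Windows Firewall (NetSecurity) cmdlets available on Windows 8 / Server 2012 and later as a stand-in for the IP Security Policy snap-in of the Windows 2000/2003 era the message refers to, so the commands differ but the policy is the same: deny everything inbound by default, allow only the ports the CF development server actually needs, shut off services that should not be listening, and then check what is still exposed. The subnet, workstation address, port list and the function names `Set-CfDevInboundPolicy`, `Disable-UnneededServices` and `Show-ExposedListeners` are all assumptions for the sake of the example.

```powershell
# Added example (not from the original message): a minimal host-based
# inbound policy for a Windows CF development server, using the
# NetSecurity cmdlets (Windows 8 / Server 2012 and later) in place of the
# Windows 2000/2003 IP Security Policy snap-in the reply refers to.
# Assumptions: the box needs TCP 80 (web) and 3389 (RDP) from the office
# subnet, and TCP 8300 (CF admin port, assumed) only from the developer's
# own workstation. Run in an elevated PowerShell session.

$OfficeSubnet   = '192.168.1.0/24'    # assumed office LAN
$DevWorkstation = '192.168.1.50'      # assumed developer workstation
$RulePrefix     = 'CFDev'

function Set-CfDevInboundPolicy {
    # Default-deny inbound on every profile; outbound is left open.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Remove any earlier copies of our rules so the script is idempotent.
    Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $allow = @(
        @{ Name = "$RulePrefix HTTP from office";      Port = 80;   From = $OfficeSubnet },
        @{ Name = "$RulePrefix RDP from office";       Port = 3389; From = $OfficeSubnet },
        @{ Name = "$RulePrefix CF admin from dev box"; Port = 8300; From = $DevWorkstation }
    )
    foreach ($r in $allow) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $r.From -Action Allow -Profile Any | Out-Null
    }
}

function Disable-UnneededServices {
    # Services a stand-alone CF dev box rarely needs; adjust to taste.
    # Stopping and disabling them removes the listener entirely, which is
    # the "shut down vulnerable services" option the reply mentions.
    foreach ($svc in 'RemoteRegistry', 'SSDPSRV', 'upnphost') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc -StartupType Disabled
        }
    }
}

function Show-ExposedListeners {
    # The check: list every TCP listener and flag whether one of our allow
    # rules covers it. Anything not flagged is reachable only if the
    # default-deny above is actually in effect.
    $allowed = (Get-NetFirewallRule -DisplayName "$RulePrefix *" |
        Get-NetFirewallPortFilter).LocalPort
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'AllowedByRule'; e = { $allowed -contains "$($_.LocalPort)" } } |
        Sort-Object LocalPort -Unique
}

Set-CfDevInboundPolicy
Disable-UnneededServices
Show-ExposedListeners | Format-Table -AutoSize
```

After running it, confirm the policy from a second machine rather than trusting the rule listing: `Test-NetConnection -ComputerName <server> -Port 80` from the office subnet should succeed, and the same test against 8300 from anywhere but the developer workstation should fail. The caveat that matches the reply's own point: this protects the host from attacks on ports it does not need, but it does nothing against an exploit delivered over an allowed port such as 80, so the web server and CF themselves still have to be kept patched.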


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243263
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4