Re: Server firewall software
Bryan Stevenson wrote:

> Can ya provide some insight here Dave... I took a look at the IP Security Policy GUI and honestly didn't know what I was looking at.

Don't use the GUI, use the command line tool. It is documented at the MS website and there are several example policies at webhostingtalk that will give you a decent start.

> I'm just not sure what I should block/allow?

You should first block everything and then allow the traffic you want. We cannot really help you with that since we do not know which traffic you want.

> Which is what I like about Win 2003... it leaves it all off by default.

You might want to look at OpenBSD if you want to know what secure by default really means. They have had only 1 remote root exploit in 8 years. I highly recommend trying it instead of some Linux when you set up one of your 'paperweights'.

Jochem

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243302 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Server firewall software
> Can ya provide some insight here Dave... I took a look at the IP Security Policy GUI and honestly didn't know what I was looking at. If it helps our setup is simple (and yes the network is small... dev web server, file server... 6 workstations). We are using DSL with a D-Link router. I'm just not sure what I should block/allow? I assume I do it by adding my own policies?

Well, the first step is to figure out what traffic you want to allow. As Jochem said, you'll want to deny everything, then specifically allow that traffic. So, what services do you host on that machine? What machines does that machine need to talk to, and why?

Let's say, for example, that you have a web/application server. You probably need access to some or all of the filesystem, although you may be able to limit that access to machines on your internal network. Your filesystem access might be through FTP, or CIFS (Windows Networking). Your web/app server, in turn, might need to access a SQL Server database server on your local network, and you might want to be able to download patches directly from MS to that server. So, that gives us a working list of services, from which we can determine a list of allowed ports, inbound and outbound.

Inbound:
  Web server - TCP/80, TCP/443 from everywhere
  File server - appropriate NetBIOS over IP ports, or DirectHost port, from internal network

Outbound:
  SQL Server - TCP/1433 to database server
  Windows Update - TCP/80, TCP/443 to MS update servers

Now, of course, it's very important to determine exactly what services your machine will provide, and what services it will need to use. For example, in the above case, your server wouldn't be able to find out the names of the database server, or the MS update servers, because we haven't included access to DNS. This might be intentional, in which case you'd have to figure out the appropriate IP addresses and put them directly on the server where needed.

Also, your server won't be able to ping any other machines, nor will it be pingable itself. Again, this might be intentional, but you need to be aware of it.

Here's a tutorial on how to use the GUI: http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

As Jochem mentioned, you can also do this with the netsh command-line tool, but I don't have a link handy for that.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243346
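The deny-everything-then-allow policy Dave lays out, built as a `netsh ipsec static` script for Windows Server 2003. This is an added example and not code from the thread, from Microsoft's documentation or from the linked tutorial. The policy name, the 192.168.1.0/24 LAN, the database server address 192.168.1.20 and the decision to let Windows Update out to any address are assumptions. The `lint` function flags the two side effects Dave warns about (no DNS, no ICMP) so they become a deliberate choice rather than a surprise.

```python
"""Default-deny Windows Server 2003 IPsec policy, emitted as a netsh script.

Added example (not from the thread). The rule set mirrors the worked case
in the message above; the policy name, LAN subnet, database address and
the any-address allowance for Windows Update are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

POLICY = "DevServer"  # assumed policy name


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str     # "in": peer -> this host; "out": this host -> peer
    proto: str         # "TCP", "UDP" or "ICMP"
    port: int = 0      # destination port for TCP/UDP; ignored for ICMP
    peer: str = "any"  # "any", one IP address, or a CIDR subnet


def _addr(peer: str, role: str) -> str:
    """Render a peer as netsh srcaddr/dstaddr (plus mask for a subnet)."""
    if peer == "any":
        return f"{role}addr=any"
    if "/" in peer:
        net = ipaddress.ip_network(peer, strict=True)
        return f"{role}addr={net.network_address} {role}mask={net.netmask}"
    ipaddress.ip_address(peer)  # reject typos; host names are deliberately not accepted
    return f"{role}addr={peer}"


def _filter(rule: Rule) -> str:
    if rule.proto not in ("TCP", "UDP", "ICMP"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if rule.direction == "in":
        src, dst = _addr(rule.peer, "src"), "dstaddr=me"
    elif rule.direction == "out":
        src, dst = "srcaddr=me", _addr(rule.peer, "dst")
    else:
        raise ValueError(f"direction must be 'in' or 'out', got {rule.direction!r}")
    ports = "" if rule.proto == "ICMP" else f" srcport=0 dstport={rule.port}"
    # mirrored=yes also matches the reply packets, so one permit for inbound
    # TCP/80 covers the server's responses.
    return (f'netsh ipsec static add filter filterlist="{rule.name}" '
            f"{src} {dst} protocol={rule.proto}{ports} mirrored=yes")


def build_script(rules: List[Rule], policy: str = POLICY) -> List[str]:
    """Return the netsh command lines: policy, actions, catch-all block, permits."""
    lines = [
        f'netsh ipsec static add policy name="{policy}" '
        f'description="default deny, explicit allow" assign=no',
        'netsh ipsec static add filteraction name="Permit" action=permit',
        'netsh ipsec static add filteraction name="Block" action=block',
        # Catch-all. IPsec applies the most specific matching filter, not the
        # first rule, so this any/any block loses to every port-specific permit.
        'netsh ipsec static add filterlist name="Block-All"',
        'netsh ipsec static add filter filterlist="Block-All" '
        'srcaddr=any dstaddr=me protocol=ANY mirrored=yes',
        f'netsh ipsec static add rule name="Block-All" policy="{policy}" '
        f'filterlist="Block-All" filteraction="Block"',
    ]
    for r in rules:
        lines.append(f'netsh ipsec static add filterlist name="{r.name}"')
        lines.append(_filter(r))
        lines.append(f'netsh ipsec static add rule name="{r.name}" policy="{policy}" '
                     f'filterlist="{r.name}" filteraction="Permit"')
    lines.append(f'netsh ipsec static set policy name="{policy}" assign=yes')
    return lines


def lint(rules: List[Rule]) -> List[str]:
    """Flag the side effects of a tight policy that are easy to forget."""
    warnings = []
    if not any(r.direction == "out" and r.port == 53 for r in rules):
        warnings.append("no outbound DNS (port 53): the server cannot resolve names, "
                        "so database and update hosts must be configured by IP")
    if not any(r.proto == "ICMP" for r in rules):
        warnings.append("no ICMP: the server can neither ping nor be pinged")
    return warnings


# Constructed sample matching the worked case above. Addresses are assumptions.
DEV_SERVER_RULES = [
    Rule("In-Web-80", "in", "TCP", 80, "any"),
    Rule("In-Web-443", "in", "TCP", 443, "any"),
    Rule("In-CIFS-445", "in", "TCP", 445, "192.168.1.0/24"),   # DirectHost SMB, LAN only
    Rule("Out-SQL-1433", "out", "TCP", 1433, "192.168.1.20"),  # assumed database server
    Rule("Out-Update-80", "out", "TCP", 80, "any"),    # update servers have no fixed IP,
    Rule("Out-Update-443", "out", "TCP", 443, "any"),  # so this is the usual compromise
]

if __name__ == "__main__":
    for w in lint(DEV_SERVER_RULES):
        print("WARNING:", w)
    print("\n".join(build_script(DEV_SERVER_RULES)))
```

Run the printed script in a cmd.exe on the server. Two points are worth keeping in mind: IPsec picks the most specific matching filter rather than the first rule, which is why the any/any block filter can coexist with the port-specific permits; and `mirrored=yes` makes each permit cover the reply packets, so one inbound TCP/80 filter is enough for a web server. Assign the policy from the console rather than over a remote session, since the sample has no remote-administration rule and the block takes effect the moment the policy is assigned.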
Re: Server firewall software
Thanks to Dave, Denny and Jochem for the IP Security Policy info... I see where it's going now and will peruse the tutorials etc to get the full picture.

Cheers

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642 fax: 250.480.1264 cell: 250.920.8830
e-mail: [EMAIL PROTECTED] web: www.electricedgesystems.com

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243378
RE: Server firewall software
Personally, I think all software firewalls are a POS. If you want a decent firewall grab a hardware firewall, or set up a linux server and use ipchains. For a dev server, it really depends on where you're hosting and what you're trying to protect it from. Most shops will be fine with just using the firewall that comes on your DSL router (i.e. NAT).

Russ

-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Monday, June 12, 2006 12:57 PM
To: CF-Talk
Subject: SOT: Server firewall software

> Hey All,
>
> Looking for server OS (specifically MS 2003 Standard Server) firewall software recommendations.
>
> FYI... it's for a dev server... so not quite as sensitive as a prod server
>
> TIA
>
> Cheers
>
> Bryan Stevenson B.Comm.
> VP Director of E-Commerce Development
> Electric Edge Systems Group Inc.

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243220
Re: Server firewall software
> Personally, I think all software firewalls are a POS. If you want a decent firewall grab a hardware firewall, or set up a linux server and use ipchains. For a dev server, it really depends on where you're hosting and what you're trying to protect it from. Most shops will be fine with just using the firewall that comes on your DSL router (i.e. NAT).
>
> Russ

Thanks Russ... and we already have it behind a D-Link Router... but I like extra protection. FYI ZoneAlarm catches ALL KINDS of stuff (including not allowing info to leak out or viruses/trojans etc to phone home) that the routers never catch. Unfortunately Zone Labs don't make a server OS firewall software.

And now a note to all others that may feel the way Russ does... I respect your opinions but I don't want to hear them as I'm after answers to my question ;-) I am asking specifically about server OS firewall software.

Cheers

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243222
RE: Server firewall software
My list of recommendations are:

Hope this helps.

Jacob

-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Monday, June 12, 2006 9:57 AM
To: CF-Talk
Subject: SOT: Server firewall software

> Looking for server OS (specifically MS 2003 Standard Server) firewall software recommendations. FYI... it's for a dev server... so not quite as sensitive as a prod server

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243226
Re: Server firewall software
Hey Jacob... Your list didn't come through. Maybe the mail server thought they were dangerous and removed them? :-)

On 6/12/06, Jacob [EMAIL PROTECTED] wrote:

> My list of recommendations are:
>
> Hope this helps.
>
> Jacob

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243227
Re: Server firewall software
> My list of recommendations are:
>
> Hope this helps.
>
> Jacob

Oh good... the stand up comics have arrived...

Thanks for your incredibly helpful post Jacob... I'll be sure to give you the same courtesy when you ask for some advice!!

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243228
RE: Server firewall software
I find that having both covers the areas where each is weak and takes advantage of both of their strengths. I didn't see the original posting... what OS are you using? What about Black Ice? I think that comes in a format for the server versions of Windows... not sure if it comes in Linux/Unix versions.

-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Monday, 12 June 2006 12:16
To: CF-Talk
Subject: Re: Server firewall software

> Thanks Russ... and we already have it behind a D-Link Router... but I like extra protection. FYI ZoneAlarm catches ALL KINDS of stuff (including not allowing info to leak out or viruses/trojans etc to phone home) that the routers never catch. Unfortunately Zone Labs don't make a server OS firewall software.
>
> And now a note to all others that may feel the way Russ does... I respect your opinions but I don't want to hear them as I'm after answers to my question ;-) I am asking specifically about server OS firewall software.
>
> Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243229
Re: Server firewall software
I realize you're after an answer for a software based firewall, but what we're trying to tell you in a not so helpful way is that it isn't recommended to put a software firewall on an OS. It adds overhead, can cause instability, and if you're that worried about malware sending things from your box then you have a bigger issue than a firewall will help. The recommended method is a hardware based firewall: put the server in a DMZ behind the firewall so it's not allowed to be touched with anything besides the agreed-upon open ports, and put antivirus on the computer. Keep up with updates and patches and your server will be just fine. Also, if you can, try to move different services to different servers so if there is a 0-day vulnerability it will only affect one server.

Bob Everland

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243232
Re: Server firewall software
> I find that having both covers the areas where each is weak and takes advantage of both of their strengths. I didn't see the original posting... what OS are you using? What about Black Ice? I think that comes in a format for the server versions of Windows... not sure if it comes in Linux/Unix versions.

My thinking exactly Eric... can't hurt to cover all the bases. The OS is MS 2003 Standard Server.

Black Ice... wow I haven't heard of that product in a long time (I switched to ZoneAlarm for the anti-leak abilities and its more solid program control about 4 years ago or more). I guess it may be time to re-investigate.

Cheers

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243233
RE: Server firewall software
> Looking for server OS (specifically MS 2003 Standard Server) firewall software recommendations. FYI... it's for a dev server... so not quite as sensitive as a prod server

I recommend that you consider using the IP security policy functionality built into Windows.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243234
Re: Server firewall software
> I realize you're after an answer for a software based firewall, but what we're trying to tell you in a not so helpful way is that it isn't recommended to put a software firewall on an OS. It adds overhead, can cause instability, and if you're that worried about malware sending things from your box then you have a bigger issue than a firewall will help. The recommended method is a hardware based firewall: put the server in a DMZ behind the firewall so it's not allowed to be touched with anything besides the agreed-upon open ports, and put antivirus on the computer. Keep up with updates and patches and your server will be just fine. Also, if you can, try to move different services to different servers so if there is a 0-day vulnerability it will only affect one server.
>
> Bob Everland

Thanks Bob... and we are doing most of that now... I'm simply paranoid and prefer to err on the side of caution... and being a DEV server, performance is less of an issue.

A note about my comments on Zone Alarm not allowing malware to phone home... I really could care less if it does, but I do like to at least help impede the flow of these things (like back in the days of NIMDA... trapped that sucker so it couldn't send itself out to others... just sat on my drive and self-replicated).

Cheers

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243235
RE: Server firewall software
> I realize you're after an answer for a software based firewall, but what we're trying to tell you in a not so helpful way is that it isn't recommended to put a software firewall on an OS. It adds overhead, can cause instability, and if you're that worried about malware sending things from your box then you have a bigger issue than a firewall will help. The recommended method is a hardware based firewall: put the server in a DMZ behind the firewall so it's not allowed to be touched with anything besides the agreed-upon open ports, and put antivirus on the computer. Keep up with updates and patches and your server will be just fine. Also, if you can, try to move different services to different servers so if there is a 0-day vulnerability it will only affect one server.

While all the things you recommend are important, host-based protection is also an important part of an overall network security policy.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243236
Re: Server firewall software
You forgot one other problem with software firewalls, Bob: since the firewall is installed on top of the OS it suffers from any/all vulnerabilities that are present in the OS itself.

On 6/12/06, Robert Everland III [EMAIL PROTECTED] wrote:

> I realize you're after an answer for a software based firewall, but what we're trying to tell you in a not so helpful way is that it isn't recommended to put a software firewall on an OS. It adds overhead, can cause instability, and if you're that worried about malware sending things from your box then you have a bigger issue than a firewall will help. The recommended method is a hardware based firewall: put the server in a DMZ behind the firewall so it's not allowed to be touched with anything besides the agreed-upon open ports, and put antivirus on the computer. Keep up with updates and patches and your server will be just fine. Also, if you can, try to move different services to different servers so if there is a 0-day vulnerability it will only affect one server.
>
> Bob Everland

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243237
Re: Server firewall software
I think that the Black Ice Server product supports only up to 2000 AS:
http://www.iss.net/find_products/server.php

You might check out the Tiny Firewall:
http://www.tinysoftware.com/home/tiny2?s=2583689172949511605A1pg=content05an=tf_comparisoncat=cat_tf6

Kerio WinRoute supports 2003 now as well:
http://www.kerio.com/kwf_requirements.html

Symantec Enterprise also works on 2003 Server:
http://www.symantec.com/Products/enterprise?c=prodinforefId=1303cid=1006

* Ken Ferguson 214.636.6126 *

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243238
Re: Server firewall software
> I recommend that you consider using the IP security policy functionality built into Windows.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Thanks Dave. Now is that the ability to lock down a NIC card to only accept connections from one (or a set of) IP? Do you know where this is located in Win 2003?

TIA

Cheers

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243240
RE: Server firewall software
> You forgot one other problem with software firewalls, Bob: since the firewall is installed on top of the OS it suffers from any/all vulnerabilities that are present in the OS itself.

That's not necessarily true, actually. The firewall may well block access to the vulnerability.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243242
Re: Server firewall software
Thanks Ken!!

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243241
RE: Server firewall software
Zone alarm is definitely better. I thought they had a server version though that you had to pay for or something like that. The only software firewall I have right now is the windows one. I am not too overly concerned about hacking... but then I am not running a server for business either hehehe. I was using Zone alarm for a while on my machine at home, but ended up taking it down as it was more trouble than it was worth at the time... it didn't seem to like World of Warcraft too much hehehe. The only server I admin now is my dev server in my home office ;-)

I do also have to agree that overall... hardware firewalls are much better and much more reliable; they also do miss a few of the features that software ones provide. I have not had the instability issues that people have mentioned, and well, any software you install adds overhead... that's a no-brainer. If you have a machine that can handle the extra overhead, why not take advantage of the extra protection ;-)

Speaking of firewalls and NAT and all this good router stuff... I am sure this is a simple solution (jinxed it huh? hehehe): I have port forwarding on my router so my dev server is available to the web... how do I make it so that when I enter the url to it, local machines behind the router can access it. Right now if I enter it, I get my router login. If anyone else were to hit it, they get the index on my dev box. I tried adding the domain with the local IP to my hosts file (WinXP), but that didn't have an effect.

Eric

-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Monday, 12 June 2006 12:54
To: CF-Talk
Subject: Re: Server firewall software

> My thinking exactly Eric... can't hurt to cover all the bases. The OS is MS 2003 Standard Server.
>
> Black Ice... wow I haven't heard of that product in a long time (I switched to ZoneAlarm for the anti-leak abilities and its more solid program control about 4 years ago or more). I guess it may be time to re-investigate.
>
> Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243243
RE: Server firewall software
> Now is that the ability to lock down a NIC card to only accept connections from one (or a set of) IP?

You can specify rulesets of all sorts, but yes.

> Do you know where this is located in Win 2003?

Administrative Tools ... Local Security Policy via the GUI, or secpol.msc from the command line. I will warn you, though; the interface is quite unintuitive.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243245
Re: Server firewall software
Thanks again Dave... I'll check that out.

Cheers

Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243249
RE: Server firewall software
Enough of my smart comments... ;D

I have tried Windows built-in firewall, Zone Alarm, and another software firewall (do not remember what it was) over the past year. All three tests told me that software firewalls on a server are nothing but a pain in the rear. So, I can not recommend anything that works on a server.

On XP desktops, I do not have a problem with the Windows built-in software. But this is not used as a server.

-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Monday, June 12, 2006 10:43 AM
To: CF-Talk
Subject: Re: Server firewall software

> Oh good... the stand up comics have arrived...
>
> Thanks for your incredibly helpful post Jacob... I'll be sure to give you the same courtesy when you ask for some advice!!
>
> Bryan Stevenson

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243250
Re: Server firewall software
> Enough of my smart comments... ;D

No worries... I'm having a Monday and just wasn't up for it ;-)

Well I've got a good list of software solutions to check out, but I've also gleaned a few new things from the hardware standpoint... now the painful part of trying it all commences!!

If anyone cares... I swear by ZoneAlarm for desktops... occasionally it's a PITA, but that happens with all software ;-)

Cheers

Bryan Stevenson

----- Original Message -----
From: Jacob [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Monday, June 12, 2006 12:00 PM
Subject: RE: Server firewall software

> Enough of my smart comments... ;D
>
> I have tried Windows built-in firewall, Zone Alarm, and another software firewall (do not remember what it was) over the past year. All three tests told me that software firewalls on a server are nothing but a pain in the rear. So, I can not recommend anything that works on a server.
>
> On XP desktops, I do not have a problem with the Windows built-in software. But this is not used as a server.

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243253
RE: Server firewall software
> I have tried Windows built-in firewall, Zone Alarm, and another software firewall (do not remember what it was) over the past year. All three tests told me that software firewalls on a server are nothing but a pain in the rear. So, I can not recommend anything that works on a server.

Managing servers in general is a pain in the rear. That said, IP security policies are quite easy to manage, as long as you know exactly what traffic you want to allow to and from that server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:243257
RE: Server firewall software
Personally I would install a separate Linux server (you can use it as a mail server, file server, or multitude of other uses), and use the iptables firewall on there to manage the connections to your prd (or dev) web server. Iptables is one of the best firewalls out there, and if there is an exploit for the OS (which might kill your Windows server, whether or not it has a firewall on it), at least you have 2 levels of protection here. First they would have to root your Linux server, and then hack your Windows box. 2 separate OS's are more secure than plain old W1nbl0w$.

Russ
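What Russ's separate Linux box would actually run, as an added example (this is not code from Russ or from anyone on the list): a default-deny iptables ruleset for a two-NIC gateway. It assumes a layout where the dev server sits alone on a segment behind the second NIC, so that every packet to or from it crosses the firewall (if the server shares the office switch with the workstations, LAN traffic to it never passes through a gateway at all). The interface names, the 192.168.x addresses, the SQL Server and the DNS host are all made up for illustration; the allow list follows the services discussed in this thread: HTTP/HTTPS inbound from anywhere, CIFS/NetBIOS from the office LAN only, and SQL Server, DNS and HTTP/HTTPS for Windows Update outbound from the server.

```shell
#!/bin/sh
# Added example (not Russ's or the list's code): default-deny iptables ruleset
# for a two-NIC Linux box between the office LAN (with the D-Link router) and a
# dedicated segment holding only the Windows dev web/file server.
# All names, interfaces and addresses below are assumptions for illustration.
LAN_IF=eth0                # office side: D-Link router, workstations, SQL Server
DMZ_IF=eth1                # dedicated segment holding the Windows dev server
LAN_NET=192.168.0.0/24     # office LAN
WEB_SRV=192.168.1.10       # dev web/file server on the DMZ side
SQL_SRV=192.168.0.20       # SQL Server on the office LAN
DNS_SRV=192.168.0.1        # the router answers DNS for the LAN

# Print the ruleset in iptables-restore format instead of applying it rule by
# rule: the whole set is reviewed (and versioned) as one file and loads atomically.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback, replies to its own traffic, SSH from the LAN only, rate-limited ping.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
# Forwarded traffic: stateful core first, then one rule per service actually needed.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound to the web server: HTTP/HTTPS from anywhere (the router port-forwards 80/443 here).
-A FORWARD -o $DMZ_IF -d $WEB_SRV -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# CIFS/NetBIOS file sharing on the same box: office LAN only, never from the router side.
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $WEB_SRV -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $WEB_SRV -p udp -m multiport --dports 137,138 -j ACCEPT
# Outbound from the web server: SQL Server, DNS, and HTTP/HTTPS off-LAN for Windows Update.
-A FORWARD -i $DMZ_IF -s $WEB_SRV -d $SQL_SRV -p tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -s $WEB_SRV -d $DNS_SRV -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ_IF -s $WEB_SRV -d $DNS_SRV -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -s $WEB_SRV ! -d $LAN_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Anything else is logged (rate-limited) and then dropped by the chain policy.
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Refuse to load a ruleset that is not default-deny on INPUT and FORWARD.
lint_rules() {
  for chain in INPUT FORWARD; do
    gen_rules | grep -q "^:$chain DROP" || { echo "lint: $chain policy is not DROP" >&2; return 1; }
  done
}

# Load atomically on the gateway (needs root and net.ipv4.ip_forward=1).
apply_rules() {
  lint_rules || return 1
  gen_rules | iptables-restore
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it with no argument to print the ruleset for review, or with `apply` as root to load it. The D-Link router still has to forward 80/443 toward the firewall and route the DMZ subnet through it, and, as Dave points out later in the thread, a box like this does not replace host-based filtering on the Windows server itself.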
Re: Server firewall software
Personally I would install a separate Linux server (you can use it as a mail server, file server, or multitude of other uses), and use the iptables firewall on there to manage the connections to your prd (or dev) web server. Iptables is one of the best firewalls out there, and if there is an exploit for the OS (which might kill your Windows server, whether or not it has a firewall on it), at least you have 2 levels of protection here. First they would have to root your Linux server, and then hack your Windows box. 2 separate OS's are more secure than plain old W1nbl0w$. Russ

Funny... our resident Linux martyr said the same thing... may give it a whirl Russ... thanks.

I think in the very short term we'll look at Windows IP security to get by... then perhaps fire up Linux on one of the older paperweights... errr... desktops and try the iptables approach.

Thanks all for the suggestions (even the hardware ones) folks... great info as usual... and so far nobody has lost an eye in the debate ;-)

Cheers

Bryan Stevenson B.Comm. VP Director of E-Commerce Development Electric Edge Systems Group Inc. phone: 250.480.0642 fax: 250.480.1264 cell: 250.920.8830 e-mail: [EMAIL PROTECTED] web: www.electricedgesystems.com
Re: Server firewall software
On 6/12/06, Russ [EMAIL PROTECTED] wrote: Personally I would install a separate linux server (you can use it as a mail server, file server, or multitude of other uses), and use the iptables firewall on there to manage the connections to your prd (or dev) web server.

While I'm not going to say that a Linux server would definitely meet your needs better than something Windows based, I will say that if anyone is looking to try that out, there is a very nice package out there called ClarkConnect... http://www.clarkconnect.com/

It is a version of CentOS (which is based off of Redhat Enterprise Linux), that has a very nice browser based interface for managing a packaged set of programs. If you have an old machine and a couple of NICs sitting around, it is definitely worth a spin. I have it working as my firewall/gateway/file server/backup server/proxy-content filter/vpn (also has mail, http, ftp, etc... and you could probably install BD or MX on it!)

-- Jim Wright Wright Business Solutions [EMAIL PROTECTED] 919-417-2257
RE: Server firewall software
Personally I would install a separate Linux server (you can use it as a mail server, file server, or multitude of other uses), and use the iptables firewall on there to manage the connections to your prd (or dev) web server. Iptables is one of the best firewalls out there, and if there is an exploit for the OS (which might kill your Windows server, whether or not it has a firewall on it), at least you have 2 levels of protection here. First they would have to root your Linux server, and then hack your Windows box. 2 separate OS's are more secure than plain old W1nbl0w$.

And personally, that might be the best solution for you. I think that, given the appropriate time and knowledge, it might be an important part of a complete solution for most people, especially given the nice Linux dedicated firewall distros like Smoothwall, ClarkConnect as Jim mentioned, Astaro, etc.

But that still doesn't solve Bryan's immediate problem, which is protecting his host. Having a dedicated firewall is a good thing, but it is not a substitute for appropriate host-based security unless you have a very, very small network. And, if you do have a very, very small network, you can create an IP security policy for a host in a few minutes (if you know how) or an hour (if you don't), then wait until next week or whenever to build a Linux server.

And, if you don't know how to install, secure and manage Linux, you might not be any better off than you were when you started. Many, many people who manage CF development servers running on Windows would fall within this category. Using your Linux server as anything other than a dedicated firewall (such as using it as a mail server, file server, or using any of the multitude of other services available) makes this quite problematic as well.

Finally, there have historically been very few Windows OS exploits that couldn't be prevented using a host-based firewall (or even just shutting down vulnerable services that you don't usually need anyway).
Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
Re: Server firewall software
But that still doesn't solve Bryan's immediate problem, which is protecting his host. Having a dedicated firewall is a good thing, but it is not a substitute for appropriate host-based security unless you have a very, very small network. And, if you do have a very, very small network, you can create an IP security policy for a host in a few minutes (if you know how) or an hour (if you don't), then wait until next week or whenever to build a Linux server.

Can ya provide some insight here Dave... I took a look at the IP Security Policy GUI and honestly didn't know what I was looking at. If it helps, our setup is simple (and yes the network is small... dev web server, file server... 6 workstations). We are using DSL with a D-Link router. I'm just not sure what I should block/allow? I assume I do it by adding my own policies?

Finally, there have historically been very few Windows OS exploits that couldn't be prevented using a host-based firewall (or even just shutting down vulnerable services that you don't usually need anyway).

Which is what I like about Win 2003... it leaves it all off by default.

TIA

Cheers

Bryan Stevenson B.Comm. VP Director of E-Commerce Development Electric Edge Systems Group Inc. phone: 250.480.0642 fax: 250.480.1264 cell: 250.920.8830 e-mail: [EMAIL PROTECTED] web: www.electricedgesystems.com
Re: Server firewall software
I wish I remembered what the number of the MS test I took was. 214? 219? Network administration or some such. At any rate, you can go out and grab some of those testbusters or whatnot prep exams (the free ones) aimed at that test, and run through them a couple of times, and you'll learn all you need to know, so to speak. Lots of good stuff, really. Amazing things you can do with policies and whatnot, really.

OS X is better tho. ;-P (pure joke)

:Denner

Can ya provide some insight here Dave... I took a look at the IP Security Policy GUI and honestly didn't know what I was looking at. If it helps, our setup is simple (and yes the network is small... dev web server, file server... 6 workstations). We are using DSL with a D-Link router.