Full Disclosure mailing list archives

Re: Firewall solution for Windows 2003 Server


From: "Lee" <cheekypeople () sec33 com>
Date: Sat, 24 Apr 2004 21:48:01 +0100

Are you suggesting that the win2003 server will be the point of contact for
the Internet? Is this a wise choice or just a product of your setup?

I don't like application layer firewalls, they fill me with dread, yes the
displays are nice, but that doesn't mean it can't be achieved elsewhere.

I would prefer to point you in the direction of Smoothwall, and IPCOP (both
are free). They run on small Pentium boxes, separate to the win2003 server
and offer excellent protection and performance.  You can even just set up a
nice FreeBSD box with simple ipchains packet filtering if needs be, but
those two suggested would be a nice step in the right direction.

Any ideas on amounts you have to spend? That obviously sways a decision
somewhat, but I still like to stay away from desktop application layer
firewalls.

Hope that helps.

Kind Regards


Lee @ STS
http://www.seethrusec.co.uk
Building Knowledge and Security..


----- Original Message ----- 
From: "Irwan Hadi" <irwanhadi () phxby com>
To: "Ondrej Krajicek" <krajicek () ics muni cz>
Cc: <full-disclosure () lists netsys com>
Sent: Saturday, April 24, 2004 8:44 PM
Subject: Re: [Full-disclosure] Firewall solution for Windows 2003 Server


On Sat, Apr 24, 2004 at 06:18:50PM +0200, Ondrej Krajicek wrote:

Greetings to all disclosers ;),

I would like to see your opinion on currently available firewall
products for Windows Server 2003. I am looking for simple
firewall solution as an _additional_ protection measure
for our servers.

We all surely know about poor Windows logging (when it comes
to information coverage). I want a simple packet filter
running as a service logging everything. I was happy with
Kerio Personal Firewall, but Kerio no longer supports
Windows servers with this product.

I do not need router capabilities, just local packet filter.

Could someone recommend me something? Preferably without,
nice overcomplicated GUI is not a requirement
(and I hope it could be avoided :).

I'm using Visnetic Firewall (from deerfield.com) on all of my Windows
servers, and probably on all of my Windows clients pretty soon. One thing I
like from Visnetic is:
- It is just a packet filter. It doesn't do any application level filtering,
which is a good thing for a server. Who would keep watching the console of
the server for a popup generated by a firewall asking "do you want to allow
this application to send packets to that destination"?
- As far as I know, since it is simple, it hasn't had any security issues,
like Zone Alarm did, Kerio did, and the funniest one was Blackice, which was
exploited by the Witty worm. My principle is, a firewall is supposed to
protect the system it's protecting. If a firewall, since it is made quite
complex with all kinds of unnecessary features, then has some
vulnerabilities in it, and instead of protecting its host is now threatening
its host, then what good does it have?
- It is now configurable both by GUI and command line
- Has sequence number hardening and tarpit

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


