[thelist] Best SERVER Software Firewall

Ken Schaefer ken at adOpenStatic.com
Sun Nov 16 18:23:54 CST 2003


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Joshua Olson" <joshua at waetech.com>
Subject: [thelist] Best SERVER Software Firewall


: The thread about the personal firewall got me thinking.  I'm
: looking at some dedicated hosting at a place and they offer
: separate hardware based firewall options.  The HW FW option
: is quite expensive and I'm hoping to find an alternative.  I talked
: with them and they say they usually tweak MS Windows
: 2003's internal settings to block out unwanted traffic and
: they said it works well.  A couple Windows gurus I recently
: spoke to said that there's no good way for Windows to natively
: firewall itself.  How about some of these personal firewalls,
: zone alarm, etc?  Are any of them good enough/fast
: enough to be viable on a web server? What about if the
: webserver is behind a decent size pipe (eg, 5-10 mbit)?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Who are these "Windows Gurus" that you have spoken to, and what was the
exact question/answer (and context)?

IPSec, for example, is supported in Windows 2000 and Windows 2003, and can
give you very good protection (barring possible vulnerabilities in the
implementation), so whoever told you that there's "no good way" is either
qualifying their comments, or doesn't know what they're talking about (an
example of a qualification would be that IPSec isn't a firewall in a literal
sense).

Windows Server 2003 also comes with the built-in ICF as well, which, again,
may be "good enough" for you (though I would look at IPSec first).

Personally, I feel that the common SOHO type "Personal" software firewalls
(eg ZoneAlarm) do not give you enough flexibility to be able to configure
them appropriately for a server (given that you want to open a number of
ports). Most are designed for people who need to secure a client machine (ie
not allow incoming connections, but allow some applications outbound access
to the 'net). A lot don't give you much granularity either (for example, you
can specify that your email app can go out onto the 'net, but you can't say
that:
- email app can connect to pop3.myDomain.com port 110
- email app can connect to smtp.myDomain.com port 25
- deny access to everything else (eg everything port 80 to stop web-bugs
embedded in HTML mail)

You need to look at the more sophisticated products (though still "Personal"
products), such as Sygate's product (www.sygate.com), Kerio's Personal
Firewall product (not supported on Windows 2003 Server yet) (www.kerio.com)
or Tiny Software's (www.tinysoftware.com/) firewall product. Each of these
allows you to nominate an application/executable, and which IP
addresses/subnets can access (or are barred access) to which local and
remote ports, for which protocol (UDP/TCP/ICMP) inbound and or outbound.

That said, I believe that a separate hardware device (whether dedicated like
a Cisco PIX, or application layer like Microsoft's ISA server) provides a
more robust, and secure environment (however you need to weigh up whether
you can afford the cost!)

HTH

Cheers
Ken

Microsoft MVP - Windows Server (IIS)
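As an added example (not part of Ken's post): the "allow a few ports, deny everything else" pattern he recommends looking at IPSec for, expressed with the Windows Server 2003 `netsh ipsec static` context. All addresses and the policy/list names are constructed for illustration; adjust them for your host. Note what this can and cannot do: the filters work at IP/port/protocol level only, so the per-application rules Ken wants from the better personal firewalls ("email app may reach pop3.myDomain.com:110") are not expressible here.

```batch
@echo off
rem Added example (not from the original post): a server-side packet filter
rem built with the Windows Server 2003 "netsh ipsec static" context.
rem Assumptions (constructed): the box is a public web server exposing
rem TCP 80/443, administered over RDP (TCP 3389) from one management
rem address, and needing outbound DNS to one resolver.

set POLICY=WebServerLockdown
set MGMT_IP=192.0.2.10
set DNS_IP=192.0.2.53

rem 1. A policy object to hang rules on.
netsh ipsec static add policy name="%POLICY%" description="Packet filter for public web server"

rem 2. Filter actions: plain permit and plain block, no IKE negotiation.
netsh ipsec static add filteraction name="PermitAction" action=permit
netsh ipsec static add filteraction name="BlockAction" action=block

rem 3. Filter lists. "me" = any address of this host, "any" = all addresses,
rem    srcport=0 = any source port. mirrored=yes also matches the reply
rem    packets, which matters because IPsec filtering is stateless and will
rem    not track connections for you.
netsh ipsec static add filterlist name="WebInbound"
netsh ipsec static add filter filterlist="WebInbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="WebInbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

netsh ipsec static add filterlist name="AdminInbound"
netsh ipsec static add filter filterlist="AdminInbound" srcaddr=%MGMT_IP% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

netsh ipsec static add filterlist name="DnsOutbound"
netsh ipsec static add filter filterlist="DnsOutbound" srcaddr=me dstaddr=%DNS_IP% protocol=UDP srcport=0 dstport=53 mirrored=yes

rem Catch-all: everything to or from this host, any protocol.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes

rem 4. Rules binding lists to actions. More specific filters take precedence
rem    over less specific ones, so the permit filters above win wherever
rem    they match and the catch-all block covers the remainder.
netsh ipsec static add rule name="AllowWeb"   policy="%POLICY%" filterlist="WebInbound"   filteraction="PermitAction"
netsh ipsec static add rule name="AllowAdmin" policy="%POLICY%" filterlist="AdminInbound" filteraction="PermitAction"
netsh ipsec static add rule name="AllowDns"   policy="%POLICY%" filterlist="DnsOutbound"  filteraction="PermitAction"
netsh ipsec static add rule name="BlockRest"  policy="%POLICY%" filterlist="AllTraffic"   filteraction="BlockAction"

rem 5. Assign the policy (only one local IPsec policy is active at a time).
netsh ipsec static set policy name="%POLICY%" assign=y

rem Verify what is actually in force before leaving the console.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Run it from an administrative command prompt on the server itself, and keep an out-of-band path (console or remote KVM) available the first time: a typo in the management address locks you out of RDP immediately once the policy is assigned. Because the filters are stateless, the outbound DNS rule is what makes the server's own lookups work; anything the server must initiate that is not listed (Windows Update, time sync, SMTP relay) needs its own permit filter before the catch-all block applies.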


