[thelist] Best SERVER Software Firewall

Joshua Olson joshua at waetech.com
Sun Nov 16 19:31:24 CST 2003


----- Original Message ----- 
From: "Ken Schaefer" <ken at adOpenStatic.com>
Sent: Sunday, November 16, 2003 7:23 PM

Ken,

Thank you for your responses.


> Who are these "Windows Gurus" that you have spoken to, and what was the
> exact question/answer (and context)?

I don't think the names would mean anything to you.  The context was
actually when discussing using something like Zone Alarm vs configuring
Windows to perform the same actions.  They basically said that using the
Windows settings for filtering (or whatever other tools came with the OS
that I may not know) is not a good substitute for a hardware solution or
even a software solution such as Zone Alarm.

> IPSec, for example, is supported in Windows 2000 and Windows 2003, and can
> give you very good protection (barring possible vulnerabilities in the
> implementation), so whoever told you that there's "no good way" is either
> qualifying their comments, or doesn't know what they're talking about (an
> example of a qualification would be that IPSec isn't a firewall in a literal
> sense).

IPSec is used for encryption of the IP Packet and is used primarily for
tunnelling, is it not?  If I'm right and IPSec is for encryption, then it's
not applicable in this case.  If I'm misunderstanding IPSec, then I'd love
to see a quick'n'dirty reference for what it's all about.

> Windows Server 2003 also comes with the built-in ICF as well, which, again,
> may be "good enough" for you (though I would look at IPSec first).

I'll have to look this one over.

> You need to look at the more sophisticated products (though still "Personal"
> products), such as Sygate's product (www.sygate.com), Kerio's Personal
> Firewall product (not supported on Windows 2003 Server yet) (www.kerio.com)
> or Tiny Software's (www.tinysoftware.com/) firewall product. Each of these
> allows you to nominate an application/executable, and which IP
> addresses/subnets can access (or are barred access) to which local and
> remote ports, for which protocol (UDP/TCP/ICMP) inbound and/or outbound.

Thank you for the list.  Any experiences with them?

> That said, I believe that a separate hardware device (whether dedicated like
> a Cisco PIX, or application layer like Microsoft's ISA server) provides a
> more robust, and secure environment (however you need to weigh up whether
> you can afford the cost!)

Agreed, 100%.

> HTH

It does, immensely.  Thank you.

<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com
706.210.0168


