#1
Is software firewall necessary if hardware is available?
Hi! I have been having a lot of trouble getting the personal firewall of (Norton Internet Security) to work with IIS server. With the PF turned off all is OK. It's fine through my router and with my shared DSL connection, but once it's on, both IE and my FTP client just time out. I have a D-Link router with a built-in firewall. Is this good enough? Am I just going through all this for overkill? I have the virus scanner/adware scanner/spyware scanner, and all is fine right now. What do you guys think?
#2
Adding to both responses: defense in depth is critical, and NO, your D-Link firewall is not enough. I suggest a true appliance firewall. Depending on your budget and number of users, you can get away with an SMB firewall like a Netscreen, Cisco PIX, or Nokia firewall for your network defense. I suggest a host firewall on your IIS server. And I suggest URLScan to proactively defend your IIS server. There are no shortcuts to security, especially on an Internet-facing Web server.
#3
Hi! Thanks for the response. What do you suggest as a host firewall for my IIS server? What is URLScan and where can I look for the software? What is an SMB?
#4
Hi! Thanks for the response. The docs tell how to set up FTP software. If it does not support it, then why have the docs on it? I am running Win XP Pro SP2, not Server.

"Leythos" wrote in message ...
> On Mon, 14 Feb 2005 03:31:28 -0500, paul dallaire wrote:
>> Hi! I have been having a lot of trouble getting the personal firewall of (Norton Internet Security) to work with IIS server. With the PF turned off all is OK. It's fine through my router and with my shared DSL connection, but once it's on, both IE and my FTP client just time out.
>
> NIS was not designed to be run on a server.
>
>> I have a D-Link router with a built-in firewall. Is this good enough? Am I just going through all this for overkill?
>
> Your D-Link router is probably just a NAT box and not really a firewall. The router will allow you to pass 80/444/FTP ports through to the server, but it's not going to do much in the way a firewall would.
>
>> I have the virus scanner/adware scanner/spyware scanner, and all is fine right now. What do you guys think?
>
> I suspect that you don't have a server-quality virus scanner installed, just a client virus scanner; you've probably not run the MBSA to determine if the machine is locked down, probably not disabled services you don't want people using, and you should have renamed the Administrator account and forced LARGE NASTY passwords on all accounts on this box. Look at some of the MS articles on securing a web server and make sure you follow their directions or you're going to have a compromised machine in short time.
>
> --
> remove 999 in order to email me
#5
Responses below.

"paul dallaire" wrote:
> Hi! Thanks for the response. What do you suggest as a host firewall for my IIS server?

It depends on whether your Web server is in a DMZ (protected network behind a firewall but isolated from your intranet) or connected to your internal network. If it's in a DMZ, the appliance firewall is good enough for starters. This would be good enough for most networks. An added layer of host firewall would help on your Web server if there are other devices in the DMZ. If one of those devices ever got hacked, you know that the Web server has another firewall to defend against attacks from its neighboring DMZ servers. If you go this uber-secure route, Windows 2003 has a built-in firewall that can block ingress (inbound) attacks. That should do it. Although you could go nuts and run a CheckPoint or other similar Enterprise-class firewall right on that system, BUT it's not worth it.

> What is URLScan and where can I look for the software?

It has saved a bunch of my clients' booties and is an awesome Microsoft FREE application (if only Apache had this software):
http://www.microsoft.com/technet/sec...s/urlscan.mspx

Description of both tools:
http://www.securityfocus.com/infocus/1755
http://www.microsoft.com/technet/sec.../locktool.mspx

> What is an SMB?

Small-Medium Business
#7
OK, since I am not sure if it is a DMZ, here is my configuration. Tell me what it is. My DSL modem's main connection Rs2/32 is plugged into the main port in my D-Link 604 router (Internet Broadband Router). Then the other 2 computers are coming out of the router's child ports. The first computer, running WinXP Pro, was used to create the network disk to configure the Win98 computer. Both computers are sharing resources and are networked together. Both computers are sharing the modem through the router. BUT it's the WinXP Pro that starts the DSL modem connection. (In other words, if the WinXP Pro computer goes down then the Win98 computer can NO longer connect to the internet.) With this explanation, what is this configuration called? Is this a DMZ? What firewall software could be used to help me if needed at first?
#8
To answer your original question (Is software firewall necessary if hardware is available?): you already have a hardware firewall, the D-Link 604, and *maybe* you need one on the XP machine if it's running IIS, but I would at least run URLScan on your IIS server.

You're on a DSL network and it sounds like it's for your small business or home. I don't suggest anything super expensive, but effective. The DLink is OK for home use as a firewall, but it's the bare minimum as firewalls go. Check eBay for Netscreen-5, Sonicwall, etc. for decent business-class firewalls for small-medium business.

For the XP system running IIS, the XP SP2 firewall is sufficient, but know that it will only protect you from ingress (inbound) threats. Once you get malware on that system, it can talk out of it all day long. At that point, you switch to a more powerful software firewall meant for servers.

For your recent question about the DMZ:

1. No, you do not have a DMZ. Typical DMZs look like:

Multi-homed Firewall/DMZ Design

    Internet---FW--intranet
                |
               DMZ

OR

Sandwich DMZ Design

    I---FW--DMZ--FW--i

You have neither, you have:

    I--FW (DLink)--i      (where your XP/IIS server and 98 systems are)

Your server is directly connected to your end systems and cannot be isolated by the hardware firewall. This is the reason why people are saying to add a software firewall: isolation and threat mitigation.

There are a ton of great firewall books that you may want to read. Good luck! Hope this helps.
#9
Hi! What would you suggest as a more powerful software firewall meant for servers? If you can, give me a few program names for me to check out.
#10
Hi! Why would you call the D-Link a NAT box? Why would they list it as a router? Can you explain? I don't understand. I do understand now about isolating the two. What would you recommend as a good router that is low price but good for my situation as a starter? I will in the future get a good hardware firewall, but for now I would like decent protection. Another thing: if I do get another good router, can I still use the D-Link's firewall between the LAN part as the other more advanced firewall filters the IIS server's connections and other public connections?

"Leythos" wrote in message ...
> On Mon, 14 Feb 2005 12:11:17 -0500, paul dallaire wrote:
>> Hi! Thanks for the response. The docs tell how to set up FTP software. If it does not support it, then why have the docs on it? I am running Win XP Pro SP2, not Server.
>
> I had a suspicion that you were running a workstation instead of a server. You're still in the same boat; you also risk your other computers should the public one become compromised.
>
> Your 604 router is just a simple NAT box with no real firewall installed and no means to have two network segments. We would call one segment the LAN and the other the DMZ; typically there is no or little connection between the DMZ and the LAN, and your non-public computers sit in the LAN segment. With this type of setup your computers in the DMZ can't reach the computers in the LAN should a DMZ computer become compromised.
>
> There are ways to build a cheap LAN/DMZ, but you need two routers:
>
>     INTERNET
>        |
>     ROUTER 1
>        |
>     DMZ SEGMENT   192.168.0.0/24
>        |
>     ROUTER 2
>        |
>     LAN SEGMENT   192.168.1.0/24
>
> In this setup your LAN computers are able to access the DMZ WEB/FTP computers, but, unless you make ports back into ROUTER 2, the DMZ computers can't reach the LAN segment. All computers can reach the Internet through the routers.
>
> Now, you do understand that your workstation is limited to 10 sessions at a time, meaning that your web site is very limited in how many users can access it?
>
> You might also want to consider using something other than the built-in MS FTP service. Take a look at FileZilla; it's an open-source FTP server that runs on the Windows platform and is much easier and more feature-rich than the MS FTP service, and it doesn't require a Windows user account, since you're not going to allow anonymous access to the FTP site (it would be bad to allow FTP write access to the world). FileZilla Server can be found here: http://filezilla.sourceforge.net/
>
> --
> remove 999 in order to email me
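Phil's post (#8) and the Leythos reply quoted just above make the same point from two directions: with one NAT router both machines share a segment and nothing in the path can stop a compromised IIS box from reaching its neighbour, whereas two NAT routers in series only let a connection cross a router in the direction its port-forward rules allow. The block below is an added example, not code from the thread or from any vendor: a small Python model of both layouts using the diagram's subnets (192.168.0.0/24 DMZ, 192.168.1.0/24 LAN). The host addresses, the ports forwarded (80 and 21 to the IIS box) and the simplification that a consumer NAT box passes every outbound connection and only explicitly forwarded inbound ones are assumptions made for this example.

```python
import ipaddress

# Topology from the quoted diagram, as an added example:
#   INTERNET -- ROUTER 1 -- DMZ 192.168.0.0/24 -- ROUTER 2 -- LAN 192.168.1.0/24
# Host addresses below are assumptions for this example, not from the thread.
DMZ = ipaddress.ip_network("192.168.0.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
IIS_BOX = "192.168.0.10"        # the XP Pro box running IIS/FTP (assumed)
WIN98_BOX_LAN = "192.168.1.20"  # the Win98 box when placed behind ROUTER 2
WIN98_BOX_FLAT = "192.168.0.20" # the Win98 box in the poster's current flat layout


class NatRouter:
    """A consumer NAT router as characterised in the thread: anything on the
    inside may initiate outward; a connection arriving from the outside
    reaches an inside host only through an explicit port-forward rule.
    Stateful reply traffic is implied and not modelled separately."""

    def __init__(self, name, inside_nets, forwards=None):
        self.name = name
        self.inside_nets = inside_nets   # every network that sits behind this router
        self.forwards = forwards or {}   # dst_port -> inside host that receives it

    def _inside(self, ip):
        return any(ip in net for net in self.inside_nets)

    def decide(self, src, dst, dst_port):
        """Return None if the flow never crosses this router, else (ok, why)."""
        src_in, dst_in = self._inside(src), self._inside(dst)
        if src_in == dst_in:
            return None                  # both sides on the same side of the box
        if src_in:
            return True, "%s: outbound from inside, NAT passes it" % self.name
        target = self.forwards.get(dst_port)
        if target is not None and ipaddress.ip_address(target) == dst:
            return True, "%s: port %d forwarded to %s" % (self.name, dst_port, target)
        return False, "%s: inbound to %s:%d has no forward rule" % (self.name, dst, dst_port)


def evaluate(routers, src, dst, dst_port):
    """Walk the routers from the Internet inward; the first refusal wins.
    Returns (allowed, list_of_reasons)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    for router in routers:
        verdict = router.decide(src, dst, dst_port)
        if verdict is None:
            continue
        ok, why = verdict
        reasons.append(why)
        if not ok:
            return False, reasons
    if not reasons:
        reasons.append("same segment, no router in the path")
    return True, reasons


# Leythos's two-router design: ROUTER 1 publishes 80/21 to the IIS box,
# ROUTER 2 publishes nothing, so DMZ hosts cannot open connections into the LAN.
TWO_ROUTER = [
    NatRouter("ROUTER 1", [DMZ, LAN], forwards={80: IIS_BOX, 21: IIS_BOX}),
    NatRouter("ROUTER 2", [LAN]),
]

# What the original poster has: one D-Link 604 with both machines behind it.
FLAT = [NatRouter("DLink 604", [DMZ], forwards={80: IIS_BOX, 21: IIS_BOX})]


def compromised_iis_can_reach_win98(topology, win98_ip):
    """The question the thread keeps returning to: if the public IIS box is
    owned, can it open SMB (tcp/139) to the other machine?"""
    return evaluate(topology, IIS_BOX, win98_ip, 139)[0]


if __name__ == "__main__":
    for label, topo, win98 in (("flat", FLAT, WIN98_BOX_FLAT),
                               ("two-router", TWO_ROUTER, WIN98_BOX_LAN)):
        ok, why = evaluate(topo, IIS_BOX, win98, 139)
        print("%-10s IIS -> Win98 tcp/139: %s  (%s)"
              % (label, "ALLOWED" if ok else "blocked", "; ".join(why)))
    ok, why = evaluate(TWO_ROUTER, "203.0.113.5", IIS_BOX, 80)
    print("two-router Internet -> IIS tcp/80: %s  (%s)"
          % ("ALLOWED" if ok else "blocked", "; ".join(why)))
```

Running it shows tcp/139 from the IIS box to the Win98 box allowed in the flat layout and refused at ROUTER 2 in the two-router layout, while Internet to IIS on tcp/80 still arrives through ROUTER 1's forward. The model also makes Phil's egress caveat visible: a compromised DMZ host can still initiate outbound to the Internet, because a NAT router does nothing to stop that.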
#11
ISA Server, for one.

Personally, I don't use software firewalls alone on servers.

Matt Gibson - GSEC
#12
It depends on the application.

Are you a Small-Medium Business or SOHO? Enterprise?

For SOHO and SMB use: Microsoft ISA, or you can run the built-in firewall for Win2k3 and XP.

For Enterprise use: Microsoft ISA, or you can run a commercial-quality firewall on the server itself: Check Point Firewall-1 (although it's very expensive and probably overkill).

I am just going by the title of this thread, but if I were to hit the brakes for a moment, I'd suggest a different route for Web server security in conjunction with IIS Lockdown and URLScan: Server Intrusion Prevention Systems (IPS). Here are some technologies to consider, my favorite being Sana Security Primary Response:
http://www.sanasecurity.com/

I've tried BlackICE/RealSecure Server Sensor and Okena, but they really play havoc on the stability of a production network.
http://www.iss.net/products_services...tor_server.php
http://cisco.com/en/US/products/sw/s...057/index.html

When deploying these solutions, I highly suggest using them in learning mode with alerts, which basically relegates this IPS software into an Intrusion Detection System (IDS).

Other IDS/IPS host-based technology:
Cisco Security Agent (fka Okena) - v4.0
Enterasys Dragon Squire - v5.0, 6.x
ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
McAfee Entercept - v4.x, 5.0
Nagios.org - v1.0
NFR HID - v1.0
Symantec Host IDS (fka ITA) - v3.6
Sana Primary Response - v2.0
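Phil recommends URLScan twice in this thread (in #5, with the download link, and again here alongside IIS Lockdown) without describing what it actually checks. The block below is an added example, not URLScan's code, not a file from the thread and not a Microsoft-supplied configuration: a small Python model of the request filtering URLScan performs in front of IIS (allowed verbs, denied extensions, denied URL sequences, normalization verification, dot-in-path and high-bit checks), run over a constructed set of sample requests. The section and option names in the policy are borrowed from urlscan.ini for orientation; the values are illustrative, not URLScan's shipped defaults.

```python
"""URLScan-style request filter: a simplified model written for this thread,
not URLScan's code. Policy and sample requests are constructed for the example."""
from urllib.parse import unquote

# Constructed policy. Keys mirror section/option names in urlscan.ini
# ([AllowVerbs], [DenyExtensions], [DenyUrlSequences], [RequestLimits],
# AllowHighBitCharacters, AllowDotInPath, VerifyNormalization); the values
# are illustrative, not URLScan's defaults.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "deny_extensions": {".exe", ".bat", ".cmd", ".com", ".ida", ".idq",
                        ".htr", ".printer", ".asa", ".config"},
    "deny_url_sequences": ["..", "./", "\\", ":", "%"],
    "allow_high_bit_characters": False,
    "allow_dot_in_path": False,
    "max_url": 260,
    "max_query_string": 2048,
}


def check_request(verb, raw_url, policy=POLICY):
    """Return (allowed, reason). The first failing check wins, the way a
    filter in front of the web server rejects at the first rule it trips."""
    if verb.upper() not in policy["allow_verbs"]:
        return False, "verb %r not in AllowVerbs" % verb

    path, _, query = raw_url.partition("?")
    if len(path) > policy["max_url"]:
        return False, "URL longer than MaxUrl"
    if len(query) > policy["max_query_string"]:
        return False, "query string longer than MaxQueryString"

    # NormalizeUrlBeforeScan: decode %XX escapes once before any pattern check.
    # VerifyNormalization: if decoding again changes the string, the client
    # sent a double-encoded URL (e.g. %255c -> %5c -> \) to slip past filters.
    normalized = unquote(path)
    if unquote(normalized) != normalized:
        return False, "URL does not normalize to itself (double encoding)"

    if not policy["allow_high_bit_characters"] and any(ord(c) > 127 for c in normalized):
        return False, "high-bit characters in URL"

    for seq in policy["deny_url_sequences"]:
        if seq in normalized:
            return False, "DenyUrlSequences match %r" % seq

    segments = [s for s in normalized.split("/") if s]
    # AllowDotInPath=0: a dot inside a directory name means the filter cannot
    # be sure which segment carries the real extension, so reject outright.
    if not policy["allow_dot_in_path"] and any("." in s for s in segments[:-1]):
        return False, "dot in directory name (AllowDotInPath=0)"

    if segments and "." in segments[-1]:
        ext = "." + segments[-1].rsplit(".", 1)[1].lower()
        if ext in policy["deny_extensions"]:
            return False, "extension %s in DenyExtensions" % ext

    return True, "allowed"


# Constructed sample requests (not captured traffic), one per rule of interest.
SAMPLE_REQUESTS = [
    ("GET", "/default.htm"),
    ("POST", "/scripts/upload.asp?id=7"),
    ("PUT", "/default.htm"),
    ("GET", "/default.ida?NNNNNNNNNNNN"),
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
    ("GET", "/scripts/../../winnt/system32/cmd.exe"),
    ("GET", "/foo.exe/bar.htm"),
    ("GET", "/caf%C3%A9.htm"),
]


def scan(requests=SAMPLE_REQUESTS, policy=POLICY):
    """Apply the policy to each (verb, url); return [(verb, url, allowed, reason)]."""
    return [(v, u) + check_request(v, u, policy) for v, u in requests]


if __name__ == "__main__":
    for verb, url, ok, why in scan():
        print("%-5s %-5s %-52s %s" % ("ALLOW" if ok else "DENY", verb, url, why))
```

The order of the checks is the point worth taking from it: decoding once and then confirming that a second decode is a no-op is what catches the `..%255c..` double-encoding trick before any pattern match runs, and the dot-in-directory check is what stops `/foo.exe/bar.htm` from passing an extension check that only looks at the last path segment. Both are the kinds of requests the Microsoft and SecurityFocus write-ups linked in #5 describe URLScan rejecting.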
#13
HI! When you say IIS lockdown does this mean firewall protection?
Is Microsoft ISA an OS Server platform with firewall protection or is it an add-on to an OS such as my WinXP Pro or Server?

"Phil Agcaoili" wrote in message ...

> It depends on the application. Are you a Small-Medium Business or SOHO? Enterprise?
>
> For SOHO and SMB use: Microsoft ISA or you can run the built-in firewall for win2k3 and XP.
>
> For Enterprise use: Microsoft ISA or you can run a commercial quality firewall on the server itself--Check Point Firewall-1 (although it's very expensive and probably overkill)
>
> I am just going by the title of this thread, but if I were to hit the brakes for a moment, I'd suggest a different route for Web server security in conjunction with IIS Lockdown and URLScan--Server Intrusion Prevention Systems (IPS).
>
> Here are some technologies to consider, my favorite being Sana Security Primary Response:
> http://www.sanasecurity.com/
>
> I've tried BlackICE/RealSecure Server Sensor and Okena, but they really play havoc on the stability of a production network.
> http://www.iss.net/products_services...tor_server.php
> http://cisco.com/en/US/products/sw/s...057/index.html
>
> When deploying these solutions, I highly suggest using them in learning mode with alerts, which basically relegates this IPS software into an Intrusion Detection System (IDS).
>
> Other IDS / IPS - Host-based technology:
> Cisco Security Agent (fka Okena) - v 4.0
> Enterasys Dragon Squire - v5.0, 6.x
> ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
> McAfee Entercept - v 4.x, 5.0
> Nagios.org - v1.0
> NFR HID - v1.0
> Symantec Host IDS (fka ITA) - v3.6
> Sana Primary Response - v2.0
>
> "paul dallaire" wrote:
>
>> HI! What would you suggest as a more powerful software firewall meant for servers? If you can, give me a few program names for me to check out.
>>
>> "Phil Agcaoili" wrote in message ...
>>
>>> To answer your original question (Is a software firewall necessary if hardware is available?), you already have a hardware firewall, the D-Link 604, and *maybe* you need one on the XP machine if it's running IIS, but I would at least run URLScan on your IIS server.
>>>
>>> You're on a DSL network and it sounds like it's for your small business or home. I don't suggest anything super expensive, but effective. The DLink is OK for home use as a firewall, but it's the bare minimum as firewalls go. Check eBay for Netscreen-5, Sonicwall, etc. for decent business-class firewalls for small medium business.
>>>
>>> For the XP system running IIS, the XP SP2 firewall is sufficient, but know that it will only protect you from ingress (inbound) threats. Once you get malware on that system, it can talk out of it all day long. At that point, you switch to a more powerful software firewall meant for servers.
>>>
>>> For your recent question about the DMZ:
>>>
>>> 1. No, you do not have a DMZ. Typical DMZs look like:
>>>
>>> Multi-homed Firewall/DMZ Design
>>>
>>>     Internet---FW--intranet
>>>                |
>>>               DMZ
>>>
>>> OR
>>>
>>> Sandwich DMZ Design
>>>
>>>     I---FW--DMZ--FW--i
>>>
>>> You have neither, you have:
>>>
>>>     I--FW (DLink)--i   (where your XP/IIS server and 98 systems are)
>>>
>>> Your server is directly connected to your end systems and cannot be isolated by the hardware firewall. This is the reason why people are saying to add a software firewall--isolation and threat mitigation.
>>>
>>> There are a ton of great firewall books that you may want to read.
>>>
>>> Good luck! Hope this helps.
>>>
>>> "paul dallaire" wrote:
>>>
>>>> OK, since I am not sure if it is a DMZ, here is my configuration. Tell me what it is.
>>>>
>>>> My DSL modem's main connection Rs2/32 is plugged into the main port in my D-Link 604 router (Internet Broadband Router). Then the other 2 computers are coming out of the router's child ports. The first computer, running WinXP Pro, was used to create the network disk to configure the Win98 computer. Both computers are sharing resources and are networked together. Both computers are sharing the modem through the router.
>>>>
>>>> BUT it's the WinXP Pro that starts the DSL modem connection. (In other words, if the WinXP Pro computer goes down then the Win98 computer can NO longer connect to the internet.)
>>>>
>>>> With this explanation, what is this configuration called? Is this a DMZ? What firewall software could be used to help me if needed at first?
>>>>
>>>> "Phil Agcaoili" wrote in message ...
>>>>
>>>>> Responses below.
>>>>>
>>>>> "paul dallaire" wrote:
>>>>>
>>>>>> HI! Thanks for the response. What do you suggest as a host firewall for my IIS server?
>>>>>
>>>>> It depends if your Web server is in a DMZ (protected network behind a firewall but isolated from your intranet) or connected to your internal network.
>>>>>
>>>>> If it's in a DMZ, the appliance firewall is good enough for starters. This would be good enough for most networks. An added layer of host firewall would help on your Web server if there are other devices in the DMZ. If one of those devices ever got hacked, you know that the Web server has another firewall to defend against attacks from its neighboring DMZ servers. If you go this uber-secure route, Windows 2003 has a built-in firewall that can block ingress (inbound) attacks. That should do it. Although you could go nuts and run a CheckPoint or other similar Enterprise-class firewall right on that system, BUT it's not worth it.
>>>>>
>>>>>> What is a URLscan and where can I look for the software?
>>>>>
>>>>> It has saved a bunch of my clients' booties and is an awesome Microsoft FREE application-- (if only Apache had this software)
>>>>> http://www.microsoft.com/technet/sec...s/urlscan.mspx
>>>>>
>>>>> Description of both tools:
>>>>> http://www.securityfocus.com/infocus/1755
>>>>> http://www.microsoft.com/technet/sec.../locktool.mspx
>>>>>
>>>>>> What is a SMB?
>>>>>
>>>>> Small-Medium Business
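Phil's URLScan recommendation above is about screening each request before IIS acts on it. As an added example that is not part of the thread and is not URLScan or any Microsoft code, the Python model below applies URLScan-style rules (an allowed-verb list, denied file extensions, denied URL sequences, and a check that the path does not decode a second time) to a handful of constructed sample requests, so the effect of such a filter can be seen without touching a live server. The rule values and the sample URLs are made up for the illustration, and only the path is screened; the query string is left alone.

```python
"""URLScan-style request screening, modelled in Python.

Added illustration for this thread; it is not URLScan or any Microsoft code.
It applies the kinds of rules URLScan.ini expresses (allowed verbs, denied
extensions, denied URL sequences, and a normalization check) to constructed
sample requests so the filter's effect can be seen without touching IIS.
Only the path is screened here; the query string is left alone.
"""
import posixpath
from urllib.parse import unquote

# Rule set: constructed for the example, loosely in the spirit of the
# [AllowVerbs], [DenyExtensions] and [DenyUrlSequences] sections of URLScan.ini.
ALLOW_VERBS = {"GET", "HEAD", "POST"}
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ini", ".log", ".mdb", ".printer"}
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%", "&"]
MAX_URL_LENGTH = 260


def screen_request(verb, raw_url):
    """Return (allowed, reason) for one request line; the query string is not inspected."""
    verb = verb.upper()
    if verb not in ALLOW_VERBS:
        return False, f"verb {verb} not in allow list"
    if len(raw_url) > MAX_URL_LENGTH:
        return False, "url longer than limit"

    raw_path, _, _query = raw_url.partition("?")
    path = unquote(raw_path)
    # Normalization check: a path that decodes again after one decoding pass
    # was double-encoded, which is the classic way to slip past a filter.
    if unquote(path) != path:
        return False, "path does not normalize (double encoded)"
    for seq in DENY_URL_SEQUENCES:
        if seq in path:
            return False, f"denied sequence {seq!r} in path"
    ext = posixpath.splitext(path)[1].lower()
    if ext in DENY_EXTENSIONS:
        return False, f"denied extension {ext}"
    return True, "ok"


# Constructed sample requests: the mix a small IIS site might see in a day.
SAMPLE_REQUESTS = [
    ("GET", "/index.htm"),
    ("POST", "/form.asp?name=a%20b"),
    ("TRACE", "/index.htm"),
    ("GET", "/downloads/setup.exe"),
    ("GET", "/images/..%2f..%2fweb.ini"),
    ("GET", "/%252e%252e/private.txt"),
]


def screen_all(requests=SAMPLE_REQUESTS):
    """Screen a batch and return one (verb, url, allowed, reason) tuple per request."""
    return [(v, u) + screen_request(v, u) for v, u in requests]


def blocked_count(requests=SAMPLE_REQUESTS):
    """How many requests the filter rejects: the entries you would expect in its log."""
    return sum(1 for _, _, ok, _ in screen_all(requests) if not ok)


if __name__ == "__main__":
    for verb, url, ok, reason in screen_all():
        print(f"{'ALLOW' if ok else 'BLOCK'} {verb:5} {url:32} {reason}")
```

The order of the checks matters: the double-encoding test runs before the sequence list, so a path like `/%252e%252e/...` is rejected for failing normalization rather than being waved through because its first decoding pass still contains no literal `..`.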
#14

Is software firewall necessary if hardware is available?

HI! Thanks a lot for all the info. I will read up on things.

Thanks again for all your help
Paul

"Leythos" wrote in message news ...

> On Mon, 14 Feb 2005 16:09:25 -0500, paul dallaire wrote:
>
>> HI! Why would you call the d-link a NAT box? Why would they list it as a Router? Can you explain? I don't understand.
>
> The 604 is just a ROUTER that provides NAT, it's not a firewall, look up what makes a firewall a firewall sometime. Those types of devices get marketed as what they feel they can get away with. I won't go into what a router is, what NAT is, or what a firewall appliance is, you can google for all of that.
>
>> I do understand now about isolating the two.. What would you recommend as a good router that is low price but good for my situation as a starter? I will in the future get a good hardware firewall but for now I would like decent protection.
>
> Any of the cheap units, the under $300 range, offer the same features for the most part - they are all just NAT boxes. There is no cheap SOHO single router like the 604 that provides for a full isolated DMZ and LAN areas. The separation is critical in protecting the LAN from the DMZ. As I showed in the diagram you can build your own using two cheap routers in series with each other - the DMZ area is the first router inside the network and where you put the public machines, the LAN area is on the other side of the second router.
>
>> Another thing: if I do get another good router can I still use the d-link's firewall between the LAN part as the other more advanced firewall filters the IIS Server's connections and other Pub connections?
>
> The D-Link 604 is not a firewall, it's a router with NAT. You could use two D-Link 604 units to build your LAN/DMZ just like I show below (in the quoted text). You just need to make sure that each network is a different IP range. Firewall appliances are costly, starting units run $400+ on average, most of the good ones run $1700+.
>
> Since you are only using a workstation OS and not a server you've not invested a lot, so a dual router solution would protect you well enough as long as you lock-down the publicly accessed system.
>
>> "Leythos" wrote in message news ...
>>
>>> On Mon, 14 Feb 2005 12:11:17 -0500, paul dallaire wrote:
>>>
>>>> HI! Thanks for the response. It tells in the docs how to set up the FTP software. IF it does not support it then why have the docs on it? I am running WIn XP Pro SP2, not server.
>>>
>>> I had a suspicion that you were running a workstation instead of a server. You're still in the same boat, you also risk your other computers should the public one become compromised. Your 604 router is just a simple NAT box with no real firewall installed and no means to have two network segments - we would call one segment the LAN and the other the DMZ - typically there is none or little connection between the DMZ and the LAN, and your non-public computers sit in the LAN segment. With this type of setup your computers in the DMZ can't reach the computers in the LAN should a DMZ computer become compromised.
>>>
>>> There are ways to build a cheap LAN/DMZ, but you need two routers:
>>>
>>>     INTERNET
>>>        |
>>>     ROUTER 1
>>>        |
>>>     DMZ SEGMENT
>>>        |          192.168.0.0/24
>>>     ROUTER 2
>>>        |
>>>     LAN SEGMENT
>>>        |          192.168.1.0/24
>>>
>>> In this setup your LAN computers are able to access the DMZ WEB/FTP computers, but, unless you make ports back into ROUTER 2, the DMZ computers can't reach the LAN segment. All computers can reach the Internet through the routers.
>>>
>>> Now, you do understand that your Workstation is limited to 10 sessions at a time - meaning that your web site is very limited in how many users can access it?
>>>
>>> You might also want to consider using something other than the built-in MS FTP service - Take a look at FileZilla, it's an OpenSource FTP Server that runs on the Windows Platform and is much easier and more feature rich than the MS FTP service - and it doesn't require a Windows User Account - since you're not going to allow anonymous access to the FTP site (it would be bad to allow FTP Write access to the world).
>>>
>>> FileZilla server can be found here: http://filezilla.sourceforge.net/
>>>
>>> --
>>> remove 999 in order to email me
>
> --
> remove 999 in order to email me
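The two-router LAN/DMZ layout in the quoted diagram works because each router is a plain NAT box: connections from its inside network go out, and nothing comes back in without an explicit port forward. The Python model below is an added example, not code from anyone in the thread or from D-Link. The two segments follow the diagram; the single public Web/FTP box at 192.168.0.10, with ports 80 and 21 forwarded on ROUTER 1 and nothing forwarded on ROUTER 2, is a constructed assumption. It shows why LAN users can reach the DMZ, why a compromised DMZ host cannot reach the LAN unless someone adds a forward to ROUTER 2, and it checks Leythos's condition that the two ranges must not overlap.

```python
"""Reachability model of the two-router LAN/DMZ design quoted above.

Added example for this thread, not code from any poster or from D-Link.
Each router is a plain NAT box: its inside network can open connections
outward, and inbound connections are admitted only on ports it explicitly
forwards. The segments follow the quoted diagram; the public Web/FTP box
at 192.168.0.10 and the forwards on ROUTER 1 are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.168.0.0/24")
LAN = ip_network("192.168.1.0/24")
ZONES = ["INTERNET", "DMZ", "LAN"]  # outermost first, innermost last

# "inside" is the segment a router protects; "forwards" maps a TCP port to the
# inside host that inbound connections on that port are handed to.
ROUTERS = {
    "ROUTER 1": {"inside": "DMZ", "forwards": {80: "192.168.0.10", 21: "192.168.0.10"}},
    "ROUTER 2": {"inside": "LAN", "forwards": {}},
}


def zone_of(addr):
    """Place an address in the zone it belongs to."""
    a = ip_address(addr)
    if a in LAN:
        return "LAN"
    if a in DMZ:
        return "DMZ"
    return "INTERNET"


def segments_distinct():
    """Leythos's condition: the two routers must use different IP ranges."""
    return not DMZ.overlaps(LAN)


def connection_allowed(src, dst, port):
    """Decide whether a new TCP connection src -> dst:port gets through.

    Outbound traffic (inner zone toward outer zone) is passed by every NAT
    router on the path. Inbound traffic must match a forward on each router
    it crosses, and the innermost router's forward must name dst itself.
    """
    s, d = zone_of(src), zone_of(dst)
    si, di = ZONES.index(s), ZONES.index(d)
    if si == di:
        return True, f"{s} to {s}: same segment, no router in the path"
    if si > di:
        return True, f"{s} to {d}: outbound through NAT"
    # Going inward crosses the router guarding each zone that is entered.
    crossed = [name for name, r in ROUTERS.items() if si < ZONES.index(r["inside"]) <= di]
    for name in crossed:
        if port not in ROUTERS[name]["forwards"]:
            return False, f"{name} has no forward for port {port}: dropped"
    innermost = crossed[-1]
    if ROUTERS[innermost]["forwards"][port] != dst:
        return False, f"{innermost} forwards port {port} to another host: dropped"
    return True, f"{s} to {d}: admitted by forward on {' and '.join(crossed)}"


# Constructed flows covering the cases discussed in the thread.
SAMPLE_FLOWS = [
    ("192.168.1.5", "192.168.0.10", 80),    # LAN user browsing the DMZ web box
    ("192.168.0.10", "192.168.1.5", 445),   # DMZ box (perhaps compromised) reaching for the LAN
    ("203.0.113.7", "192.168.0.10", 80),    # Internet visitor to the web site
    ("203.0.113.7", "192.168.0.10", 3389),  # Internet to a port nobody forwarded
    ("203.0.113.7", "192.168.1.5", 80),     # Internet straight at a LAN machine
    ("192.168.0.10", "198.51.100.9", 443),  # DMZ box going out to the Internet
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (src, dst, port, allowed, reason) for every flow."""
    return [(src, dst, port) + connection_allowed(src, dst, port) for src, dst, port in flows]


if __name__ == "__main__":
    print("segments distinct:", segments_distinct())
    for src, dst, port, ok, why in evaluate():
        print(f"{'ALLOW' if ok else 'BLOCK'} {src:>13} -> {dst}:{port:<5} {why}")
```

The second sample flow is the one that matters for the thread: once the public box in the DMZ is compromised, its attempt to reach the LAN is dropped at ROUTER 2 because no forward exists there, which is exactly the isolation a single D-Link 604 cannot give. Adding a forward on ROUTER 2 "for convenience" reopens that path, so the forwards table is the thing to keep empty and review.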
#15

Is software firewall necessary if hardware is available?

HI! OK, good, I will do that. And thanks again for all the information that you have given me.

"Leythos" wrote in message news ...

> On Mon, 14 Feb 2005 19:12:14 -0500, paul dallaire wrote:
>
>> HI! When you say IIS lockdown does this mean firewall protection?
>
> Go to the MS web site and search for "IIS LOCKDOWN", it's a tool/method used to secure IIS, has nothing to do with firewalls.
>
>> Is Microsoft ISA an OS Server platform with firewall protection or is it an add-on to an OS such as my WinXP Pro or Server?
>
> ISA is a firewall that runs on a Server, I do not think it will run on Windows XP Home or Prof - there is no Windows XP Server version.
>
> --
> remove 999 in order to email me