A Windows XP help forum. PCbanter

Is a software firewall necessary if hardware is available?

#1 - February 14th 05, 08:31 AM - paul dallaire

Hi! I have been having a lot of trouble getting the personal firewall of
(Norton Internet Security) to work with IIS server.

With the PF turned off all is OK. It's fine through my router and with my
shared DSL connection, but once it's on both IE and my FTP client just
time out.

I have a D-Link router with a built-in firewall. Is this good enough? Am I
just going through all this for overkill?

I have the virus scanner/adware scanner/spyware scanner and all is fine
right now.

What do you guys think?



#2 - February 14th 05, 04:37 PM - Phil Agcaoili

Adding to both responses, defense in depth is critical and NO, your DLink
firewall is not enough.

I suggest a true appliance firewall. Depending on your budget and number of
users, you can get away with an SMB firewall like a Netscreen, Cisco PIX, or
Nokia Firewall for your network defense.

I suggest a host firewall on your IIS server.

And I suggest URLScan to proactively defend your IIS server.

There are no shortcuts to security, especially on an Internet-facing Web
server.

#3 - February 14th 05, 05:09 PM - paul dallaire

Hi! Thanks for the response. What do you suggest as a host firewall for my
IIS server?
What is URLScan and where can I look for the software?
What is an SMB?

#4 - February 14th 05, 05:11 PM - paul dallaire

Hi! Thanks for the response. It tells in the docs how to set up a set FTP
software. If it does not support it then why have the docs on it?

I am running Win XP Pro SP2, not Server.


"Leythos" wrote in message
news
On Mon, 14 Feb 2005 03:31:28 -0500, paul dallaire wrote:

> Hi! I have been having a lot of trouble getting the personal firewall of
> (Norton Internet Security) to work with IIS server.
>
> With the PF turned off all is OK. It's fine through my router and with my
> shared DSL connection, but once it's on both IE and my FTP client just
> time out.

NIS was not designed to be run on a Server.

> I have a D-Link router with a built-in firewall. Is this good enough? Am I
> just going through all this for overkill?

Your D-Link router is probably just a NAT box and not really a firewall.
The router will allow you to pass 80/444/FTP ports through to the server,
but it's not going to do much in the way a firewall would.

> I have the virus scanner/adware scanner/spyware scanner and all is fine
> right now.
>
> What do you guys think?

I suspect that you don't have a server quality Virus Scanner installed, just
a client virus scanner, you've probably not run the MBSA to determine if
the machine is locked down, probably not disabled services you don't want
people using, and you should have renamed the Administrator account and
forced LARGE NASTY passwords on all accounts on this box.

Look at some of the MS articles on securing a web-server and make sure you
follow their directions or you're going to have a compromised machine in
short time.

--

remove 999 in order to email me



#5 - February 14th 05, 05:41 PM - Phil Agcaoili

Responses below.

"paul dallaire" wrote:

> Hi! Thanks for the response. What do you suggest as a host firewall for my
> IIS server?

It depends if your Web server is in a DMZ (protected network behind a
firewall but isolated from your intranet) or connected to your internal
network.

If it's in a DMZ, the appliance firewall is good enough for starters. This
would be good enough for most networks.

An added layer of host firewall would help on your Web server if there are
other devices in the DMZ. If one of those devices ever got hacked, you know
that the Web server has another firewall to defend attacks from its
neighboring DMZ servers.

If you go this uber-secure route, Windows 2003 has a built-in firewall that
can block ingress (inbound) attacks. That should do it. Although you could
go nuts and run a CheckPoint or other similar Enterprise-class firewall right
on that system, BUT it's not worth it.

> What is URLScan and where can I look for the software?

It has saved a bunch of my clients' booties and is an awesome Microsoft FREE
application (if only Apache had this software):
http://www.microsoft.com/technet/sec...s/urlscan.mspx
Description of both tools: http://www.securityfocus.com/infocus/1755
http://www.microsoft.com/technet/sec.../locktool.mspx

> What is an SMB?

Small-Medium Business
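
To make concrete what a request filter like URLScan does in front of IIS, here is an added example (mine, not URLScan's code and not from this thread): a simplified Python model of its allow-list policy, run over a handful of request lines. The policy values are assumptions that follow the URLScan 2.5 defaults as I recall them (allowed verbs GET/HEAD/POST, denied executable extensions, denied URL sequences such as `..` and `%`, normalization verification, a URL length limit), and the sample request lines are constructed.

```python
"""Simplified model of URLScan-style request filtering for IIS.

Added example, not URLScan's code. The policy values below are assumptions
that follow the URLScan 2.5 defaults as I recall them; the sample request
lines at the bottom are constructed for the demonstration.
"""
import os
from urllib.parse import unquote

# [AllowVerbs] with UseAllowVerbs=1: any verb not listed is rejected
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
# [DenyExtensions] (subset): never serve these, even if the file exists
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq",
                     ".htr", ".idc", ".shtm", ".shtml", ".stm", ".printer",
                     ".ini", ".log"}
# [DenyUrlSequences]: checked against the path after one round of decoding
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
MAX_URL = 260            # MaxUrl in [RequestLimits]
ALLOW_HIGH_BIT = False   # AllowHighBitCharacters=0


def verify_normalization(raw_path):
    """VerifyNormalization: decode once and reject if a second decode would
    still change the string (that is what double-encoded paths rely on).
    Returns (ok, decoded_path)."""
    once = unquote(raw_path)
    return unquote(once) == once, once


def check_request(request_line):
    """Return (allowed, reason) for one HTTP request line.

    Only the path is scanned for denied sequences; the query string is left
    alone apart from the overall length limit (assumption, see lead-in)."""
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    verb, url, _version = parts
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not in allow list"
    if len(url) > MAX_URL:
        return False, f"url longer than {MAX_URL} bytes"
    raw_path = url.split("?", 1)[0]
    ok, path = verify_normalization(raw_path)
    if not ok:
        return False, "url changes when decoded twice (double encoding)"
    if not ALLOW_HIGH_BIT and any(ord(ch) > 127 for ch in path):
        return False, "high-bit character in url"
    for seq in DENIED_SEQUENCES:
        if seq in path:
            return False, f"denied sequence {seq!r} in path"
    ext = os.path.splitext(path)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, f"denied extension {ext}"
    return True, "ok"


def filter_requests(request_lines):
    """Apply the policy to a batch of request lines (for instance, lines
    pulled from the IIS log) and return (line, allowed, reason) for each."""
    return [(line, *check_request(line)) for line in request_lines]


# Constructed sample request lines, not taken from any real log.
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.1",                     # plain page: allowed
    "POST /upload.asp?name=report%26notes HTTP/1.1", # '&' only in query: allowed
    "TRACE / HTTP/1.1",                              # verb not in allow list
    "GET /tools/setup.exe HTTP/1.1",                 # denied extension
    "GET /scripts/..%2f..%2fconfig.txt HTTP/1.1",    # decodes to '..' traversal
    "GET /%252e%252e/ HTTP/1.1",                     # double-encoded, fails verify
    "GET /" + "a" * 300 + " HTTP/1.1",               # over MaxUrl
]

if __name__ == "__main__":
    for line, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'REJECT':6} {reason:48} {line[:48]}")
```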
#7 - February 14th 05, 06:36 PM - paul dallaire

OK, since I am not sure if it is a DMZ, here is my configuration. Tell me what
it is.

My DSL modem's main connection Rs2/32 is plugged into the main port in my
D-Link 604 router (Internet Broadband Router). Then the other 2 computers
are coming out of the router's child ports.

The first computer, running WinXP Pro, was used to create the network disk to
configure the Win98 computer.
Both computers are sharing resources and are networked together.

Both computers are sharing the modem through the router. BUT it's the WinXP
Pro that starts the DSL modem connection. (In other words if the WinXP Pro
computer goes down then the Win98 computer can NO longer connect to the
internet.)
With this explanation, what is this configuration called? Is this a DMZ?
What firewall software could be used to help me if needed at first?

#8 - February 14th 05, 07:51 PM - Phil Agcaoili

To answer your original question (Is software firewall nessasery if hardware
is available?), you already have a hardware firewall, the D-Link 604 and
*maybe* you need one on the XP machine if it's running IIS, but I would at
least run URLScan on your IIS server.

You're on a DSL network and it sounds like it's for your small business or
home. I don't suggest anything super expensive, but effective. The DLink is
OK for home use as a firewall, but it's the bare minimum as firewalls go.
Check eBay for Netscreen-5, Sonicwall, etc. for decent business-class
firewalls for small medium business.

For the XP system running IIS, the XP SP2 firewall is sufficient, but know
that it will only protect you from ingress (inbound) threats. Once you get
malware on that system, it can talk out of it all day long. At that point,
you switch to a more powerful software firewall meant for servers.


For your recent question about the DMZ:
1. No, you do not have a DMZ.

Typical DMZs look like:

Multi-homed Firewall/DMZ Design
Internet---FW--intranet
            |
           DMZ

OR

Sandwich DMZ Design
I---FW--DMZ--FW--i

You have neither, you have:
I--FW (DLink)--i (where your XP/IIS server and 98 systems are)

Your server is directly connected to your end systems and cannot be isolated
by the hardware firewall. This is the reason why people are saying to add a
software firewall--isolation and threat mitigation.

There are a ton of great firewall books that you may want to read.

Good luck!

Hope this helps.

#9 - February 14th 05, 08:54 PM - paul dallaire

Hi! What would you suggest as a more powerful software firewall meant for
servers?
If you can give me a few program names for me to check out.

#10 - February 14th 05, 09:09 PM - paul dallaire

Hi! Why would you call the D-Link a NAT box? Why would they list it as a
router? Can you explain? I don't understand.

I do understand now about isolating the two. What would you recommend as a good
router that is low price but good for my situation as a starter? I will in
the future get a good hardware firewall, but for now I would like decent
protection.

Another thing: if I do get another good router, can I still use the D-Link's
firewall between the LAN part as the other more advanced firewall filters
the IIS server's connections and other Pub connections?



"Leythos" wrote in message
news
On Mon, 14 Feb 2005 12:11:17 -0500, paul dallaire wrote:

> Hi! Thanks for the response. It tells in the docs how to set up a set FTP
> software. If it does not support it then why have the docs on it?
>
> I am running Win XP Pro SP2, not Server.

I had a suspicion that you were running a workstation instead of a server.
You're still in the same boat, you also risk your other computers should
the public one become compromised.

Your 604 router is just a simple NAT box with no real firewall installed
and no means to have two network segments - we would call one segment the
LAN and the other the DMZ - typically there is none or little connection
between the DMZ and the LAN, and your non-public computers sit in the LAN
segment. With this type of setup your computers in the DMZ can't reach the
computers in the LAN should a DMZ computer become compromised.

There are ways to build a cheap LAN/DMZ, but you need two routers:

INTERNET
   |
ROUTER 1
   | DMZ SEGMENT
   | 192.168.0.0/24
ROUTER 2
   | LAN SEGMENT
   | 192.168.1.0/24

In this setup your LAN computers are able to access the DMZ WEB/FTP
computers, but, unless you make ports back into ROUTER 2, the DMZ
computers can't reach the LAN segment. All computers can reach the
Internet through the routers.

Now, you do understand that your Workstation is limited to 10 sessions at
a time - meaning that your web site is very limited in how many users can
access it?

You might also want to consider using something other than the built-in MS
FTP service - take a look at FileZilla, it's an OpenSource FTP Server
that runs on the Windows Platform and is much easier and more feature-rich
than the MS FTP service - and it doesn't require a Windows User Account -
since you're not going to allow anonymous access to the FTP site (it would
be bad to allow FTP Write access to the world).

FileZilla server can be found here:
http://filezilla.sourceforge.net/

--

remove 999 in order to email me

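The DMZ sketches in Phil's post #8 and Leythos's two-router LAN/DMZ design above both come down to one question: who can open a connection to whom once a box is compromised. As an added example that is not from the thread, this Python model encodes Leythos's description of a NAT box (outbound connections always pass, inbound ones only through an explicit port forward) and answers that question for paul's flat D-Link setup, for the two-router design, and for the two-router design after "making ports back into ROUTER 2". Host names, segment names and ports are constructed.

```python
"""Reachability model for the topologies drawn in this thread.

Added example, not code from the thread or from any router vendor. A NAT
router is modelled the way Leythos describes the D-Link 604: hosts on its
inside may open connections outward, hosts on its outside reach an inside
host only through an explicit port forward. Host and segment names are
constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    name: str
    inside: str       # the segment behind this router
    outside: str      # the segment it NATs toward
    # (host, port) pairs forwarded from outside to inside
    forwards: set = field(default_factory=set)


class Network:
    def __init__(self, hosts, routers):
        self.hosts = hosts                        # host -> segment it sits in
        self.up = {r.inside: r for r in routers}  # segment -> router leading outward

    def outward_chain(self, segment):
        """Segments seen walking outward, e.g. ['LAN', 'DMZ', 'Internet']."""
        chain = [segment]
        while chain[-1] in self.up:
            chain.append(self.up[chain[-1]].outside)
        return chain

    def can_connect(self, src, dst, port):
        """True if src can open a TCP connection to dst:port.

        Crossing a NAT router outward is always allowed; every router crossed
        inward on the way to dst must forward (dst, port)."""
        src_chain = self.outward_chain(self.hosts[src])
        dst_chain = self.outward_chain(self.hosts[dst])
        # first segment reachable outward from src that also lies above dst
        meeting = next(seg for seg in src_chain if seg in dst_chain)
        # segments entered inward from there down to dst, each behind a router
        inward = dst_chain[: dst_chain.index(meeting)]
        return all((dst, port) in self.up[seg].forwards for seg in inward)


def flat_dlink():
    """What paul has: one D-Link 604, IIS box and Win98 box on the same LAN,
    with web and FTP forwarded to the IIS box."""
    return Network(
        hosts={"xp-iis": "LAN", "win98": "LAN", "visitor": "Internet"},
        routers=[NatRouter("dlink-604", inside="LAN", outside="Internet",
                           forwards={("xp-iis", 80), ("xp-iis", 21)})],
    )


def two_router_dmz(hole_back_into_lan=False):
    """Leythos's cheap LAN/DMZ: router 1 fronts the DMZ, router 2 fronts the
    LAN. hole_back_into_lan models 'making ports back into ROUTER 2'."""
    r2 = NatRouter("router-2", inside="LAN", outside="DMZ")
    if hole_back_into_lan:
        r2.forwards.add(("win98", 445))
    return Network(
        hosts={"xp-iis": "DMZ", "win98": "LAN", "visitor": "Internet"},
        routers=[NatRouter("router-1", inside="DMZ", outside="Internet",
                           forwards={("xp-iis", 80), ("xp-iis", 21)}), r2],
    )


def exposure_report(net):
    """The questions the thread is really asking, answered for one topology."""
    return {
        "visitor reaches web server": net.can_connect("visitor", "xp-iis", 80),
        "visitor reaches win98 share": net.can_connect("visitor", "win98", 445),
        "LAN box reaches web server": net.can_connect("win98", "xp-iis", 80),
        "compromised web server reaches win98": net.can_connect("xp-iis", "win98", 445),
        "web server reaches Internet": net.can_connect("xp-iis", "visitor", 80),
    }


if __name__ == "__main__":
    for label, net in [("flat D-Link", flat_dlink()),
                       ("two-router DMZ", two_router_dmz()),
                       ("two-router DMZ + hole into LAN", two_router_dmz(True))]:
        print(label)
        for question, answer in exposure_report(net).items():
            print(f"  {question:40} {answer}")
```

The flat topology is the one Phil called "I--FW (DLink)--i": the forward that publishes IIS is fine, but nothing stops the IIS box from reaching the Win98 share, which is exactly the isolation a host firewall or a second router is meant to restore.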


#11 - February 14th 05, 09:34 PM - Matt Gibson

ISA Server for one.

Personally, I don't use software firewalls alone on servers.

Matt Gibson - GSEC

#12 - February 14th 05, 10:19 PM - Phil Agcaoili

It depends on the application.

Are you a Small-Medium Business or SOHO?
Enterprise?

For SOHO and SMB use:
Microsoft ISA, or you can run the built-in firewall for win2k3 and XP.

For Enterprise use:
Microsoft ISA, or you can run a commercial quality firewall on the server
itself: Check Point Firewall-1 (although it's very expensive and probably
overkill).

I am just going by the title of this thread, but if I were to hit the brakes
for a moment, I'd suggest a different route for Web server security in
conjunction with IIS Lockdown and URLScan: Server Intrusion Prevention
Systems (IPS).

Here are some technologies to consider, my favorite being Sana Security
Primary Response:
http://www.sanasecurity.com/

I've tried BlackICE/RealSecure Server Sensor and Okena, but they really play
havoc on the stability of a production network.
http://www.iss.net/products_services...tor_server.php
http://cisco.com/en/US/products/sw/s...057/index.html

When deploying these solutions, I highly suggest using them in learning mode
with alerts, which basically relegates this IPS software to an Intrusion
Detection System (IDS).

Other IDS / IPS - Host-based technology:
Cisco Security Agent (fka Okena) - v 4.0
Enterasys Dragon Squire - v5.0, 6.x
ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
McAfee Entercept - v 4.x, 5.0
Nagios.org - v1.0
NFR HID - v1.0
Symantec Host IDS (fka ITA) - v3.6
Sana Primary Response - v2.0

#13 - February 15th 05, 12:12 AM - paul dallaire

Hi! When you say IIS Lockdown, does this mean firewall protection?

Is Microsoft ISA an OS/server platform with firewall protection, or is it an
add-on to an OS such as My WinXP pro or Server?


"Phil Agcaoili" wrote in message
...
It depends on the application.

Are you a Small-Medium Business or SOHO?
Enterprise?

For SOHO and SMB use:
Microsoft ISA or you can run the built-in firewall for win2k3 and XP.

For Enterprise use:
Microsoft ISA or you can run commercial quality firewall on the server
itself--Check Point Firewall-1 (although it's very expensive and probably
overkill)


I am just going by the title of this thread, but if I were to hit the brakes
for a moment, I'd suggest a different route for Web server security in
conjunction with IIS Lockdown and URLScan--Server Intrusion Prevention
Systems (IPS).

Here are some technologies to consider, my favorite being Sana Security
Primary Response:
http://www.sanasecurity.com/

I've tried BlackICE/RealSecure Server Sensor and Okena, but they really play
havoc on the stability of a production network.
http://www.iss.net/products_services...tor_server.php
http://cisco.com/en/US/products/sw/s...057/index.html

When deploying these solutions, I highly suggest using them on learning mode
with alerts, which basically relegates this IPS software into an Intrusion
Detection System (IDS).

Other IDS / IPS - Host-based technology:
Cisco Security Agent (fka Okena) - v 4.0
Enterasys Dragon Squire - v5.0, 6.x
ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
McAfee Entercept - v 4.x, 5.0
Nagios.org - v1.0
NFR HID - v1.0
Symantec Host IDS (fka ITA) - v3.6
Sana Primary Response - v2.0

"paul dallaire" wrote:

HI! what would you suggest as a more powerful software firewall meant for
servers.
If you can give me a few programs names for me to check out.?



"Phil Agcaoili" wrote in message
...
To answer your original question (Is software firewall nessasery if hardware
is available?), you already have a hardware firewall, the D-Link 604 and
*maybe* you need one on the XP machine if it's running IIS, but I would at
least run URLScan on your IIS server.

You're on a DSL network and it sounds like it's for your small business or
home. I don't suggest anything super expensive, but effective. The DLink is
OK for home use as a firewall, but it's the bare minimum as firewalls go.
Check eBay for Netscreen-5, Sonicwall, etc. for decent business-class
firewalls for small medium business.

For the XP system running IIS, the XP SP2 firewall is sufficient, but know
that it will only protect you from ingress (inbound) threats. Once you get
malware on that system, it can talk out of it all day long. At that point,
you switch to a more powerful software firewall meant for servers.


For your recent question about the DMZ:
1. No, you do not have a DMZ.

Typical DMZs look like:

Multi-homed Firewall/DMZ Design
Internet---FW--intranet
            |
           DMZ

OR

Sandwich DMZ Design
I---FW--DMZ--FW--i

You have neither, you have:
I--FW (DLink)--i (where your XP/IIS server and 98 systems are)

Your server is directly connected to your end systems and cannot be isolated
by the hardware firewall. This is the reason why people are saying to add a
software firewall--isolation and threat mitigation.

There are a ton of great firewall books that you may want to read.

Good luck!

Hope this helps.

"paul dallaire" wrote:

OK since I am not sure if it is DMZ here is my configuration. tell me what
it is.

My DSL modem's main connection Rs2/32 is plugged into the main port in my
D-Link 604 router ( Internet Broadband Router). then the other 2 computers
are coming out of the router's child ports.

First computer running WinXP pro was used to create the network disk to
configure the win98 computer.
both computers are sharing sources and are networked together.

Both computers are sharing the modem through the router. BUT it's the WinXP
Pro that starts the DSL modem connection. ( In other words if the winxp pro
computer goes down then the win98 computer can NO longer connect to the
internet.)

With this explanation What is this configuration called? is this a DMZ
What firewall software could be used to help me if needed at first?


"Phil Agcaoili" wrote in
message
...
Responses below.

"paul dallaire" wrote:

HI! thanks for the response. what do you suggest as a host firewall for my
IIS server?

It depends if your Web server is in a DMZ (protected network behind a
firewall but isolated from your intranet) or connected to your internal
network.

If it's in a DMZ, the appliance firewall is good enough for starters. This
would be good enough for most networks.

An added layer of host firewall would help on your Web server if there are
other devices in the DMZ. If one of those devices ever got hacked, you know
that the Web server has another firewall to defend attacks from its
neighboring DMZ servers.

If you go this uber-secure route, Windows 2003 has a built-in firewall that
can block ingress (inbound) attacks. That should do it. Although you could
go nuts and run a CheckPoint or other similar Enterprise-class firewall right
on that system, BUT it's not worth it.


What is a URLscan and where can I look for the software?

It has saved a bunch of my clients' booties and is an awesome Microsoft FREE
application-- (if only Apache had this software)
http://www.microsoft.com/technet/sec...s/urlscan.mspx
Description of both tools: http://www.securityfocus.com/infocus/1755
http://www.microsoft.com/technet/sec.../locktool.mspx


What is a SMB?
Small-Medium Business
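Editor's added example, not code from the thread and not Microsoft's URLScan: a Python model of the kind of request filtering URLScan does in front of IIS, which is what separates it (and IIS Lockdown) from a firewall. The check names follow the URLScan.ini sections (AllowVerbs, DenyExtensions, DenyUrlSequences, AllowHighBitCharacters, VerifyNormalization, MaxUrl); the values, the order of the checks and the sample request lines are assumptions made for illustration.

```python
"""Simplified model of the request filtering URLScan does in front of IIS.

Added example, not Microsoft's code and not part of the thread. The check
names mirror URLScan.ini sections (AllowVerbs, DenyExtensions,
DenyUrlSequences, AllowHighBitCharacters, VerifyNormalization, MaxUrl);
the values and the sample requests below are constructed for illustration.
"""
import os
from urllib.parse import unquote

# [AllowVerbs] with UseAllowVerbs=1: any verb not listed is rejected
ALLOW_VERBS = {"GET", "HEAD", "POST"}
# [DenyExtensions]: script maps a plain web server does not need (assumed list)
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq", ".printer", ".htr", ".asa"}
# [DenyUrlSequences]: traversal and encoding tricks, matched on the decoded path
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
ALLOW_HIGH_BIT_CHARACTERS = False   # reject non-ASCII (unicode traversal variants)
MAX_URL = 260                       # [RequestLimits] MaxUrl


def check_request(verb: str, raw_url: str) -> tuple:
    """Return (allowed, reason) for one request line, cheapest checks first."""
    if verb.upper() not in ALLOW_VERBS:
        return False, f"verb {verb!r} not in AllowVerbs"
    if len(raw_url) > MAX_URL:
        return False, "URL exceeds MaxUrl"

    decoded = unquote(raw_url)
    # VerifyNormalization=1: a URL that still decodes after one pass was
    # double-encoded (%255c -> %5c -> \), the classic IIS traversal bypass.
    if unquote(decoded) != decoded:
        return False, "double-encoded URL fails normalization check"
    if not ALLOW_HIGH_BIT_CHARACTERS and any(ord(ch) > 127 for ch in decoded):
        return False, "high-bit character in URL"

    path = decoded.split("?", 1)[0]   # query string is not part of the path checks
    for seq in DENY_URL_SEQUENCES:
        if seq in path:
            return False, f"denied sequence {seq!r} in path"
    ext = os.path.splitext(path)[1].lower()
    if ext in DENY_EXTENSIONS:
        return False, f"denied extension {ext}"
    return True, "ok"


# Constructed request lines: two legitimate, four shaped like 2001-era IIS attacks
SAMPLE_REQUESTS = [
    ("GET", "/default.htm"),
    ("POST", "/upload.asp"),
    ("PROPFIND", "/"),                                             # WebDAV verb
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),   # double-decode traversal
    ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"),  # unicode traversal
    ("GET", "/default.ida?" + "X" * 200),                          # .ida script-map probe
]


def filter_samples() -> dict:
    """Run every sample through the filter; returns {url: (allowed, reason)}."""
    return {url: check_request(verb, url) for verb, url in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, (allowed, reason) in filter_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {url[:48]:48} {reason}")
```

The point of the normalization check is worth noticing: the filter decodes once, then confirms a second decode changes nothing, so a double-encoded backslash is rejected before any sequence matching runs. A firewall that only sees port 80 open would have passed every one of these requests.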








  #14  
Old February 15th 05, 12:16 AM
paul dallaire
Default Is software firewall nessasery if hardware is available?

HI! Thanks allot for all the info. I will read up on things.

Thanks again for all your help

Paul


"Leythos" wrote in message
On Mon, 14 Feb 2005 16:09:25 -0500, paul dallaire wrote:

HI! Why would you call the d-link a NAT box ? why would they list it as a
Router? can you explain I don't understand.


The 604 is just a ROUTER that provides NAT, it's not a firewall, look up
what makes a firewall a firewall sometime. Those types of devices get
marketed as what they feel they can get away with. I won't go into what a
router is, what NAT is, or what a firewall appliance is, you can google
for all of that.

I do understand now about isolating the two.. what would you recommend as a
good router that is low price but good for my situation as a starter. I will
in the future get a good hardware firewall but for now I would like decent
protection.


Any of the cheap units, the under $300 range, offer the same features for
the most part - they are all just NAT boxes. There is no cheap SOHO single
router like the 604 that provides for a full isolated DMZ and LAN areas.
The separation is critical in protecting the LAN from the DMZ. As I showed
in the diagram you can build your own using two cheap routers in series
with each other - the DMZ area is the first router inside the network and
where you put the public machines, the LAN area is on the other side of
the second router.

another thing if I do get another good router can I still use the D-Link's
firewall between the LAN part as the other more advanced firewall filters
the IIS Servers connections and other Pub connections?


The D-Link 604 is not a firewall, it's a router with NAT. You could use
two D-Link 604 units to build your LAN/DMZ just like I show below (in the
quoted text). You just need to make sure that each network is a different
IP range.

Firewall appliances are costly, starting units run $400+ on average, most
of the good ones run $1700+. Since you are only using a workstation OS and
not a server you've not invested a lot, so a dual router solution would
protect you well enough as long as you lock-down the publicly accessed
system.


"Leythos" wrote in message
On Mon, 14 Feb 2005 12:11:17 -0500, paul dallaire wrote:

HI! thanks for the response. It tells in the docs how to set up FTP
software. IF it does not support it then why have the docs on it?

I am running WIn XP Pro Sp2. not server.

I had a suspicion that you were running a workstation instead of a server.
You're still in the same boat, you also risk your other computers should
the public one become compromised.

Your 604 router is just a simple NAT box with no real firewall installed
and no means to have two network segments - we would call one segment the
LAN and the other the DMZ - typically there is none or little connection
between the DMZ and the LAN, and your non-public computers sit in the LAN
segment. With this type of setup your computers in the DMZ can't reach the
computers in the LAN should a DMZ computer become compromised.

There are ways to build a cheap LAN/DMZ, but you need two routers:

    INTERNET
        |
    ROUTER 1
        |  DMZ SEGMENT
        |  192.168.0.0/24
    ROUTER 2
        |  LAN SEGMENT
        |  192.168.1.0/24

In this setup your LAN computers are able to access the DMZ WEB/FTP
computers, but, unless you make ports back into ROUTER 2, the DMZ
computers can't reach the LAN segment. All computers can reach the
Internet through the routers.

Now, you do understand that your Workstation is limited to 10 sessions at
a time - meaning that your web site is very limited in how many users can
access it?

You might also want to consider using something other than the built-in MS
FTP service - Take a look at FileZilla, it's an OpenSource FTP Server that
runs on the Windows Platform and is much easier and feature rich than the
MS FTP service - and it doesn't require a Windows User Account - since
you're not going to allow anonymous access to the FTP site (it would be
bad to allow FTP Write access to the world).

FileZilla server can be found here:
http://filezilla.sourceforge.net/

--

remove 999 in order to email me



--

remove 999 in order to email me
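Editor's added example, not code from the thread: a small Python model of the two layouts the thread argues about, Phil's point that a single D-Link puts the XP/IIS box and the Win98 box on one segment with nothing between them, and Leythos's two-router LAN/DMZ diagram above. It encodes only what the posts say a cheap NAT box does: connections started on its inside pass out, connections started on its outside pass in only where a port is forwarded. The addresses (TEST-NET ranges on the public side), the forwarded ports (80 and 21 to the IIS host) and the host names are assumptions.

```python
"""Flow-policy model of the two-router LAN/DMZ layout versus a single NAT box.

Added example, not from the thread. It encodes only what the posts describe:
a cheap NAT router passes connections started on its inside, and passes
connections started on its outside only through a port-forward. Addresses,
forwarded ports and hosts are assumptions (public side uses TEST-NET ranges).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, List, Tuple


@dataclass
class NatRouter:
    name: str
    wan: IPv4Address          # its address on the outer segment
    inside: IPv4Network       # the segment directly behind it
    forwards: Dict[int, IPv4Address] = field(default_factory=dict)  # port -> inside host


def depth(addr: IPv4Address, chain: List[NatRouter]) -> int:
    """Number of routers between addr and the Internet (0 = Internet side)."""
    for i, router in enumerate(chain):
        if addr in router.inside:
            return i + 1
    return 0


def connection_allowed(src: str, dst: str, dport: int,
                       chain: List[NatRouter]) -> Tuple[bool, str]:
    """Can a TCP connection from src to dst:dport be set up? chain is ordered
    outermost first: Internet -> chain[0] -> chain[1] -> ..."""
    s, d = ip_address(src), ip_address(dst)
    ds, dd = depth(s, chain), depth(d, chain)
    if ds == dd:
        return True, "same segment: no router in the path, nothing filters it"
    if ds > dd:
        crossed = [chain[i].name for i in range(dd, ds)]
        return True, "outbound NAT through " + ", ".join(reversed(crossed))
    # inbound: every router crossed must forward dport to the next hop inward
    for i in range(ds, dd):
        router = chain[i]
        next_hop = d if i == dd - 1 else chain[i + 1].wan
        if router.forwards.get(dport) != next_hop:
            return False, f"{router.name} has no forward of port {dport} to {next_hop}"
    return True, "inbound via port-forward"


def add_forward(chain: List[NatRouter], router_name: str, dport: int, host: str) -> None:
    """'Make ports back into ROUTER 2': map dport on one router to an inside host."""
    for router in chain:
        if router.name == router_name:
            router.forwards[dport] = ip_address(host)
            return
    raise KeyError(router_name)


INTERNET_CLIENT = "198.51.100.7"

# Leythos's layout: ROUTER 1 fronts the DMZ, ROUTER 2 fronts the LAN
IIS_DMZ, PC_LAN = "192.168.0.10", "192.168.1.20"
TWO_ROUTER = [
    NatRouter("ROUTER 1", ip_address("203.0.113.10"), IPv4Network("192.168.0.0/24"),
              forwards={80: ip_address(IIS_DMZ), 21: ip_address(IIS_DMZ)}),
    NatRouter("ROUTER 2", ip_address("192.168.0.2"), IPv4Network("192.168.1.0/24")),
]

# Paul's current layout: one D-Link 604 with the XP/IIS and Win98 boxes side by side
IIS_FLAT, PC_FLAT = "192.168.0.10", "192.168.0.20"
SINGLE_ROUTER = [
    NatRouter("D-Link 604", ip_address("203.0.113.10"), IPv4Network("192.168.0.0/24"),
              forwards={80: ip_address(IIS_FLAT), 21: ip_address(IIS_FLAT)}),
]


def isolation_report(chain: List[NatRouter], iis: str, pc: str) -> Dict[str, bool]:
    """The thread's questions for one layout: what can reach the public box,
    can it reach the private box once compromised, and can it still talk out."""
    return {
        "internet->iis:80": connection_allowed(INTERNET_CLIENT, iis, 80, chain)[0],
        "internet->iis:3389": connection_allowed(INTERNET_CLIENT, iis, 3389, chain)[0],
        "internet->pc:139": connection_allowed(INTERNET_CLIENT, pc, 139, chain)[0],
        "pc->iis:80": connection_allowed(pc, iis, 80, chain)[0],
        "iis->pc:139": connection_allowed(iis, pc, 139, chain)[0],
        "iis->internet:6667": connection_allowed(iis, INTERNET_CLIENT, 6667, chain)[0],
    }


if __name__ == "__main__":
    for label, chain, iis, pc in (("two routers", TWO_ROUTER, IIS_DMZ, PC_LAN),
                                  ("single NAT box", SINGLE_ROUTER, IIS_FLAT, PC_FLAT)):
        print(label)
        for flow, ok in isolation_report(chain, iis, pc).items():
            print(f"  {flow:22} {'allowed' if ok else 'blocked'}")
```

Two results matter. With one NAT box, "iis->pc:139" is allowed because both machines share a segment and the router never sees the traffic, which is Phil's "you have neither" point; with two routers it is blocked until someone forwards a port on ROUTER 2. In both layouts "iis->internet" is allowed, which is the ingress-only limitation Phil attaches to the XP SP2 firewall: nothing here stops a compromised public box from talking out.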



  #15  
Old February 15th 05, 02:23 AM
paul dallaire
Default Is software firewall nessasery if hardware is available?

HI! ok good I will do that. and thanks again for all the information that
you have given me


"Leythos" wrote in message
On Mon, 14 Feb 2005 19:12:14 -0500, paul dallaire wrote:

HI! When you say IIS lockdown does this mean firewall protection?


Go to the MS web site and search for "IIS LOCKDOWN", it's a tool/method
used to secure IIS, has nothing to do with firewalls.

Is Microsoft ISA an OS Server platform with firewall protection or is it an
add-on to an OS such as My WinXP pro or Server?


ISA is a firewall that runs on a Server, I do not think it will run on
Windows XP Home or Prof - there is no Windows XP Server version.

--

remove 999 in order to email me



 



