What's a good firewall for win2k3?

Discussion in 'Windows Server Systems' started by Dark Atheist, Mar 16, 2008.

  1. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    have been asked this by a friend who has win2k3... seeing as I don't use win2k3 I can't really say
     
  2. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
  3. Dark Atheist

    thanks :)

    edit: seems he forgot to tell me he's using x64 2k3 :/
     
  4. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    anything external to the machine running windows :)
     
  5. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    Amen.
     
  6. zeke_mo

    zeke_mo (value not set) Staff Member Political User Folding Team

    Messages:
    1,984
    Location:
    Placerville, CA
    Hardware firewall all the way
     
  7. _kC_

    _kC_ Moderator

    Messages:
    514
    is he actually using it as a 2k3 server (dns/ad/dhcp/smtp etc) ?
     
  8. Dark Atheist

    yes - web ftp mail, he has an 8 port linksys router in the office
     
  9. _kC_

    if the router is set in NAT mode that should cover most of the inbound protection. if any ports are forwarded, try to limit them to specific IPs within the router.
    outpost 4.x runs on win2k3 (and has a 64bit version) although I wouldn't recommend it, he would do better to tighten up & configure the server properly, rather than trying to cover up open holes

    I run a 2k3 std server but am confident in my config & router's inbound protection.
    just make sure he disables any un-needed services/roles and keeps it up to date.

    also it's worth installing and configuring the Security Configuration Wizard
    http://www.windowsecurity.com/articles/Security-Configuration-Wizard-Windows-Server-2003-SP1.html

    is he actually using the pc as a workstation as well? (browsing on it etc)?
     
    Last edited: Mar 17, 2008
  10. Dark Atheist

    from what I understand, what he wants to do is what I have done with my BSD box (thanks to lord geffy and X) using PF, but he wants to do this on windows. server will sit there and be used as ftp, web, and storage, all other connections to the router will mainly be internal (some inet use) but they want to lock it down so that only the server can be reached, and only for web/ftp - port 80 and 21 (poss pasv for ftp).

    For the ftp he would like to use per-IP restriction. - I am looking at ftp server progs for him - may settle on gene6
     
  11. _kC_

    then he doesn't need a software firewall to lock that down. just configure the server properly
    raidenftpd is about the best ftpd I have used. highly configurable, very secure
     
  12. X-Istence

    I prefer to block out potential threats at the firewall level rather than at the service level. Relying on the service to block out IPs makes it too easy to leave a hole accessible because of misconfiguration or because of a hole in the service itself. If it is blocked before it even reaches that level, there are no further worries.
     
  13. Dark Atheist

    can the built-in firewall do what I'm after?
     
  14. _kC_

    the router & the xp firewall can do a great job of inbound protection. couple that with a well configured/up to date OS and there is no need for a separate (software) firewall.
    the only reason you would really need a 3rd party firewall is for outgoing application control.

    3rd party firewalls can cause conflicts with drivers & slow down your network, steer clear on a 2k3 machine.

    windows firewall can limit apps/ports to IPs/ranges or even just limit to local subnet only, but the best place for that is within the router.
    don't just forward ports, forward ports and lock down the IPs within the router.

    windows firewall gets a LOT of flak, usually because people let their PCs get infected with spyware/viruses and the firewall gets easily bypassed/disabled.
    however on an up to date/configured server, spyware/viruses won't be an issue (unless a user logs in and browses on the server) so it would be pretty hard to get disabled.
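
The lockdown discussed in this thread (web open to all, FTP limited to named source addresses), sketched for the built-in Windows Firewall as an added example that is not from any poster. The allowed addresses and the passive port range are constructed placeholders, and the passive range has to match what the FTP server itself is configured to use.

```batch
@echo off
rem Added example, not from the thread. Windows Firewall is available on
rem Server 2003 from SP1 onward.
rem Constructed values: FTP_ALLOWED (documentation address ranges) and the
rem passive range 50000-50009 (assumed to be set as the FTP server's PASV range).
set FTP_ALLOWED=203.0.113.10,198.51.100.0/24

rem Turn the firewall on and honour the configured exceptions.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Web: reachable from any source.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL profile=ALL

rem Weak form, shown for contrast and left commented out:
rem the FTP control port open to any source.
rem netsh firewall add portopening protocol=TCP port=21 name="FTP" mode=ENABLE scope=ALL

rem Restricted form: FTP control port only from the listed addresses.
netsh firewall add portopening protocol=TCP port=21 name="FTP control" mode=ENABLE scope=CUSTOM addresses=%FTP_ALLOWED% profile=ALL

rem portopening takes one port per call, so loop over the passive range
rem and apply the same source restriction to each port.
for /L %%P in (50000,1,50009) do netsh firewall add portopening protocol=TCP port=%%P name="FTP PASV %%P" mode=ENABLE scope=CUSTOM addresses=%FTP_ALLOWED% profile=ALL

rem Review what is now open and to whom.
netsh firewall show portopening
```

The same source restriction still belongs on the router's port forwards, so that a misconfiguration on either layer does not expose FTP to every address.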
     
  15. Dark Atheist

  16. mfmjos

    mfmjos OSNN One Post Wonder

    Messages:
    3
    I've been running Untangle for a bit now. It wouldn't run as a Windows app. Ideally you'd run it on a separate PC. You can run it as a virtual machine with VMware server (completely free solution). The VM method will require system resources. Untangle offers a good deal of security. Firewall functions, anti-virus, anti-spam, anti-phishing, etc. It's a pretty nice little package. Check it out.
     
  17. movvadinesh

    movvadinesh Alone in California Political User

    Messages:
    17
    Location:
    California
    post Deleted by user
     
    Last edited: Mar 17, 2012
  18. pimpindexter

    pimpindexter Matrix Operator Political User Folding Team

    Messages:
    48
    Location:
    Sunny South Florida
  19. tdinc

    IBM will no longer support the product after September of this year.

    so I would avoid it