Low cost software firewall for MS Server 2003?

Hi,

Is anyone here aware of a low-cost (pref. less than $50) software firewall for MS Server 2003? Before anyone suggests a separate hardware solution, let me just say that it is not possible for us; we need to protect multiple servers which will not be in the vicinity of each other, so we would need one for each server. Besides, we don't have physical access to the servers, which are connected 'directly' to the internet. And no, we can't just use a Linux server instead (not that we wouldn't like to).

Of the usual Microsoft services we will only be using terminal services for remote admin, most of the other services used will be our own programs, for this we need to specify rules only allowing specific IPs access to specific ports. We also need the firewall to not block the RDP connection during installation for obvious reasons.

We don't need any kind of application protection or similar; in fact we would rather be without any weird popups asking if this program will do this or that. We just need stateful packet filtering of incoming traffic; local programs can be trusted.

I've had a look at Tiny Firewall Normal/Pro, which we probably could use (though a bit bloated), but they are too expensive ($100/$200). The CHX-I packet filter does what we need (albeit clumsily) but also costs too much ($120 per license). Outpost Pro is cheap but cannot be remotely managed from Remote Desktop.

I'm frankly close to giving up and just using the built-in ICF (Internet Connection Firewall) in conjunction with IPSec (to check that traffic on the RDP port is from the correct range of IPs). But I'm not sure how bad the ICF is. For example, does it work on the paradigm of blocking everything that is not specifically allowed, or not? Can it handle a large volume of traffic/connections without hogging CPU and RAM? etc. etc.

I really appreciate anyone taking the time to read this as well as giving any answers.

PT

Reply to
PT

Since you can't buy server class firewall software for $50 that will protect a 2003 server, why don't you just preconfigure a couple cheap NAT routers, forward the ports you need, and you'll be just as safe for the desired amount of money.

A cheap NAT router is as good as a personal firewall for what you are doing.

I configure firewalls and routers and ship them to hosting companies all the time - the NAT router would be a simple setup.

Reply to
Leythos

"PT" wrote in news:d07g70$29qq$ snipped-for-privacy@news.cybercity.dk:

In addition to the NAT router suggestion, you can supplement the NAT router with IPsec as you may or may not already know with the AnalogX's implementation of the IPsec rules to protect the server, allowing IPsec to function like a host based FW.

With the AnalogX IPsec rules implemented and you can learn from, you can make the rules any way you want by IP, port, protocol, domain, subnet -- inbound or outbound.

Duane :)

Reply to
Duane Arnold

That's a good idea, but it does not prevent the traffic from reaching the server. You really want to use some barrier device and then you can implement IPSec or even the filtering in the Advanced section of networking.

You want a barrier device - anyone asking for a $50 firewall for a server most likely doesn't have it properly secured anyway, IPSec would most likely just leave a hole open.

Reply to
Leythos

I agree that the server should be secured, but anyone asking the specific question about using a $50 solution doesn't know enough to secure the server by some generic Usenet instructions (IMHO).

Reply to
Leythos

If for whatever reason you can't use a separate filtering device, that is just the way to do it.

Ask Microsoft. If you don't trust them, you can't trust other vendors of filtering software either. Microsoft has the source, the others don't.

It filters traffic the way you configure it. So if you want that rule, just create it.

Should be no problem at all. It will for sure need fewer resources than any other third-party host-based packet filter.

Wolfgang

Reply to
Wolfgang Kueter

A server that is not able to handle incoming traffic, is simply crap and must therefore be replaced by something suitable.

Nonsense. Lock down the box, done. If that can't be done without using a separate device, throw it away.

While I agree that separate filtering devices are the better place to filter traffic than the host itself, any server that *needs* a separate packet filter is *BAD* and therefore must not be used.

Wolfgang

Reply to
Wolfgang Kueter

Look, if this was our domain controller / web server / mail server or similar, I wouldn't be asking for a $50 solution. I'm talking about protecting individual servers which contain no sensitive information, don't have any users logging on except for the very rare administrator over RDP, and have almost no dangerous Windows services running, but which also need to be able to handle large amounts of UDP/TCP traffic without being hacked every two days. To do that I just need basic packet filtering that can recognize incoming packets from an outgoing connection (hey, even a stateless one that could filter on SYN would work). I could make such a program myself if I had more time available, and I'll be damned if we are going to pay $200+ per server for such simple functionality.

Regards

Reply to
PT

I have nothing against Windows or Microsoft, it's just that on Linux there is plenty of firewall/packet filtering stuff available for free :)

My reason to distrust the ICF was more that I was worried that it was meant for casual home/desktop usage and so might not be able to handle large amounts of traffic, or it might leave some ports open without asking, etc.

I'm also look

> I'm frankly close to giving up and just use the built-in ICF(Internet

Reply to
PT

Thanks for the response, sounds good, was just worried the ICF in 2003 might "just" be a home/desktop solution.

I'm also looking at using the RRAS / Basic Firewall, as I have seen it mentioned as an alternative to ICF + IPSec somewhere, but I haven't been able to find much info about it.

Do you have any experience with that?

Reply to
PT

The ICF does only packet filtering, nothing else. In that respect it is more efficient and less resource-consuming than any other software firewall that comes with tons of other "features" that have limited if any benefit. The ICF is integrated into the IP stack. Any other software firewall has to dig its own hole in that to do the filtering.

Generally, the ICF won't be worse or better than the rest of the system. If you don't trust the ICF, don't trust your operating system either and choose a different one. You seem to have a very bad opinion of Microsoft, then don't use MS Server. Why do you think the rest of the system is so much better that you have to choose something else for a core part of the operating system?

The ICF is probably the only thing on your system that can handle a large volume for free. Any other solution is either cheap but only for end-user volume, or expensive and for large volume.

Gerald

Reply to
Gerald Vogt

ZoneAlarm seems to work on W2K3 although ZA seem rather reluctant for it to be used that way.

Apart from the physical access problem[1], couldn't you find a few old PCs for

Reply to
Andrew Morton

I don't understand why your servers are any less important than any other servers or why you don't care about protecting them like any other servers. When we set up networks and services exposed to the public we don't do a partial job; we do it right or we don't do it.

And just what makes you think that it's not an option - I would be interested to know.

As for the server, you don't need firewall software if you properly secure the server. I've had Windows 2000 servers on a public IP directly for years without compromise, and not running any firewall software.

Reply to
Leythos

I'll bite. How do you do that?

Reply to
D. Brisbane Psychology ext 462

Because these servers contain no sensitive information and have no connection to any "private" network; they're just isolated public servers. It's not that I don't want to properly protect them, it's just that all the applications running on the machine are trusted, and almost no "dangerous" services are exposed, so we are only interested in a slightly clever incoming packet filter. Besides, we have had extremely bad experiences with expensive firewall boxes when handling large volumes of UDP traffic. Having the firewall on the server makes it very simple to monitor for overloading due to traffic.

Anyway, the "Routing and Remote Access" service in Windows 2003 can actually handle the type of filtering we need (as I discovered today), in a single package, so we are going to use that.

We cannot influence the physical layout of the servers, including placing a box and connecting a cable to it; anyway, I'm worried that it won't handle the traffic we need, or will cause other problems.

As for not needing to secure the server, I'm a bit sceptical; I don't trust Windows not to have some weird vulnerable service running on an open port. This is a very easy way to secure a server which only has very simple and limited communication with the public network.

Reply to
PT

Knowing what to disable, stop, what applications (com/exe) to set to only run from a select account, how to move the IIS directory structure off the OS drive, etc.... If you look hard enough on the MS site you can find almost all that you need to know; the rest is available via Google searches.

Reply to
Leythos

By proper configuration (minimum services) and regular installation of patches.

Wolfgang

Reply to
Wolfgang Kueter

Apart from CP FW-1 (which is a bit more than a stateful packet filter) there is only one (stateful) packet filter for Linux, which is the netfilter part of the kernel (kernel 2.4 and later). Rules are defined using iptables.

OK, there are also application level proxies like squid (for http and some other protocols) and circuit level proxies like dante.

Wolfgang

Reply to
Wolfgang Kueter

Actually I could do without the stateful part of the packet filter if I can also filter on the SYN bit :)

Anyway, while "lots" may be overdoing it, it is available in the kernel without too much hassle.

In Windows, IPSec or IP filtering could handle what I wanted if I could just be allowed to filter incoming TCP packets that are part of a connection setup separately from those belonging to an established connection. I'm just confused why such a simple filtering option isn't available anywhere (unless of course I missed it). It would be great to have a stateless packet filter with this option, as it would allow better performance.

Reply to
PT
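To make concrete the rule model discussed in this thread (default deny for inbound connection setup, specific source ranges allowed to specific ports, and the stateless "SYN bit" shortcut PT asks about), here is an added illustration written for this page; it is not code from any poster, nor from ICF, RRAS or IPSec. It parses a minimal IPv4+TCP header from raw bytes and applies exactly that policy: packets with ACK set are treated as belonging to an existing connection and accepted, a bare SYN is checked against a per-port allow-list, and everything else is dropped. The addresses, ports and the allow-list are constructed sample values, not anything from the thread. The caveat it also demonstrates is the known weakness of this stateless approach: an ACK-flagged packet to a port nobody is listening on is still accepted, because the filter has no connection table to consult; that is the gap a stateful filter closes.

```python
import ipaddress
import struct

# Constructed allow-list: destination port -> networks permitted to open connections.
# Ports and ranges are made up for this example (RDP only from an "admin" range,
# a hypothetical custom service on 5000 open to everyone).
ALLOWED_INBOUND = {
    3389: [ipaddress.ip_network("203.0.113.0/24")],
    5000: [ipaddress.ip_network("0.0.0.0/0")],
}

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Assemble a minimal IPv4 + TCP header (no options, no payload, zero checksums).
    Only used to construct sample input for the filter below."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,              # v4, IHL=5, len=40, TTL=64, proto=TCP
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(packet: bytes):
    """Return the fields the filter needs, or None for anything that is not well-formed TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {
        "src": ipaddress.ip_address(packet[12:16]),
        "dst": ipaddress.ip_address(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,
    }


def decide(packet: bytes) -> str:
    """Stateless inbound policy: ACCEPT or DROP."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None:
        return "DROP"                       # default deny for non-TCP / malformed input
    flags = hdr["flags"]
    if flags & TCP_ACK:
        # ACK set: either a reply to a connection this host opened (SYN/ACK) or mid-stream
        # traffic. A stateless filter cannot tell whether such a connection really exists,
        # which is why this rule is weaker than a stateful "ESTABLISHED" match.
        return "ACCEPT"
    if flags & TCP_SYN:
        # Bare SYN: someone outside is trying to open a connection. Allow only if the
        # destination port is published and the source falls in its permitted range.
        for net in ALLOWED_INBOUND.get(hdr["dport"], []):
            if hdr["src"] in net:
                return "ACCEPT"
        return "DROP"
    return "DROP"                           # FIN/RST/NULL without ACK: not part of anything we want


if __name__ == "__main__":
    samples = [
        ("admin SYN to RDP",        build_packet("203.0.113.5",  "192.0.2.10", 40000, 3389, TCP_SYN)),
        ("stranger SYN to RDP",     build_packet("198.51.100.7", "192.0.2.10", 40001, 3389, TCP_SYN)),
        ("stranger SYN to service", build_packet("198.51.100.7", "192.0.2.10", 40002, 5000, TCP_SYN)),
        ("SYN/ACK reply to us",     build_packet("198.51.100.7", "192.0.2.10", 443, 50000, TCP_SYN | TCP_ACK)),
        ("bare SYN to closed port", build_packet("198.51.100.7", "192.0.2.10", 40003, 80, TCP_SYN)),
    ]
    for label, pkt in samples:
        print(f"{label:26s} -> {decide(pkt)}")
```

Run it directly to see the verdicts for the constructed packets. Mapping this onto Windows 2003 means one rule per published port/source range for SYN traffic plus a blanket rule for ACK-flagged packets; that is the part the thread notes the built-in IP filtering does not expose separately, which is why a stateful filter (ICF, RRAS Basic Firewall) ends up being the practical choice.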
