Is a firewall required...

I have a Linksys WRT54GS Wi-Fi router and the firewall is enabled. My PC, which acts as an IIS server, is cabled to the router.

Before the router, I ran ZoneAlarm Pro (and I still do). Is ZA+ required in this kind of set-up? Will the Linksys firewall do the job?

Reply to
Junkyard Engineer

Yes, I'm doing port forwarding.

I'm trying to lower my programs' overhead and ZA+ is probably slowing down the system somewhat, although I'm not entirely sure of that.

Would MS Firewall have a faster response than ZA+?

"Duane Arnold" wrote in message news: bZude.39961$c24.35977@attbi_s72...

Reply to
Junkyard Engineer

On Mon, 2 May 2005 17:09:05 -0400, Junkyard Engineer spoketh

No packet filter will protect your web server if you choose to make it public (which you have by forwarding the port).

A packet filter simply drops packets based on source and destination address and port information, it doesn't look at the content of the packet itself.

The only firewall that will help with this would be an application proxy which validates HTTP requests and drops connections that don't smell like a proper HTTP request.

And, of course, you should make sure your IIS server is secured and patched to reduce the chances of your IIS box getting hacked.

Lars M. Hansen


Reply to
Lars M. Hansen
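
The distinction drawn in the post above, shown as an added example that is not part of the original thread: a packet filter deciding on address and port alone, next to an application-layer check that validates the HTTP request head. The address, the limits, the HTTP/1.1-only policy and all function names are assumptions made for this sketch, and the sample traffic is constructed.

```python
import re

# Assumed forwarding rule: the router passes TCP/80 to the IIS host (constructed address).
FORWARD_RULES = [{"dst_ip": "192.168.1.10", "dst_port": 80, "proto": "tcp"}]

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy for this sketch
MAX_LINE = 2048                             # assumed length limit per line
REQUEST_LINE = re.compile(rb"([A-Z]+) (/[\x21-\x7e]*) HTTP/1\.1")
HEADER_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[\x20-\x7e\t]*")

def packet_filter_allows(pkt):
    """Decide on address/port/protocol only; the payload is never inspected."""
    return any(pkt["dst_ip"] == r["dst_ip"] and pkt["dst_port"] == r["dst_port"]
               and pkt["proto"] == r["proto"] for r in FORWARD_RULES)

def http_proxy_allows(payload):
    """Application-layer check: return (ok, reason) for the request head."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_LINE:
        return False, "request line too long"
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group(1).decode() not in ALLOWED_METHODS:
        return False, "method not allowed"
    headers = lines[1:]
    for h in headers:
        if len(h) > MAX_LINE or not HEADER_LINE.fullmatch(h):
            return False, "malformed header"
    if not any(h.lower().startswith(b"host:") for h in headers):
        return False, "missing Host header"
    return True, "ok"

def evaluate(pkt):
    """Return (packet filter verdict, proxy verdict, proxy reason)."""
    ok, reason = http_proxy_allows(pkt["payload"])
    return packet_filter_allows(pkt), ok, reason

# Constructed sample traffic, all addressed to the forwarded port.
BASE = {"dst_ip": "192.168.1.10", "dst_port": 80, "proto": "tcp"}
SAMPLES = {
    "valid": dict(BASE, payload=b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "binary": dict(BASE, payload=b"\x00\x01\x02\x03 not http\r\n\r\n"),
    "long": dict(BASE, payload=b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "method": dict(BASE, payload=b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}
```

Calling `evaluate()` on each sample shows the packet filter passing all four, since they share the forwarded address and port, while the request-head check accepts only the well-formed one.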

If you're not doing any port forwarding of port 80 to IIS, then you'll be OK.

If you're forwarding port 80 to IIS like I did on my Linksys router, then port 80 was not protected at that point and is open to the public. The Linksys router doesn't ensure that only HTTP traffic is coming to the machine and to IIS on port 80 and if you had to block an IP by setting a rule with the router, I don't think it can do that either.

So, maybe you should be running some kind of packet filtering software on the machine. Now whether you're using ZA or IPsec is another story.

If you're exposing the machine with IIS to the public internet, is the O/S, file system, registry and IIS secured properly?

Duane :)

Reply to
Duane Arnold

I have a bunch of public-facing IIS servers and have never been compromised, but I don't provide public services through a cheap NAT device either. If you are going to do HTTP for public consumption you need a real firewall - neither a Linksys nor an MS SP2 service is a firewall.

Assuming you are running XP SP2, you really need to set up a LOT of security that almost renders the machine a non-workstation - you need to start reading about securing IIS and the OS in order to keep your machine from being compromised and turned into a Zombie or other.

Reply to
Leythos

Well, as the other posters have indicated, you should get an appliance that has a real FW that's going to do a better job of protecting IIS.

The NAT router cannot meet the specs in the link for *What does a Firewall do?* whether that be a FW appliance or a gateway computer running a *true* FW software.

You can apply to your situation with the info. in the link about FW(s) to help you in the proper decision making process. I too at one time had the audacity to think I could put a machine with IIS running using a PFW that's not a FW on the machine with port forwarding on the Linksys no (FW) router and the O/S or IIS not properly secured.

The machine and IIS were probably hacked at the time and didn't even know it. ;-)

Duane :)

Reply to
Duane Arnold

Wow, a really good reference! Thanks.

Based on what I read, I think I will reinstall my "Secure IIS personal" from eEye, just in case. It was slowing down things though...

My IIS is secured via MBSA but I neglected to put FW on other workstations on my LAN and now, I think I know why I should.

Thanks again

"Duane Arnold" wrote in message news: GfAde.42267$r53.32150@attbi_s21...

Reply to
Junkyard Engineer

So it seems!

But I love to learn new things. And I know I learn by making mistakes 8-) i.e., I've been tagged on my FTP site last year. Now I know what to do... until the next problem!

Thanks for the pointers.

Reply to
Junkyard Engineer

I looked at it and it's snake oil and is no different than a PFW solution trying to protect IIS.

MBSA only tells one what patches are missing and it in no way ensures that the registry, O/S, file system, accounts, and IIS are secured. That's something you have to implement yourself in the configuration manually and kind of a blow by blow as to what is needed to secure a Windows workstation or server version of those O/S(s) running IIS that is being exposed to the public Internet.

Things such as the MS IIS lockdown tool, what exe(s) must be removed off the O/S, what services must be shutdown/disabled and other such things that must be done to secure the O/S and IIS and all that information is out on Google or Dogpile.com if you look for the information and apply it.

No offense to you but it doesn't seem that you're doing the right things and you have not done your homework in securing the Windows O/S and IIS that's being exposed to the public Internet.

Duane :)

Reply to
Duane Arnold

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.