Zone alarm - bad experience

It sounds like you have a very corrupted system. If you have been running a broadband connection without a firewall it takes less than 15 seconds for your system to be corrupted. With all the traffic coming in ZoneAlarm was using all your computer power processing the incoming hits. If you are going to run servers you need to start educating yourself on the correct ways to secure your system. This means read, read, read...

Reply to
Woody

Very bad move - there is no PERSONAL firewall application that should be run on a server that is going to be totally compliant with the OS. In fact, I think that ZA specifically states that it's not for a server.

Windows 2000 Advanced Server is quite a nice setup, I have more than 12 of them here. At the very least you need to set up a barrier appliance in front of your network to block unsolicited traffic BEFORE it reaches your network.

If you didn't have a firewall in place, or even a simple NAT Router, and your server was online, I would suspect that your server is already compromised, even if you don't personally see it.

First step is to get a barrier device that works with your DSL service - most of the Linksys units (BEFSR41 as an example) will directly connect to a DSL PPPoE service and maintain the connection. You can then set up port forwarding to allow just the ports you want the public to access through to the server (never allow ANY SQL ports access via public connections).

Once you get the Router/NAT you won't need a personal firewall running on your server, but, unless you really understand security you are going to get compromised in short order - the service patches and updates don't secure the server. IIS is easy to compromise on a default install system, please look for how to secure IIS, MS has many articles on it.

You might also want to block outbound ports 135~139, 445, 1433/1434 so that when your server gets compromised, it can't use simple means to get to other machines.

Also, don't settle for personal AV software, get a quality SERVER type antivirus application to protect it.

Reply to
Leythos

If you're willing to set up another machine to act as a firewall then you should be willing to spend $50 on a router that does NAT. It's cheaper in the long run, presents fewer problems, and works perfectly.

Why would you have to set up RRAS? You don't supply WINS/DHCP/DNS/DC functions to the public internet, only to your internal network. RRAS means nothing to the internal network.

If you set this up, you get your PUBLIC IP at the new Linksys router on the WAN port, the LAN side of the Linksys router is a 192.168.5.X address, where 192.168.5.1 would be the Linksys LAN side. You could then set up the server at 192.168.5.10. Now, in order for services to be exposed to the PUBLIC IP you would set up forwarding in the Linksys to forward inbound (such as forwarding port 80 to IP 192.168.5.10, port 25 to the mail server IP if you have one)...

You don't need any routing tables, don't need to know anything about RRAS, don't need to do anything except know how to configure the Linksys to do PPPoE and enter your user/password for your ISP so that the Linksys can maintain your connection.

If you can configure it to give you a public IP, then have the Linksys talk to the Netcomm and give the Linksys a PUBLIC IP so that you can manage everything through the Linksys. It sounds like your NAT on the Netcomm just passes everything inbound without any blocking - sort of like 1:1 NAT with direct mapping.

If you really have a NAT router in the Netcomm and it doesn't allow inbound unsolicited, then you're already not exposed to the Internet. If people on the Net can reach your server then you are either using NAT in some 1:1 mode or it's a setup that passes ALL traffic inbound.

That's just the start, and not enough.

I run Symantec Antivirus 9 Corporate edition on my servers, it's small, never let me down, never had a compromised server while using it (along with many other methods).

No, I can't, it's not something I would recommend to someone I don't like let alone someone I don't know. You already have the tools, and if not, then $50 will do what you need. Since you are getting paid to support a client, the $50 is the least you can do for them/you.

If you want to VPN into the server you only need to set up RAS in single NIC mode and then forward the ports to the server through the Linksys.

Reply to
Leythos
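The two Leythos posts above describe one policy: the router holds the public IP, unsolicited inbound traffic is dropped unless a port forward exists for it (and none ever exists for SQL), replies to connections the server opened are let back in, and outbound 135~139, 445 and 1433/1434 are blocked so a compromised server cannot easily reach other machines. The following is an added example, not code from the thread or from Linksys, that models that policy in Python and runs a handful of constructed packets through it. The addresses 203.0.113.10 and 198.51.100.7 are documentation ranges chosen for the example; 192.168.5.10 is the server address from the post. The model keeps the LAN source port unchanged on the public side, which is a simplification of what a real NAT does.

```python
"""Model of a NAT/port-forwarding router policy (added illustration, not a product's code)."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"            # hypothetical WAN address (RFC 5737 TEST-NET-3)
LAN_SERVER = "192.168.5.10"           # server address used in the post
PORT_FORWARDS = {80: LAN_SERVER}      # only the web port is exposed; SQL (1433/1434) never is
BLOCKED_OUTBOUND_PORTS = set(range(135, 140)) | {445, 1433, 1434}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = arrives on the WAN port, "out" = leaves from the LAN


class NatRouter:
    def __init__(self):
        # Flows the LAN side opened: (lan_ip, lan_port, remote_ip, remote_port).
        # Only replies matching one of these are allowed back in unsolicited.
        self.flows = set()
        self.log = []

    def handle(self, pkt):
        """Return ("forward", target_ip) or ("drop", None) for one packet."""
        return self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt):
        if pkt.dst_port in BLOCKED_OUTBOUND_PORTS:
            self.log.append(f"DROP out {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port} (egress port blocked)")
            return ("drop", None)
        # Record the flow so the reply can be matched; source port kept as-is (simplification).
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        self.log.append(f"FORWARD out {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return ("forward", pkt.dst_ip)

    def _inbound(self, pkt):
        if pkt.dst_ip != PUBLIC_IP:
            return ("drop", None)
        # 1. Reply to a connection the LAN opened: translate back to the LAN host.
        for lan_ip, lan_port, remote_ip, remote_port in self.flows:
            if (pkt.src_ip, pkt.src_port, pkt.dst_port) == (remote_ip, remote_port, lan_port):
                self.log.append(f"FORWARD in reply {pkt.src_ip}:{pkt.src_port} -> {lan_ip}:{lan_port}")
                return ("forward", lan_ip)
        # 2. Unsolicited but explicitly forwarded port (the public web service).
        if pkt.dst_port in PORT_FORWARDS:
            target = PORT_FORWARDS[pkt.dst_port]
            self.log.append(f"FORWARD in {pkt.src_ip} -> {target}:{pkt.dst_port} (port forward)")
            return ("forward", target)
        # 3. Everything else unsolicited is dropped; the server never sees it.
        self.log.append(f"DROP in {pkt.src_ip} -> :{pkt.dst_port} (no forward rule)")
        return ("drop", None)


def demo():
    """Run constructed packets through the policy and return the verdicts in order."""
    router = NatRouter()
    internet_host = "198.51.100.7"  # constructed remote address (RFC 5737 TEST-NET-2)
    packets = [
        # unsolicited hit on the SQL port, the kind of traffic the original poster saw
        Packet(internet_host, 40000, PUBLIC_IP, 1433, "in"),
        # unsolicited hit on the web port, which is deliberately forwarded
        Packet(internet_host, 40001, PUBLIC_IP, 80, "in"),
        # the server opens an outbound web connection ...
        Packet(LAN_SERVER, 50000, internet_host, 80, "out"),
        # ... and the reply comes back to the public IP
        Packet(internet_host, 80, PUBLIC_IP, 50000, "in"),
        # a compromised server trying to reach SMB on an outside host
        Packet(LAN_SERVER, 50001, internet_host, 445, "out"),
    ]
    verdicts = [router.handle(p) for p in packets]
    for line in router.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    demo()
```

The point the model makes is that the server's SQL port stops being reachable from the Internet simply because no forward rule exists, not because anything on the server is filtering it, which is why the router removes the need for a personal firewall on the server itself.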

Hi All,

I have recently needed to install a firewall on my home puter (Win2k AS) as there was a lot of unwanted traffic coming in (especially to MS-SQL Server) on my ADSL connection. I read some newsgroups for opinions and decided to install Zone Alarm. I installed the latest free version and took up the free 15 day pro offer (even though I said I didn't want the pro version).

Initially, my system was very slow. Apps would take minutes to open. Even opening cmd took minutes at first. It also wouldn't let McAfee Virus Scan Enterprise run. I would enable resident scan protection and seconds later the CPU went 100% and after a minute or so Zone Alarm would disable resident protection. I wasn't happy so I uninstalled. Well let me tell you that was a mistake! I run a dev environment at home so I can support a client. This includes Microsoft Content Management Server 2001, Site Server 3.0 (P&M), MS-SQL Server 2000. Authentication between MCMS 2001 and Site Server stopped working. Also, add-remove programs came up with script errors and IE was ruined in a similar manner with script errors on any page I visited.

To fix this I had to run a Win2k upgrade which meant I had to re-install SP4 and all (around 45) hotfixes and patches. Then I had to uninstall/install Site Server and MCMS 2001. The Win2k upgrade also managed to kill a couple of other things but they were reasonably easy to remedy by re-installing a couple of drivers.

Anyone else had this type of experience? Can anyone recommend any other firewall, free or not? I don't mind paying for a product but if I had paid for ZA I would have been very disappointed (assuming I'm stupid enough to buy before I try).

Thanks,

Stephan Carydakis

Reply to
Stephan Carydakis

I do realise that it is not the best idea to run a firewall on a server. Even though I do work from home occasionally and I do support a client on this machine, I don't want (or need) to set up anything more serious than what I have at the moment. I do have an old P3 celery stick which I run Win 98 on to do testing sometimes. Maybe I will use this?

If I do this, I would have to set up routing from that machine to my inside network, yes? My Win2k box is multi-homed and also runs WINS, DHCP, DNS and is a DC. I also used to have MS's Routing and Remote Access doing my routing between my 'outside' network and my internal network but it was fickle and often used to break. Not knowing enough about routing and route tables, I used to have to reboot my machine to get the routes back when they broke.

My modem does NAT. It is a Netcomm NB 1300.

I haven't added any forwards on the modem. I'll have to have a look. It's got a nice HTML interface for setting it up.

Used the IIS lockdown tool.

I like VirusScan Enterprise 8. It has access protection, buffer overflow protection, unwanted programs policies and port blocking.

Thanks for your advice. Given that in the short term I'm probably going to have to run a firewall on the server, can you recommend any? Thanks again,

Steph.

Reply to
Stephan Carydakis

Hi Woody,

I don't think my system is very corrupted. It's working fine now, humming along. I use a dial-up PPPoE and only connect to the internet when needed. There were a few unwanted packets ZA was catching but not heaps. It wasn't using much CPU just sitting there, only when I tried to run any software! I have done a bit of reading. Played with IPsec to make a firewall but it's clunky and I'm not that into security. Want a nice GUI!

Thanks for your time.

Steph.


Reply to
Stephan Carydakis

I don't know nothing, but it seems to me all of you are making a mountain out of a molehill.

Most routers have a built in hardware firewall, that protects somewhat by making ports 'invisible' (don't ask me how) to hackers.

Then you install a software firewall like Zone Alarm, though I keep reading that version 5 is corrupt (this is what attracted me to this thread). Maybe try PC-cillin or McAfee is what I read.

Also the stuff about getting a 'corporate' version of a software firewall makes sense, as it violates the terms of your EULA to have a personal version of the same.

Remember: I don't know nothing, so caveat emptor, but then again I don't get paid to make my clients paranoid about security! :-)

RL


Reply to
raylopez99

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.