Mark Burnett, 2005-03-15
For something as simple as a firewall for Windows servers, a good solution just doesn't exist.
Windows Firewalls Lacking
2005-03-15
badri (4 replies)

Windows Firewalls Lacking
2005-03-17
Anonymous
Personally I have experience with Netscreens (from 5GT up to 5400) and Checkpoint SoFa-Boxes. I like the Netscreens more, but the SoFa-Boxes are also OK, and IIRC they are also cheaper.
The Netscreen 5GT are "good enough" for a single server, simple to configure and can also be used as a VPN termin...

Outbound filtering is weak anyway...
2005-03-15
Nicholas Weaver (1 replies)
Outbound filtering on the host is weak anyway: if you can escalate to root/System, the protection is lost, which is usually far too easy once a system is compromised.
Thus not having outbound filtering in the Windows firewall is not a significant limitation in practice.
...

Outbound filtering is weak anyway...
2005-03-16
Anonymous (1 replies)
Outbound filtering is very necessary when you've got Slammer, Blaster, bots, etc. banging away from inside your network, not only trying to get out the gateway but also scanning your private address blocks...

Outbound filtering is weak anyway...
2005-03-17
Nicholas Weaver (1 replies)
But if the bot author had clue or care, it's "escalate to System" (which is usually already done), and kill the firewall.
...

Outbound filtering is weak anyway...
2005-03-17
Anonymous
Bots and worms spread automatically. Are you telling me an author is going to log on to each box to disable the firewall so it can spread? I don't think so. Even automated, they would have to determine which product they are running, and many personal firewalls are automatically restarted (i.e. Sygate) ...

Windows Firewalls Lacking
2005-03-15
Anonymous (1 replies)
I think the difficulty in the challenge is directly related to the sanity of the challenge. Why would you want to, under any circumstances, connect a Windows box directly to the Internet (that context is assumed by the article)? A small hardware firewall sounds like a great solution, and will have...

Windows Firewalls Lacking
2005-03-16
Anonymous (another reader)
As a point of clarification, note that by "small firewalls" you best be talking about some of the smaller devices from a company like NetScreen or Cisco, and not NetGear or LinkSys. (Yes, I know LinkSys is a part of Cisco.) The NetGear/LinkSys boxes are based on substantially slower processors and w...

Windows Firewalls Lacking
2005-03-15
Anonymous (1 replies)
Did you try Tiny Personal Firewall Pro? I use it on high-volume Windows servers... never had a blue screen....

Checkpoint FW-1
2005-03-16
Anonymous (2 replies)
Host-level firewalls are snake oil. Configure your server to only listen on ports you want it to serve on. Use DMZ-level firewalls to control ingress/egress of those small number of protocols you actually need to/from (a) the net (b) your management LAN. When it comes to 'real' firewalls that run on ...

Checkpoint FW-1
2005-03-16
Anonymous (2 replies)
"If you use an expensive proprietary OS, get used to paying for expensive proprietary software."
Isn't that what CheckPoint is? CheckPoint's yearly maintenance fees will eat a hole right through your pocket.
You are not getting the point, Mark is looking for a small-footprint host-based fire...

Windows Firewalls Lacking
2005-03-16
H Carvey <keydet89@yahoo.com> (2 replies)
The article seems to be based heavily on personal preference and opinion, and not at all on any sort of metrics. At no point during the article did Mark state his requirements for a firewall system...instead, he simply pointed out the flaws he found in others (which, by the way, I agree with...to s...

Windows Firewalls Lacking
2005-03-17
M. Burnett
>The article seems to be based heavily on personal preference and opinion, and not at all on any sort of metrics...
That's the thing about an opinion column, I get to state all the opinions and personal preferences I want. I'll save the metrics for the technical articles. Having said that, you of...

Windows Firewalls Lacking
2005-03-17
Anonymous
There are a lot of reasons that you would want a host-based firewall. Most of them help to mitigate the "hard shell, creamy center" weakness that networks only secured at the perimeter have. It isn't about being paranoid, it is about realizing that your internal, safe networks pose as big of a threat...

Windows Firewalls Lacking
2005-03-16
Anonymous (1 replies)
What about the firewall in Windows 2003 and the newer version introduced with SP1?...

There are great ones out there
2005-03-16
Anonymous
Good day,
Thanks for the great article and the challenge presented to the reader. I do believe there was one option which was covered by Security Focus in the past that was forgotten. It is the CHX-1 solution. You can find information at:
http://www.securityfocus.com/tools/2086
or directly ...

Windows Firewalls Lacking
2005-03-16
Anonymous (1 replies)
The best one I've found is also free to use, WIPFW, http://sourceforge.net/projects/wipfw/
It uses the same firewall commands from BSD and also has a beta GUI front end. It works great for people who want to refresh their firewall rules every so often....

Windows Firewalls Lacking
2005-03-17
Mark Burnett
I believe that WIPFW uses the IP Filter-Hook driver method. This is basically a kernel-mode driver that registers a callback function with the IP Filter Driver. Most products don't use this method because only one app can register to be the callback function. If another app registers, this no longer...

BlackICE, er, ISS RSDP works
2005-03-16
Anonymous
Now I don't know at what traffic levels I should expect it to roll over and die, but warts and all it does a fine job. And unlike ZoneAlarm it doesn't pop up anything. Runs silently and in the background. It doesn't handle dynamic inbound ports too well unless it's one of those well-understood ones l...

Sygate or Outpost
2005-03-17
Anonymous (2 replies)
I've run both Sygate Personal Firewall and Outpost Firewall on Windows 2000 SP4 and Windows XP Pro SP2. They're both solid as a rock, and, as with any Linux alternative, if you configure them properly in the beginning, you shouldn't have any pop-up boxes, and the ones you do get, you would want to b...

Re: Sygate or Outpost
2005-03-22
Anonymous
Sygate suffers from one of the problems mentioned in the article: pop-up boxes asking whether to allow a connection.
Recently I upgraded the SSH server on a Windows box at work, and found that I couldn't log in anymore. The problem, as it turns out, was that I had to click a pop-up box which sai...

Windows Firewalls Lacking
2005-03-17
Anonymous (1 replies)
Why is everybody suggesting Netscreen, Checkpoint, etc.? These are hardware appliances. The article was regarding personal, software-based Windows firewalls....

What is IPSec doing in that list?
2005-03-18
Anonymous (2 replies)
Hey Mark,
Even though your article is sort of lacking when it comes to what you require from a firewall, it was an interesting read. Always nice to read what others find lacking in a firewall product.
At any rate, why was IPsec listed in there? While it is a very useful security measure, it is not...

What is IPSec doing in that list?
2005-03-18
Steve (1 replies)
Ummmm actually it is.
You use IPSec rules to control how your network interface handles all traffic: block, negotiate encryption, AH signatures, data tunneling, PKI security...etc...
Nobody ever uses it though, because no one has read the Windows Security manual.
The Windows IPSec stack is so tho...

New firewall in SP1
2005-03-18
Anonymous former MS contractor-scum
SP1 for Windows 2003 has the same updated firewall as XP SP2 had.
On a fresh install it will be enabled by default. On an upgrade it will be enabled on reboot until you say yes or no to a nag screen asking to install Windows updates you're missing. Nice feature actually. After that it's disabled ...

Windows Firewalls Lacking
2005-03-21
chris
I use Norton Firewall 2002 for Windows 2003 Server. DO NOT try with Norton Firewall 2003/2004 - it causes a blue screen on startup.
Definitely true - Windows is seriously lacking in the firewall market. It'd be nice if there was an open source project for it. I was considering starting one myself...

Windows Firewalls Lacking
2005-03-22
Anonymous
I agree with his statement regarding Linux and IPTABLES. For my home network I run an old 350 megahertz machine with Debian as a gateway and use IPTABLES, and I avoid 95% of the popups and 100% of the attacks as I drop packets that are from outside to all ports. This gives my IP the appearance of most...

Windows Firewalls Lacking
2005-03-23
BobDaUnixMan
Let's face it, I like Unix, it's my bread and butter; but ya know what? Mickysoft can do exactly what he wants. What it fails in is that you can't do the "pop the disc in and eat donuts" routine. You have to read the *&^$ing manual, okay?
I have taken the time and done it, it works quite well...

Windows Firewalls Lacking
2005-03-23
Stefan
"I have been patiently waiting for someone to come along with a capable, full-featured Windows firewall so I can stop explaining to everyone why the right way to go is probably Linux with iptables."
- Mark Burnett
"If you've got an admin that can't secure a Microsoft web server, then your c...

Windows Firewalls Lacking - Free Windows Server Firewall
2005-09-12
Claudio Szykman
Hi
I made some simple scripts using VBS and IPsec configuration tutorials, and I think it might be interesting to you.
I posted on some boards such as this
http://forums.servermatrix.com/viewtopic.php?t=16653
I know that network firewalls based on network packets are cool to control pro...

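Steve's point that IPsec rules can block traffic on a Windows host, and Claudio's scripted IPsec configuration, both describe the same technique; the script below is an added example of it, not Steve's or Claudio's code, written as a Windows Server 2003 batch file around the netsh ipsec static context. It assumes a policy name of HostDefaultDeny, that the server only serves TCP 80 and 3389, and a constructed resolver address of 192.0.2.53.

```batch
@echo off
rem Added example, not a script from this thread: a "block all, permit a few
rem services" host policy built from Windows Server 2003 IPsec filters via
rem netsh. Assumed: policy name HostDefaultDeny, inbound TCP 80 and 3389 are
rem served, and 192.0.2.53 is the DNS resolver (constructed address).
set POL=HostDefaultDeny

rem Start clean if a policy of that name is already present.
netsh ipsec static delete policy name=%POL% >nul 2>&1
netsh ipsec static add policy name=%POL% description="Block all, permit listed services"

rem Filter actions: plain block and plain permit, no IKE negotiation.
netsh ipsec static add filteraction name=BlockAll action=block
netsh ipsec static add filteraction name=PermitAll action=permit

rem Catch-all list. mirrored=yes also matches Me -> Any, so outbound traffic
rem is blocked too: IPsec filters are stateless, and every direction that
rem must work needs its own permit filter below.
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes description="Everything"

rem Exceptions. The mirrored half lets the server's replies leave. A filter
rem that names a port is more specific than the catch-all, and the most
rem specific matching filter wins, so these permits override the block.
netsh ipsec static add filterlist name=AllowedServices
netsh ipsec static add filter filterlist=AllowedServices srcaddr=Any dstaddr=Me protocol=TCP dstport=80 mirrored=yes description="HTTP in"
netsh ipsec static add filter filterlist=AllowedServices srcaddr=Any dstaddr=Me protocol=TCP dstport=3389 mirrored=yes description="RDP in"
netsh ipsec static add filter filterlist=AllowedServices srcaddr=Me dstaddr=192.0.2.53 protocol=UDP dstport=53 mirrored=yes description="DNS out"

rem Bind each filter list to its action inside the policy.
netsh ipsec static add rule name=BlockRule policy=%POL% filterlist=AllTraffic filteraction=BlockAll
netsh ipsec static add rule name=PermitRule policy=%POL% filterlist=AllowedServices filteraction=PermitAll

rem Assign the policy; only one local IPsec policy is active at a time.
netsh ipsec static set policy name=%POL% assign=y

rem Review what is now in force.
netsh ipsec static show policy name=%POL%
```

Assigning the policy applies the block and permit rules together, so test it from a second host first: a missing permit locks remote sessions out, and the lack of connection state means any outbound service the server itself needs (time, updates, authentication) requires its own filter.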