What is the Best Firewall for Servers?
Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
at the risk of getting flamed into submission... (Score:4, Insightful)
Use a *separate* firewall box. (Score:5, Insightful)
I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...
Hardware or Software? (Score:2, Insightful)
What's wrong with windows firewall (Score:2, Insightful)
Or get a $50 router and block all unnecessary ports to give yourself an additional layer of security.
iptables (Score:2, Insightful)
Does it cost less than US$100? (Score:4, Insightful)
Re:I'm sorry. (Score:2, Insightful)
Re:at the risk of getting flamed into submission.. (Score:3, Insightful)
A $25 surplus P-II should suffice. I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
Re:What's wrong with windows firewall (Score:3, Insightful)
The thinking here is a separate machine will help maintainability (assuming of course that you know linux), ease of upgrades (one system vs a "bunch"). Of course, in this case a little router box would work just fine as well. The only thing with the router boxes is the ones sold to joe average have a very unconfigurable firewall (in my own experience with Linksys and D-Link systems), whereas the original poster might want some extra control (i.e. outbound filtering) of his windows systems.
Securing Windows (Score:2, Insightful)
There are so many problems in the basic network stack (in Windows) that a hardware firewall is your only realistic alternative. With hardware, you only have to worry about your open ports.
Anything basic will do. Investing in a Cisco PIX is usually a waste of money. I've tunneled a remote shell through port 80 using IIS, making an $80k PIX worthless. Exploits are generally simple, so fragment reconstruction is unnecessary.
With Windows, the mantra "good enough" rules. All of the packet filtering in the world won't save your server. The best thing you can do is attach a $50 LinkSys firewall and be done with it. Keep a copy of Ghost handy for when it gets compromised.
Re:Does it cost less than US$100? (Score:5, Insightful)
Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?
Re:A cheap linux firewall (Score:5, Insightful)
There is always something to be said about having a real server act as a firewall. For home use, sure, use an old computer running linux - but for anything that you would like to be able to count on as reliable, get a real piece of hardware to put that linux distro on, and you'll be happier.
Re:Does it cost less than US$100? (Score:5, Insightful)
This *is* at a university. Universities are well-known for being completely isolated from the rest of society, and as a result, they have some pretty weird ideas. One of which is not spending any money on computer security.
Re:Does it cost less than US$100? (Score:5, Insightful)
Keep in mind that the OP works for a university, which probably doesn't have a budget outside of what they already spent on their software firewall. It doesn't mean that security isn't important to him, just that there's probably not an existing budget for it.
The OP is looking for a cheap and innovative way to secure his university network's servers - and I can't think of a better place to ask the question than here.
I say let the FOSS community answer his question and provide him a solution to his unique problem in the way that they know best and leave the "isn't this worth more than $XXX?" questions to the salesman.
Re:Wrong Approach (Score:2, Insightful)
Re:A cheap linux firewall (Score:2, Insightful)
Re:Windows Server 2003 SERVICE PACK 1 has a firewa (Score:2, Insightful)
Re:at the risk of getting flamed into submission.. (Score:3, Insightful)
FreeBSD... (Score:3, Insightful)
Why? Because everyone is out trying to hack Linux and Windows machines, they seem to leave the FreeBSD machines alone, maybe because they don't know what to do with them. Or at least there seem to be fewer people hacking FreeBSD. Most likely it's just less press about it. NetBSD or OpenBSD would also probably work as well.
I run my firewall off a custom hacked FreeBSD CDROM. While this makes updates more difficult, it makes replacing files near impossible. Hackers can't replace /bin/ls unless they mount /bin as a memory filesystem, in which case they now have to replace df, mount and several other programs. You really only need /var and /tmp as memory filesystems, and maybe some parts of /etc or the whole /etc.
It has no hard drive so if the power cycles, it just reboots and it's all fine and dandy. I have a separate machine that I can do builds on and updates. I have trimmed it down to a 64 MB CD and that includes perl, sshd, apache, dhcpd, and bind9.
You could do this with Linux as well. I haven't heard of anyone creating a Windows bootable CDROM firewall. Mac needs special hardware, and I'm not that familiar with Mac, but you could probably create a Mac firewall on CD as well.
If you think it's been hacked, reboot and the hackers have to try again :-)
There are also commercial hardware firewalls. Some are cheap, like the Netgear, D-Link, and Linksys, but some of the better ones are in the $500 plus range.
Cheap Old PC (Score:3, Insightful)
Me? Hardware router and BlackIce (Score:2, Insightful)
Anyway, if one is asking what *I* use, at home it's the perfectly usable firewall capabilities built into my network router, plus I still run BlackIce on my systems. (Yes, I know, BlackIce is far from perfect, and it annoys me sometimes, but it does what a lot of other commercial software firewalls don't do: it *tells me* when it sees questionable activity.)
For work, if I really didn't trust my LAN, I'd probably do something similar: a hardware router acting as a firewall protecting my systems collectively, with additional software firewalls on my critical servers for a little overkill. The one Microsoft offers now would probably be sufficient, and at least won't dent the $100 budget mentioned.
Good-quality anti-virus software should always be running on any Windows server too, of course. One configured to get updated A/V definitions at least once a day.
Re:Not bullshit at all (Score:3, Insightful)
They're different. One is saying "I run the infrastructure, and I don't care if I get in the way of you doing your job." (To which the answer is "Hell, director of computer services? Please reprimand or fire
Re:WTF is all this Old PC+Linux worship? (Score:3, Insightful)
Steven
Re:FreeBSD... (Score:3, Insightful)
If a user knows how to run and setup a Linux firewall, it's a better idea to stick with a Linux firewall; the 'superiority' of BSD over the Linux solution is arguable at best; however one thing that should be beyond argument is that if you know how to set up and use a Linux firewall, you're better off making use of that experience/knowledge than you would be making a frenzied (and quite possibly poor) firewall by using the BSD tools improperly.
After that, if you are so inclined, learn to implement a firewall using one of the BSDs.
And, of course, the reverse is also quite true.
But I'm surprised I haven't seen anybody mention 'shorewall' (at least on the Linux side).
OS is irrelevant (Score:3, Insightful)
Until you can get basic security steps like those in place, the world's best firewall is like a really big lock on a 3-foot-high fence. Even the most casual crackers will simply step over it.
Re:LAYERED SECURITY, of course! (Score:3, Insightful)
3.) TCP/IP filtering @ the IP stack level (UDP & TCP) allowing ONLY port 80.
Could you please explain how things like DNS (pretty well required for surfing), HTTPS (port 443), FTP, SSH and several other services would work?
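The reply above asks how DNS, HTTPS or SSH could survive a filter that admits only port 80. As an added illustration (not code from any poster in this thread), the following Python model of a default-deny host filter, with and without connection tracking, shows which of a constructed set of packets each policy drops; the port numbers and packet names are assumed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "in" = arriving at the server, "out" = sent by it
    src_port: int
    dst_port: int

class HostFilter:
    # Default-deny model: inbound_ports are the TCP services the server may
    # expose; track_outbound remembers connections the server opens so their
    # replies get back in (a static "only port 80" filter cannot do this).
    def __init__(self, inbound_ports: Set[int], track_outbound: bool) -> None:
        self.inbound_ports = inbound_ports
        self.track_outbound = track_outbound
        self.state: Set[Tuple[str, int, int]] = set()  # (proto, local, remote)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            if self.track_outbound:
                self.state.add((p.proto, p.src_port, p.dst_port))
            return "accept"
        if (p.proto, p.dst_port, p.src_port) in self.state:
            return "accept"  # reply to a connection the server initiated
        if p.proto == "tcp" and p.dst_port in self.inbound_ports:
            return "accept"  # explicitly published service
        return "drop"        # everything else, including worm probes

# Constructed sample traffic in arrival order; port numbers are illustrative.
TRAFFIC = [
    ("dns_query", Packet("udp", "out", 40000, 53)),
    ("dns_reply", Packet("udp", "in", 53, 40000)),
    ("http",      Packet("tcp", "in", 51000, 80)),
    ("https",     Packet("tcp", "in", 51001, 443)),
    ("ssh",       Packet("tcp", "in", 51002, 22)),
    ("smb_probe", Packet("tcp", "in", 51003, 445)),  # typical zombie scan
]

def run(policy: HostFilter) -> Dict[str, str]:
    """Feed the sample traffic through one policy; return each verdict."""
    return {name: policy.decide(pkt) for name, pkt in TRAFFIC}

def port80_only() -> HostFilter:
    return HostFilter({80}, track_outbound=False)

def layered() -> HostFilter:
    return HostFilter({80, 443, 22}, track_outbound=True)
```

Under `port80_only()` the DNS answer, HTTPS and SSH are all dropped along with the SMB probe; under `layered()` only the probe is dropped, because outbound replies are matched against the state table and the extra services are published explicitly.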
Re:Windows Server 2003 SERVICE PACK 1 has a firewa (Score:3, Insightful)
I'm sorry you feel that running an OS is some kind of machismo thing. Would you like some stubble glitter for Christmas? I despise OS bigots. They're unprofessional, bullheaded and usually wrong.
On the other hand, anyone using a windows-based firewall as a perimeter defense is a complete moron. You either use some firewall-in-a-box or, for bigger networks, some *BSD or Linux.
Nobody said to load Windows Firewall and let it sit. Remember the constraints this guy has: he needs it to work for $100 or less. So he gets a firewall for free that is application-aware. Cool. Now he has host based firewalls and he still has his $100. Hell, he could go to Best Buy, pick up a router for $40, and take his Significant Other out to dinner.