
What is the Best Firewall for Servers?

Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
  • by gik ( 256327 ) on Monday June 27, 2005 @05:46PM (#12925474) Homepage
    a linux box.
  • by Richard Steiner ( 1585 ) * <rsteiner@visi.com> on Monday June 27, 2005 @05:47PM (#12925489) Homepage Journal
    That way, platform compatibility is a nonissue.

    I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...
  • by glrotate ( 300695 ) on Monday June 27, 2005 @05:47PM (#12925492) Homepage
    I'd say keep the firewall software off of your Server. Get a decent hardware one from Checkpoint.
  • by gooogle ( 643307 ) on Monday June 27, 2005 @05:48PM (#12925493) Homepage
    Seriously, why put down $300 when the windows firewall will do?

    Or get a $50 router and block all unnecessary ports to give yourself an additional layer of security.
  • iptables (Score:2, Insightful)

    by Heidistein ( 593051 ) <dexter.platypusnet@org> on Monday June 27, 2005 @05:48PM (#12925496) Homepage
    $subj, the only true firewall :)
  • by dancedance ( 600701 ) on Monday June 27, 2005 @05:49PM (#12925529)
    Does it cost less than US$100? You can't be serious. Securing your machines is only worth $100? Is that how much it will cost to fix them once they are cracked? Give me a break. If you are serious about security you can invest more than $100.
  • Re:I'm sorry. (Score:2, Insightful)

    by CoolCash ( 528004 ) on Monday June 27, 2005 @05:52PM (#12925575) Homepage
    A good security system is to have a multi-layered security system.
  • by jhylkema ( 545853 ) on Monday June 27, 2005 @05:58PM (#12925670)
    You've still got to buy the box.

    A $25 surplus P-II should suffice. I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
  • by Alan ( 347 ) <arcterex@NOspAm.ufies.org> on Monday June 27, 2005 @05:59PM (#12925687) Homepage
    Because in this case, the end result is something easier to deal with that solves the problem. If you want to maintain a "bunch" (however many that is) of installs of a windows firewall, on multiple OSs, then yea, absolutely.

    The thinking here is a separate machine will help maintainability (assuming of course that you know linux), ease of upgrades (one system vs a "bunch"). Of course, in this case a little router box would work just fine as well. The only thing with the router boxes is the ones sold to joe average have a very unconfigurable firewall (in my own experience with linksys and d-link systems) whereas the original poster might want some extra control (i.e. outbound filtering) of his windows systems.
  • Securing Windows (Score:2, Insightful)

    by pestilence669 ( 823950 ) on Monday June 27, 2005 @05:59PM (#12925704)
    During my career in network security, there has never been a software based firewall I couldn't compromise. I had the unfortunate task of reverse engineering the competition (firewalls).

    There are so many problems in the basic network stack (in Windows) that a hardware firewall is your only realistic alternative. With hardware, you only have to worry about your open ports.

    Anything basic will do. Investing in a Cisco PIX is usually a waste of money. I've tunneled a remote shell through port 80 using IIS, making an $80k PIX worthless. Exploits are generally simple, so fragment reconstruction is unnecessary.

    With Windows, the mantra "good enough" rules. All of the packet filtering in the world won't save your server. The best thing you can do is attach a $50 LinkSys firewall and be done with it. Keep a copy of Ghost handy for when it gets compromised.
  • Did you miss the part about how he works for a school? He has to get the money before it can be invested, and $100 might be the limit above which he has to get the approval of 3 PHBs and 6 beancounters.

    Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?

  • by hawkbug ( 94280 ) <psxNO@SPAMfimble.com> on Monday June 27, 2005 @06:01PM (#12925741) Homepage
    I hear this argument a lot, and you're right - it would work... but here's the thing - If you put a pentium I computer with a 2 gig hd or something up in front of an entire lab for internet access, I would wonder about the reliability. What I mean is, at work here I was doing something similar - but when the non-redundant power supply in the 1995 based computer died, my entire part of the office lost net access, which is bad.

    There is always something to be said about having a real server act as a firewall. For home use, sure, use an old computer running linux - but for anything that you would like to count on a reliable, get a real piece of hardware to put that linux distro on, and you'll be happier.
  • by DNS-and-BIND ( 461968 ) on Monday June 27, 2005 @06:01PM (#12925749) Homepage
    There are these mystical things called "budgets". The "budget" will provide for some things and not others.

    This *is* at a university. Universities are well-known for being completely isolated from the rest of society, and as a result, they have some pretty weird ideas. One of which is not spending any money on computer security.

  • by riptide_dot ( 759229 ) * on Monday June 27, 2005 @06:02PM (#12925758)
    "You can't be serious. Securing your machines is only worth $100?"

    Keep in mind that the OP works for a university, which probably doesn't have a budget outside of what they already spent on their software firewall. It doesn't mean that security isn't important to him, just that there's probably not an existing budget for it.

    The OP is looking for a cheap and innovative way to secure his university network's servers - and I can't think of a better place to ask the question than here.

    I say let the FOSS community answer his question and provide him a solution to his unique problem in the way that they know best and leave the "isn't this worth more than $XXX?" questions to the salesman.
  • Re:Wrong Approach (Score:2, Insightful)

    by uncle_fausty ( 893001 ) on Monday June 27, 2005 @06:06PM (#12925819)
    Coming from an educational IT background, I can tell you it's not that simple. You can't just say "we need to secure the University's network!" when it's being run by a few hundred different people across a bundle of different departments and faculties, all with their own policies and requirements. I'd say the original post was the right question, and that the right answer, as many have already noted, is an upstream 'nix box running your choice of firewall - OpenBSD and PF is my favourite flavour, but that's just a personal preference.
  • by Threni ( 635302 ) on Monday June 27, 2005 @06:11PM (#12925894)
    Is there any point in doing that, when you could simply replace the broken pc with another, identical copy? I don't even mean using Ghost or whatever. Just a simple script with how to install the firewall on the next PC. Pointless having some state of the art monster server when an old PC with an extra network card would do the trick.
  • by major.morgan ( 696734 ) on Monday June 27, 2005 @06:27PM (#12926051) Homepage
    This is precisely the correct answer. Not iptables/smoothwall/shorewall/other_*nix_box_in-between answer. Read the question folks, supply the simplest effective answer, preferably using the tools that come with the operating system.
  • by NemosomeN ( 670035 ) on Monday June 27, 2005 @06:29PM (#12926071) Journal
    Read the submission. He's looking for a solution that is below $100. I'm willing to bet his time does have zero value. I'm thinking student worker who is going to be getting hours even if he has nothing to do, so yeah, his time is basically of no value.
  • FreeBSD... (Score:3, Insightful)

    by josepha48 ( 13953 ) on Monday June 27, 2005 @07:53PM (#12926829) Journal
    No seriously I use a FreeBSD box to secure my Linux, Windows, Mac, etc machines.

    Why? Because everyone is out trying to hack Linux and Windows machines, they seem to leave the FreeBSD machines alone, maybe because they don't know what to do with them. Or at least there seems to be less people hacking FreeBSD. Most likely it's just less press about it. NetBSD or OpenBSD would also probably work as well.

    I run my firewall off a custom hacked FreeBSD CDROM. While this makes updates more difficult, it makes replacing files near impossible. Hackers can't replace /bin/ls unless they mount /bin as a memory filesystem, in which case they now have to replace df, mount and several other programs. You really only need /var and /tmp as memory filesystems, and maybe some parts of /etc or the whole /etc.

    It has no hard drive so if the power cycles, it just reboots and it's all fine and dandy. I have a separate machine that I can do builds on and updates. I have trimmed it down to a 64 Megs CD and that includes perl, sshd, apache, dhcpd, and bind9.

    You could do this with Linux as well. I haven't heard of anyone creating a Windows bootable CDROM firewall. Mac needs special hardware, and I'm not that familiar with Mac, but you could probably create a Mac firewall on cd as well.

    If you think it's been hacked, reboot and the hackers have to try again :-)

    There are also commercial hardware firewalls. Some are cheap, like the Netgear, dlink, and Linksys, but some of the better ones are in the $500 plus range.

  • Cheap Old PC (Score:3, Insightful)

    by eno2001 ( 527078 ) on Monday June 27, 2005 @07:54PM (#12926841) Homepage Journal
    My firewall is a Pentium (non-MMX) 200 with 32 Megs of RAM and 1.2 Gigs of HD and two $5 NICs (remember, unless you're dealing with a really high bandwidth pipe, a 100 Mb/s NIC should be plenty). You could probably grab one of those from a local surplus dealer or eBay for less than $50. Then set up Linux (whatever distro you feel you could deal with except Linspire). I use Redhat myself. :) Do a minimal install but remember to keep devel tools on so you can compile all of your own custom stuff. Spend a few days removing all unneeded commands/services, recompiling the kernel for serial console (so you can ditch ssh and/or telnet), iptables support, etc... Set up your inside and outside interfaces. Put on Snort, Portsentry, what have you for security and auditing. Plug it inline and away you go. I've been running with the same exact config since 2001. The only thing I've had to do is rebuild the kernel a few times due to exploits. Also upgrading portsentry from time to time, or snort. So far no one has hacked my network and I'm aware of every packet that enters or exits it. There is nothing outside except for the one NIC on that box. Cheap, simple, efficient.
  • by mrbooze ( 49713 ) on Monday June 27, 2005 @08:15PM (#12926994)
    There's obviously a lot of evangelism going on here, I can't even get involved in discussions of using old PCs as firewalls to protect valuable network resources, other than to say I've worked for many corporations over the years and I haven't yet worked for one that ran a production network using old PCs as routers and firewalls.

    Anyway, if one is asking what *I* use, at home it's the perfectly usable firewall capabilities built-in to my network router, plus I still run BlackIce on my systems. (Yes, I know, BlackIce is far from perfect, and it annoys me sometimes, but it does what a lot of other commercial software firewalls don't do, it *tells me* when it sees questionable activity.)

    For work, if I really didn't trust my LAN, I'd probably do something similar, hardware router acting as a firewall protecting my systems collectively, with additional software firewalls on my critical servers for a little overkill. The one Microsoft offers now would probably be sufficient, and at least won't dent the $100 budget mentioned.

    A good quality anti-virus software should always be running on any windows server too, of course. One configured to get updated a/v definitions at least once a day.
  • by YU Nicks NE Way ( 129084 ) on Monday June 27, 2005 @08:18PM (#12927016)
    The professors can do what they want if they choose to control their IT infrastructure, but if their equipment causes problems on the backbone, it is automatically shutdown. Most people do not have a problem with the policy at all.

    But what you're describing is exactly what the GP was rejecting. Back when I was an academic, I assure you that I would have up and left any school which dared to tell me what I could or could not run, or what I could or could not expose. However, I would have been perfectly willing to live under the "If you cause trouble, we'll turn your taps off."

    They're different. One is saying "I run the infrastructure, and I don't care if I get in the way of you doing your job." (To which the answer is "Hell, director of computer services? Please reprimand or fire ." Hey, presto, instant ExBOFH.) The other is saying "Do your job as you like, but don't get in the way of other people doing their jobs." Big difference in attitude.
  • by sjvn ( 11568 ) <sjvn AT vna1 DOT com> on Monday June 27, 2005 @08:38PM (#12927148) Homepage
    Not really, and the cost of taking a PC you already have and turning it into a Linux-based firewall is zero.

    Steven
  • Re:FreeBSD... (Score:3, Insightful)

    by sl3xd ( 111641 ) * on Monday June 27, 2005 @10:27PM (#12927911) Journal
    I'm not going to argue with your points; they are fairly good ones. I'll not bother talking about the merits of a BSD based firewall vs. a Linux one, because such conversations generally degenerate into territorial pissings.

    If a user knows how to run and setup a Linux firewall, it's a better idea to stick with a Linux firewall; the 'superiority' of BSD over the Linux solution is arguable at best; however one thing that should be beyond argument is that if you know how to set up and use a Linux firewall, you're better off making use of that experience/knowledge than you would be making a frenzied (and quite possibly poor) firewall by using the BSD tools improperly.

    After that, if you are so inclined, learn to implement a firewall using one of the BSD's.

    And, of course, the reverse is also quite true.

    But I'm surprised I haven't seen anybody mention 'shorewall' (at least on the Linux side)
  • OS is irrelevant (Score:3, Insightful)

    by Antique Geekmeister ( 740220 ) on Tuesday June 28, 2005 @12:01AM (#12928532)
    Look, the OS really doesn't matter. What does matter is getting your employers to not do stupid things, like run their laptops without security patches and insist on running NFS and file sharing from home and on every machine in your group, getting them to pick decent passwords, teaching people never to use .zip attachments for anything, never running passphraseless accounts and open access points, etc., etc., etc.

    Until you can get basic security steps like those in place, the world's best firewall is like a really big lock on a 3 foot high fence. Even the most casual crackers will simply step over it.
  • by xsbellx ( 94649 ) on Tuesday June 28, 2005 @08:37AM (#12930328) Homepage
    Most of what you say makes some sense. The glaring problem is:

    3.) TCP/IP filtering @ the IP Stack levels (UDP & TCP) allowing ONLY port 80.

    Could you please explain how things like DNS(pretty well required for surfing), HTTPS (port 443), FTP, SSH and several other services would work?
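A concrete ruleset for the kind of two-NIC Linux box eno2001 describes (inside and outside interfaces, old PC, iptables), with the outbound filtering Alan wants and the DNS, HTTPS and SSH allowances that xsbellx points out a port-80-only policy lacks. This is an added example, not code from any poster in the thread; the interface names, the lab subnet and the web server address are assumptions, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Two-NIC Linux firewall in front of a lab of Windows servers (added example).
# Assumptions, not from the thread: eth0 faces the campus network, eth1 faces the
# lab subnet 10.10.0.0/24, and the lab web server 10.10.0.5 must accept HTTP/HTTPS
# from campus. Set IPT=echo to print the rules instead of applying them.
OUT_IF=${OUT_IF:-eth0}
IN_IF=${IN_IF:-eth1}
LAB_NET=${LAB_NET:-10.10.0.0/24}
WEB_SERVER=${WEB_SERVER:-10.10.0.5}
IPT=${IPT:-iptables}
firewall_rules() {
    # Clean slate; every chain drops by default so only listed traffic passes.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # The firewall box itself: loopback, replies, and SSH from the lab side only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$IN_IF" -s "$LAB_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: lab addresses never legitimately arrive on the outside NIC.
    $IPT -A FORWARD -i "$OUT_IF" -s "$LAB_NET" -j DROP
    # Replies to connections the lab started.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound from the lab: port 80 alone breaks DNS, HTTPS, NTP and SSH,
    # so each needed service is listed explicitly; anything else stays blocked.
    for spec in "udp 53" "tcp 53" "tcp 80" "tcp 443" "udp 123" "tcp 22"; do
        set -- $spec
        $IPT -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAB_NET" \
            -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
    done

    # Inbound from campus: only the web server's published ports, so SMB/NetBIOS
    # probes from zombie machines in other departments never reach the Windows boxes.
    for port in 80 443; do
        $IPT -A FORWARD -i "$OUT_IF" -o "$IN_IF" -d "$WEB_SERVER" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log (rate-limited) and drop whatever fell through, for later review.
    $IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A FORWARD -j DROP
}

# Apply only when asked explicitly: "sh firewall.sh apply" as root.
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules
fi
```

Run it once with IPT=echo and read the printed rules before applying them; the forward chain is what stands between the lab and the rest of campus in both directions.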
  • by TheCabal ( 215908 ) on Tuesday June 28, 2005 @11:05AM (#12931588) Journal
    Right, it's called "defense in depth". So he really should use the built-in firewall on each of the Fisher Price OS servers and workstations.

    I'm sorry you feel that running an OS is some kind of machismo thing. Would you like some stubble glitter for Christmas? I despise OS bigots. They're unprofessional, bullheaded and usually wrong.

    On the other hand, anyone using a windows-based firewall as a perimeter defense is a complete moron. You either use some firewall-in-a-box, and for bigger networks, you use some *BSD or Linux.

    Nobody said to load Windows Firewall and let it sit. Remember the constraints this guy has- he needs it to work for $100 or less. So he gets a firewall for free that is application-aware. Cool. Now he has host based firewalls and he still has his $100. Hell, he could go to Best Buy, pick up a router for $40, and take his Significant Other out to dinner.
