Posted by Roger Abell [MVP] on December 7, 2005, 12:18 am
It can be "adequate" IF you have carefully configured it.
But, keep in mind that this is a single defense design, in the sense that
it is all on one box. If there is a code issue with the implementation
of the defense there is no second hurdle cushioning you until there
is a patch available.
I would advise you to use the optional Security Configuration Wizard
that you have available with W2k3 SP1 as this will help you in the
minimizing of surface, not just exposure of surface (i.e. services
minimization, etc.). After that has provided you with the base, then
you could refine the firewall and/or IPsec rules. With use of either
you could restrict file and print to a defined range of IPs, deny to all
others, and yet leave tcp 80/443 available to a different set of IPs,
and also deny all not specifically allowed (ex. domain needs if in
a domain, timesync, DNS, smtp, etc.)
Beyond that, be aware that you can (perhaps in your case should)
use both the Windows firewall and IPsec in a filtering mode. It is
not just that each can do some things more directly than the other,
but that where there is double coverage between them you guard
yourself from yourself (misconfig).
--
Roger Abell
Microsoft MVP (Windows Server : Security)
> the $600+ for the server license is more than i really want to pay, but
> need it to get around the crippled tcp stack in w2k ws... and need to
> upgrade the hw anyway so am biting the bullet for the os also... at least
> for now i can live with 'good enough'. as long as it stops the port scans
> and all that crud, but it still lets me access it from the lan machines i
> can live with lousy logging. i do rather like the outbound control that
> zonealarm on the old w2k machine has though.
>
>> It's sufficient, depending on your security needs. But if you have $600
>> US, you might consider something like www.netscreen.com It has much more
>> robust features, including more improved logging, signature-based
>> intrusion prevention and intrusion detection, filtering of outbound
>> connections, bandwidth shaping, reporting, VPN, etc.
>>
>> The logging features of the Windows firewall are truly terrible. Entries
>> go to a text file which you open with notepad. No reporting whatsoever,
>> unless you write and parse your own. It is meant to be good enough for
>> most uses. I recommend people use the Windows firewall because it is good
>> enough, but don't expect it to be a fully featured firewall, or else you
>> will be very very very sorely disappointed.
>>
>> Programming a firewall with no outbound filtering is just ridiculous.
>>
>>
>>> is the 2003sp1 firewall adequate for protecting a machine that is a web
>>> server to the outside world, and also does file and print sharing for a
>>> simple workgroup internally? is there adequate configurability to allow
>>> machines on the lan (192.168.0.*) full access while blocking anything
>>> not for the web server from the natting router from outside? (the
>>> router is dumb and has no firewall, just everything coming in gets
>>> directed to one internal ip) how are the logging features?
>>>
>>
>>
>
>
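Two points in the thread above invite a small tool: the complaint that the Windows firewall only writes a flat text file you would have to parse yourself, and Roger Abell's advice to restrict file and print to a LAN range, leave tcp 80/443 open to a different set of addresses, deny everything else, and use overlapping controls so you "guard yourself from yourself (misconfig)". The script below is an added example and not code from any poster. It assumes the W3C-style pfirewall.log layout with a `#Fields:` header, treats `DROP` records with path `RECEIVE` as dropped inbound traffic and `OPEN-INBOUND` (or `ALLOW` on later Windows versions) as accepted inbound connections, and the embedded log lines are constructed for the example. It reports which outside sources are being dropped and how many distinct ports they probed (the "port scans and all that crud"), and flags any accepted inbound connection from outside the LAN to a port other than 80/443, which is exactly the misconfiguration the intended policy should never allow.

```python
"""Summarize a Windows Firewall log (pfirewall.log, W3C extended format) and
check it against a simple policy: the LAN range may reach anything, everyone
else only tcp 80/443.  Added example; the sample log below is constructed."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the layout Windows Firewall writes: a few header lines,
# a #Fields: line naming the columns, then one whitespace-separated record per line.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-12-06 23:15:02 DROP TCP 203.0.113.5 192.168.0.10 4423 445 48 S 1234567 0 65535 - - - RECEIVE
2005-12-06 23:15:02 DROP TCP 203.0.113.5 192.168.0.10 4424 139 48 S 1234568 0 65535 - - - RECEIVE
2005-12-06 23:15:03 DROP TCP 203.0.113.5 192.168.0.10 4425 135 48 S 1234569 0 65535 - - - RECEIVE
2005-12-06 23:15:03 DROP TCP 203.0.113.5 192.168.0.10 4426 3389 48 S 1234570 0 65535 - - - RECEIVE
2005-12-06 23:16:10 OPEN-INBOUND TCP 198.51.100.7 192.168.0.10 51022 80 - - - - - - - - -
2005-12-06 23:16:11 OPEN-INBOUND TCP 192.168.0.21 192.168.0.10 1045 445 - - - - - - - - -
2005-12-06 23:17:40 OPEN-INBOUND TCP 198.51.100.9 192.168.0.10 51023 445 - - - - - - - - -
2005-12-06 23:18:00 DROP UDP 203.0.113.77 192.168.0.10 137 137 78 - - - - - - - RECEIVE
"""

# Assumption: these action tokens mark an inbound connection the firewall accepted.
ACCEPTED_INBOUND = {"OPEN-INBOUND", "ALLOW"}


def parse_log(text):
    """Parse pfirewall.log text into a list of dicts keyed by the #Fields: names."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # a record before any #Fields: header cannot be interpreted
        values = line.split()
        values += ["-"] * (len(fields) - len(values))  # tolerate truncated records
        records.append(dict(zip(fields, values)))
    return records


def _inbound_drops(records):
    return (r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE")


def inbound_drops_by_source(records):
    """Count dropped inbound packets per source IP."""
    return Counter(r["src-ip"] for r in _inbound_drops(records))


def probable_scanners(records, min_ports=3):
    """Sources whose dropped inbound packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in _inbound_drops(records):
        ports[r["src-ip"]].add(r["dst-port"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def policy_violations(records, lan_cidr, public_ports=("80", "443")):
    """Accepted inbound connections from outside lan_cidr to a non-public port.
    Any hit here means the firewall/IPsec rules do not match the intended policy."""
    lan = ipaddress.ip_network(lan_cidr)
    bad = []
    for r in records:
        if r["action"] not in ACCEPTED_INBOUND:
            continue
        try:
            src = ipaddress.ip_address(r["src-ip"])
        except ValueError:
            continue  # malformed or "-" source, nothing to judge
        if src not in lan and r["dst-port"] not in public_ports:
            bad.append(r)
    return bad


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("dropped inbound by source:", dict(inbound_drops_by_source(recs)))
    print("probable scanners:", probable_scanners(recs))
    for r in policy_violations(recs, "192.168.0.0/24"):
        print("POLICY VIOLATION:", r["date"], r["time"], r["src-ip"], "->", r["dst-port"])
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of the file configured as the firewall's log location and set `lan_cidr` to the workgroup range from the question (192.168.0.0/24). The violation check is the cheap "second hurdle" Roger describes: it does not stop anything, but it shows quickly whether the rules you believe you wrote are the ones actually in effect.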