Posted by Dave on December 7, 2005, 4:37 pm
Thanks, those are some of the things I needed to know.
> It can be "adequate" IF you have carefully configured it.
> But, keep in mind that this is a single-defense design, in the sense
> that it is all on one box. If there is a code issue with the
> implementation of the defense, there is no second hurdle cushioning
> you until there is a patch available.
>
> I would advise you to use the optional Security Configuration Wizard
> that you have available with W2k3 SP1, as this will help you minimize
> the surface, not just the exposure of the surface (i.e. service
> minimization, etc.). After that has provided you with the base, then
> you could refine the firewall and/or IPsec rules. With use of either
> you could restrict file and print to a defined range of IPs, deny to
> all others, and yet leave TCP 80/443 available to a different set of
> IPs, and also deny all not specifically allowed (e.g. domain needs if
> in a domain, timesync, DNS, SMTP, etc.)
>
> Beyond that, be aware that you can (perhaps in your case should)
> use both the Windows firewall and IPsec in a filtering mode. It is
> not just that each can do some things more directly than the other,
> but that where there is double coverage between them you guard
> yourself from yourself (misconfig).
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
>
>> The $600+ for the server license is more than I really want to pay, but
>> I need it to get around the crippled TCP stack in W2K WS... and need to
>> upgrade the hw anyway, so am biting the bullet for the OS also... At
>> least for now I can live with 'good enough'. As long as it stops the
>> port scans and all that crud, but still lets me access it from the LAN
>> machines, I can live with lousy logging. I do rather like the outbound
>> control that ZoneAlarm on the old W2K machine has, though.
>>
>>> It's sufficient, depending on your security needs. But if you have $600
>>> US, you might consider something like www.netscreen.com It has much
>>> more robust features, including improved logging, signature-based
>>> intrusion prevention and intrusion detection, filtering of outbound
>>> connections, bandwidth shaping, reporting, VPN, etc.
>>>
>>> The logging features of the Windows firewall are truly terrible.
>>> Entries go to a text file which you open with Notepad. No reporting
>>> whatsoever, unless you write and parse your own. It is meant to be good
>>> enough for most uses. I recommend people use the Windows firewall
>>> because it is good enough, but don't expect it to be a fully featured
>>> firewall, or else you will be very very very sorely disappointed.
>>>
>>> Programming a firewall with no outbound filtering is just ridiculous.
>>>
>>>
>>>> Is the 2003 SP1 firewall adequate for protecting a machine that is a web
>>>> server to the outside world, and also does file and print sharing for a
>>>> simple workgroup internally? Is there adequate configurability to
>>>> allow machines on the LAN (192.168.0.*) full access while blocking
>>>> anything not for the web server from the NATting router from outside?
>>>> (The router is dumb and has no firewall; everything coming in just gets
>>>> directed to one internal IP.) How are the logging features?
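The setup Roger Abell describes (file and print restricted to the LAN range, TCP 80/443 open to the outside, everything else denied, logging of drops, and an IPsec filter policy as the second hurdle behind the Windows Firewall), written out as the netsh commands you would type on a Windows Server 2003 SP1 box. This is an added example, not code from anyone in the thread; it assumes the 192.168.0.0/24 LAN from the original question, a web server on 80/443 only, a workgroup (no domain traffic), and hypothetical policy and filter-list names. Syntax is that of the `netsh firewall` and `netsh ipsec static` contexts shipped with 2003 SP1; check any line against `netsh firewall set portopening ?` or `netsh ipsec static add filter ?` before relying on it.

```batch
@echo off
rem Added example (not from the thread): host firewall plus IPsec filter policy
rem for a Windows Server 2003 SP1 box that serves HTTP/HTTPS to the world and
rem file/print to one workgroup LAN. Assumes LAN = 192.168.0.0/24 (from the
rem question); policy/filter-list names are hypothetical. Run from cmd.exe at
rem the console, not over a remote session that these rules would cut off.

rem ---- 1. Windows Firewall: on, default-deny inbound, log dropped packets ----
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set notifications mode=DISABLE
netsh firewall set multicastbroadcastresponse mode=DISABLE

rem Web server reachable from anywhere (the dumb router forwards everything here).
netsh firewall set portopening protocol=TCP port=80  name="HTTP"  mode=ENABLE scope=ALL profile=ALL
netsh firewall set portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL profile=ALL

rem File and print sharing (TCP 139/445, UDP 137/138) only from the LAN subnet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.0.0/255.255.255.0 profile=ALL

rem Built-in exceptions the question does not need stay closed.
netsh firewall set service type=REMOTEADMIN   mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP          mode=DISABLE profile=ALL
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL

rem The log is a flat W3C-style text file; turn on drops so port scans show up.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem ---- 2. IPsec filter policy: the "second hurdle" behind the firewall ------
rem One catch-all block filter, then explicit permits. IPsec matches the most
rem specific filter first, so the permits win over the catch-all. The policy is
rem created unassigned (assign=n); assign it only after testing from a LAN box.
netsh ipsec static add policy name="WebSrvLockdown" description="Default-deny with explicit permits"
netsh ipsec static add filteraction name="Block"  action=block
netsh ipsec static add filteraction name="Permit" action=permit

netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes

netsh ipsec static add filterlist name="Permitted"
rem Web from anywhere (srcport=0 means any source port).
netsh ipsec static add filter filterlist="Permitted" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filter filterlist="Permitted" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes
rem SMB/NetBIOS from the LAN subnet only.
netsh ipsec static add filter filterlist="Permitted" srcaddr=192.168.0.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="Permitted" srcaddr=192.168.0.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="Permitted" srcaddr=192.168.0.0 srcmask=255.255.255.0 dstaddr=me protocol=UDP srcport=0 dstport=137 mirrored=yes
netsh ipsec static add filter filterlist="Permitted" srcaddr=192.168.0.0 srcmask=255.255.255.0 dstaddr=me protocol=UDP srcport=0 dstport=138 mirrored=yes
rem Outbound essentials the box itself needs (DNS, time); mirrored=yes admits the replies.
netsh ipsec static add filter filterlist="Permitted" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53  mirrored=yes
netsh ipsec static add filter filterlist="Permitted" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=53  mirrored=yes
netsh ipsec static add filter filterlist="Permitted" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=123 mirrored=yes

netsh ipsec static add rule name="BlockAll"   policy="WebSrvLockdown" filterlist="AllTraffic" filteraction="Block"
netsh ipsec static add rule name="PermitList" policy="WebSrvLockdown" filterlist="Permitted"  filteraction="Permit"
netsh ipsec static set policy name="WebSrvLockdown" assign=n

rem ---- 3. Checks --------------------------------------------------------------
netsh firewall show config
netsh firewall show state
rem Count inbound drops so far (scans land here). Field order is given by the
rem #Fields header at the top of the log; RECEIVE marks the inbound direction.
findstr /C:" DROP " %SystemRoot%\pfirewall.log | find /C "RECEIVE"
```

Two things to watch. First, the mirrored catch-all block also stops the server's own outbound connections, so anything it initiates (Windows Update, SMTP out, etc.) needs its own permit filter before the policy is assigned with `assign=y`; that is the price of the double coverage Roger recommends, and it is exactly what keeps a misconfigured firewall exception from being the only thing between the box and the Internet. Second, the firewall log has no rollover beyond `maxfilesize`, so the `findstr` line (or a scheduled copy of the file) is the whole of the "reporting" on this platform; anything beyond that you write and parse yourself, as the thread says.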