Posted by Roger Abell [MVP] on November 26, 2007, 10:26 am
> says...
>> Sorry Leythos, but I have to take exception with that . . .
>> While I do believe that the more layers of protection the better,
>> Windows Server, even at 2000 version, can be place directly
>> on the world network and not just survive but remain in the as
>> deployed state. It only takes some informed configuration work.
>> How do I know this? First hand experience from lack of any
>> alternative. Would I recommend not using a separate firewall?
>> No, at least not if that firewall is going to be effectively config'd.
>> But would I say it is absolutely necessary, by no means; it does
>> however make things easier for people that cannot take the time
>> to comb a Windows server config clean for an outward facing
>> deployment.
>
> And we all know there are exceptions to everything, but in this case the
> exception is that a Win server will remain uncompromised.
>
> Normally, if you are going to properly configure and lock down a Windows
> server for direct connect to the internet, it's not going to be doing
> much or providing much. There are few reasons to have a server directly
> connected to the internet - ISA/Firewall solution would be the only I
> can think of off the top of my head.
>
> While I've read about the IIS boxes connected in tests/contests, I would
> never connect a Win web server directly to the public internet without a
> firewall.
>
> Again, yes, it can be done, yes, you can lock it down enough to keep it
> from being exploited, but, how many people hitting Usenet do you think
> will actually be able to do that and get it serving what they wanted,
> without exposing an exploit path.....
>
They pretty much only need to use the Security Configuration Wizard,
correctly state the roles and apply the result and then set up IPsec to
block all except for the needed ports and use a patching schedule.
Your statistics may be a little off as I think you will find such to be
more common than just being the infrequent exception.
Many of the firewalls I have experienced are perhaps more dangerous
than none as they are not well configured but trusted as if they were.
In my book the name of the game is endpoint hardening and then also
leveraging what one has available, such as hardware for network
screening. IOW I configure the system the same and trust that at some
point the firewall will not be doing what I think.
Roger
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)
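As an added illustration (not Roger's own commands, and not from the thread), here is what the "IPsec to block all except for the needed ports" step looks like with the Windows Server 2003-era `netsh ipsec static` context; it assumes a web server whose only needed inbound port is TCP 80, plus an assumed management host 192.0.2.10 allowed on TCP 3389 so the policy does not lock the administrator out.

```batch
@echo off
REM Added example: a "block everything inbound, then permit only the needed
REM ports" IPsec policy built with the netsh ipsec static context.
REM Assumptions: TCP 80 is the only public service; 192.0.2.10 is a
REM constructed placeholder for the admin workstation allowed RDP (TCP 3389).
REM IPsec filters are matched most-specific-first, so the narrow permit
REM filters take precedence over the catch-all block filter.

set POLICY=Edge Lockdown

REM 1. Create the policy container (not yet assigned).
netsh ipsec static add policy name="%POLICY%" description="Block all inbound except required ports"

REM 2. Catch-all filter: any source, this host, any protocol.
netsh ipsec static add filterlist name="All Inbound"
netsh ipsec static add filter filterlist="All Inbound" srcaddr=any dstaddr=me protocol=any mirrored=yes

REM 3. Narrow permit filters for the ports the server actually needs.
netsh ipsec static add filterlist name="Needed Inbound"
netsh ipsec static add filter filterlist="Needed Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Needed Inbound" srcaddr=192.0.2.10 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

REM 4. Filter actions: one that drops, one that passes traffic in the clear.
netsh ipsec static add filteraction name="Drop" action=block
netsh ipsec static add filteraction name="Pass" action=permit

REM 5. Bind filter lists to actions inside the policy.
netsh ipsec static add rule name="Block All" policy="%POLICY%" filterlist="All Inbound" filteraction="Drop"
netsh ipsec static add rule name="Permit Needed" policy="%POLICY%" filterlist="Needed Inbound" filteraction="Pass"

REM 6. Review before assigning: confirm the permit filters exist, then enable.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y

REM Verify from another host that only 80 (and 3389 from the admin box)
REM answer; everything else should be silently dropped.
```

The patching schedule Roger mentions is outside what a policy script can express; the point of step 6 is that the policy is reviewed and a management path kept open before it is assigned, because once assigned it drops the very port you would use to fix a mistake.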