Best firewall to use with windows server 2003

Hi guys, what's the best firewall to use with Windows Server 2003? I need to install a software firewall on a server that I am using for email and internet hosting (one website). What will be the best software firewall to use on this server, which is running Server 2003?
Thanks in advance guys :)
 
What would be a good cheap hardware router then?

Is it for home or a business?

What type of connection is it on the end of (xDSL, cable, leased line)?

Budget?

Without knowing any of those (and budget is always the most important), it's the usual suspects really Juniper SSG, Cisco ASA, Checkpoint FW1, Sonicwall (well some people like them ;)). Prices range from <£300 to >£20k.
 
It is for a server, behind a router (with no firewall, combined SDSL+ADSL) already. It must be capable of dealing with more than one external IP as well.
Budget is as little as possible. The server is a standalone one only hosting an email service/server and a few websites.
Thanks in advance guys.
 
Juniper SSG, or a Cisco ASA5505 then. I'd probably go for the Juniper SSG5 or SSG20 (despite being a Cisco / Checkpoint man) as you will probably get more bang for your buck than with a Cisco ASA5505 Sec+. And if you don't have experience of Cisco firewalls, the Juniper is probably the easier of the two to configure from scratch.

Just remember to put the Win2k3 server in the DMZ and only open the bare minimum of ports from the LAN to the DMZ server required to access email from the server and get the webpages up (via FTP?). You really shouldn't need to open any ports back from the DMZ server to the LAN for a server running web and email.
 
Look into Fortigate / Fortinet.

The features provided are excellent considering the costs (fairly cheap).

Annual costs are much cheaper than most of the competition.

This is true; however, they're also bug-ridden and break in some comically amusing ways (or would be comically amusing if it wasn't quite so important).

Unfortunately it's the old game - features, reliability, price - pick any two.
 
I'm currently supporting two pairs of HA Fortigates. They are 'ok', but I wouldn't recommend them by any stretch of the imagination. I miss my Juniper firewalls!
 
Slightly off topic, but I've always wondered this:
Do products like Cisco ASA provide a full hardware replacement for something like ISA or TMG?
As in, firewall, VPN connectivity with AD auth, port forwarding, 'presentation' of an internal site like OWA or a normal IIS, etc.?
 
Netscreen 5gt from the bay will be more than enough for your needs and you can get these for £50.
 
Just remember to put the Win2k3 server in the DMZ

I get the feeling this is not a dedicated web server/SMTP relay whore but a single server environment so I would suggest putting it on the Internal LAN and forwarding on the relevant ports.

No reason to leave the entire server in the DMZ which, by the sounds of it, is not a stripped down Web/Mail server and will likely have everything running. You do not want that in the DMZ on the open net.
 
This might be a bit of an over-the-top response, but I've based it on the fact that this is the enterprise section of the forum, and I do security for a living, and it really frustrates me when people just connect stuff to the internet without the proper controls in place. Personally I would recommend the DMZ approach here. Also, if you must use Windows for internet-facing services, please try and use the latest version if possible; 2003 is getting on a bit now.

If the server is on the internal LAN and has ports forwarded from the internet, and one of the internet-accessible services has a vulnerability (known or otherwise) that is compromised by an attacker, and the compromise gives up administrative access to the server, then you may as well assume the entire internal LAN is compromised, given that it is unlikely there are any further controls once you're inside the network; particularly if you're asking questions of this nature on a forum.

At least with the DMZ approach there is a layer of separation between this internet-accessible server and the rest of the environment. Access from the internet should be restricted to the bare minimum for functionality, and no access from the DMZ to the internal network should exist unless it is absolutely necessary - for example, if the website is database driven then perhaps a SQL connection to an internal database server might be required.

All connectivity should be based upon least privilege, should be authenticated, and should be logged. If the connectivity is of a sensitive nature then transport layer encryption should also be used as a minimum, and if any databases are involved that contain sensitive information then they ought really to be encrypted too. In addition, if any sensitive information is stored within a database then it ought to be separated from the internal network also, and access to it should be controlled on a least-privilege basis. If you really wanted to go to town then web application layer firewalling and intrusion detection/prevention should also be implemented.

Don't forget to harden the box (there is no excuse for not doing this; there is plenty of information out there on how), ensure it is patched (not doing this is simply negligent), and also ensure it is running good quality and up-to-date software to protect against malicious code. This is really just the basic security-101 stuff; I could go on about secure web-based application development also - but I won't. If you're not entirely sure what you're doing then you shouldn't be placing services on the internet. Try not to take this as a personal attack, that's not what it's meant to be, it's just my opinion - just look how many breaches are in the news these days; more often than not the majority of these are preventable.

Hope this helps.
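As an added example (not code from the thread or from any of the firewall vendors mentioned), here is a small Python audit of a zone-based rule set against the design the replies describe: internet to DMZ on the required service ports only, nothing from the DMZ back into the LAN except an explicitly listed exception such as SQL to one database host, and no internet-to-LAN port forwards. The zone names, ports and sample rules are constructed for illustration; the DB port 1433 is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # zone: "internet", "dmz", "lan" or "any"
    dst: str     # zone
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port as text, or "any"
    action: str  # "allow" or "deny"

# Services the DMZ host must expose to the internet (assumed: SMTP, HTTP, HTTPS).
REQUIRED_INTERNET_TO_DMZ = {("tcp", "25"), ("tcp", "80"), ("tcp", "443")}
# The only DMZ -> LAN flow tolerated (assumed: web site talks SQL to an internal DB).
ALLOWED_DMZ_TO_LAN = {("tcp", "1433")}

def audit(rules):
    """Return (finding_code, rule) pairs for permits that break the DMZ design."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # denies never widen exposure
        key = (r.proto, r.port)
        if "any" in (r.src, r.proto, r.port):
            findings.append(("broad", r))            # catch-all permit
        if r.src == "internet" and r.dst == "dmz" and key not in REQUIRED_INTERNET_TO_DMZ:
            findings.append(("inet-dmz-extra", r))   # more than the bare minimum
        if r.src == "internet" and r.dst == "lan":
            findings.append(("inet-lan", r))         # port forward that bypasses the DMZ
        if r.src == "dmz" and r.dst == "lan" and key not in ALLOWED_DMZ_TO_LAN:
            findings.append(("dmz-lan", r))          # DMZ host reaching into the LAN
    return findings

# Constructed sample rule set: three good permits, then the mistakes the thread warns about.
SAMPLE_RULES = [
    Rule("internet", "dmz", "tcp", "25", "allow"),
    Rule("internet", "dmz", "tcp", "80", "allow"),
    Rule("internet", "dmz", "tcp", "443", "allow"),
    Rule("internet", "dmz", "tcp", "3389", "allow"),   # remote admin left open to the world
    Rule("dmz", "lan", "tcp", "1433", "allow"),        # the one tolerated exception
    Rule("dmz", "lan", "any", "any", "allow"),         # DMZ can reach everything inside
    Rule("internet", "lan", "tcp", "25", "allow"),     # mail forwarded straight to the LAN
    Rule("lan", "dmz", "tcp", "21", "allow"),          # admins pushing web pages via FTP
    Rule("dmz", "lan", "tcp", "445", "deny"),
]

if __name__ == "__main__":
    for code, rule in audit(SAMPLE_RULES):
        print(f"{code:15} {rule}")
```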
 