3rd Party Firewalls on Domain Controllers.

[Guest]

I've been looking into the features of the firewall now included with W2K3
sp1 and while I think its great MS is now including a firewall on it's server
software. I'm not sure their 'first iteration' firewall has a rich enough
feature set to do specialized rule logging or selectivitly block problem
machines.

So, I'm wondering what 3rd party firewalls people have been installing on
their Windows AD Domain Controllers, specifically on Windows 2000 server
Domain Controllers right now, but eventually on Windows 2003 server Domain
Controllers.

Anyone who has an opinion on or experience with this issue please
reply to this thread. I'd be curious to know the following....

- What 3rd party firewall software has worked on Domain Controllers.
- And any DC specific configuration issues I should be aware of.

- What 3rd party firewall software is a problem (has not worked well) on
Domain Controllers.

- What firewall features are important with reguard to firewall software
installed on Domain Contollers.

Thanks in advance for any info you can offer on this topic.

 

[Cary Shultz [A.D. MVP]]

Bill,

Not an expert on Networking Hardware Security devices so take this with a
grain of salt!

I would - were money not an issue - opt for a Hardware solution. Both
SonicWall and Cisco have outstanding Firewalls. As do many others ( there
are too many to name and I am somewhat familiar with those two that I did
name.... ). I would also consider using IPCop or SmoothWall - both Linux
Distribution solutions.

I would be very hesitant to run any Firewall on a Domain Controller. Now,
the SBS guys and gals are probably going to shoot me for this as ISA is a
pretty good solution. I would prefer to run that sort of software - were I
to use it over a hardware solution - on a dedicated machine. And it can be
a low end workstation class machine...a nice PIII-450 with 128MB of RAM
would do the trick nicely.

Not sure if this helps any.

And I am not that familiar with WIN2003. I know that SP1 'breaks' some
things.....have read a couple of posts but have not done any investigating
just yet.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Lanwench [MVP - Exchange]]

I've been looking into the features of the firewall now included with
W2K3 sp1 and while I think its great MS is now including a firewall
on it's server software. I'm not sure their 'first iteration'
firewall has a rich enough feature set to do specialized rule logging
or selectivitly block problem machines.

So, I'm wondering what 3rd party firewalls people have been
installing on their Windows AD Domain Controllers, specifically on
Windows 2000 server Domain Controllers right now, but eventually on
Windows 2003 server Domain Controllers.

Anyone who has an opinion on or experience with this issue please
reply to this thread. I'd be curious to know the following....

- What 3rd party firewall software has worked on Domain Controllers.
- And any DC specific configuration issues I should be aware of.

- What 3rd party firewall software is a problem (has not worked well)
on Domain Controllers.

- What firewall features are important with reguard to firewall
software installed on Domain Contollers.

Thanks in advance for any info you can offer on this topic.

I don't run software firewalls on servers...except maybe ISA.
I go for hardware appliances.

 

[Guest]

Thanks to both of you for your replies.

I do understand the methodology of putting something (hardware/software) 'in
front' of a DC. However, depending on the number and "network logical"
location of each DC in a forest this may not be practical.

With all the possible viruses, trojans, spyware, and rootkits, coming via
web, p2p, mail & IM, along with moble wireless clients issues), even with an
Internet border and a series of central firewalls in place, you can't really
protect a DC now days from all possible threats without literally putting a
firewall/IDS/IPS in front of every one of them. And with the peer
functionality of AD-DCs you are only as strong as your weakest DC so you
can't leave any of them un-protected.

I believe as part of 'hardening' all nodes on a network, that it's likely at
some point even DCs will be 'internally' running Firewall, IDS or even IPS
software individually just like we are doing on current client desktop and
member server machines.

I was just curious if the time had come yet for that trend to include domain
controllers.

Since MS is obviously lookiing at this direction with their "WF" on W2K3sp1
(which as far as I can tell is also recommended to be run on DC configured
machines). I just wanted to know if anyone had already worked through this
solution or even given it much thought.

Again, any additional input or advice would be appreciated.

 

[Ryan Hanisco]

Hi Bill,

You 're right in that MS is putting the firewall on the servers to help
combat the increasingly annoying threats to the platform. You'll find that
this is only a hardening of the OS and should only be considered as such.

Nothing fills the role of a dedicated hardware firewall at your perimeter
and an IDS solution. I tend to go with Cisco whenever possible but there
are other players in the market and afford others their own opinions.

I would not, however, be tempted to install a third party firewall on a
server. First, you won't be able to rule out interactions with other
applications and server functions so this is especially unattractive.
Second, these products are usually in-place to monitor other traffic or to
act as a gateway -- not something you want competing for server resources.

 

[Guest]

Ryan, thanks much for your input.