General Firewall question

lorne

Hi everyone,
This is just a general question for anyone....
On a network consisting of 8 workstations and a W2K server, should there be
firewall software run on the server? The workstations are all Win XP Pro
with SP2. 2 of the employees live on their MSN Messenger and ICQ chat ALL
day long as well as download music (they are the boss's daughters so they
can "do as they please").
I am finding that I am constantly fighting viruses and recently had to
reinstall the OS on the server as it appeared to be compromised.
Is there any special firewall software that can be used on the server to
help protect it and allow me to block the chat and download stuff?

thanks for suggestions
 
Jud

lorne said:
Hi everyone,
This is just a general question for anyone....


You have a Server connected to the Internet and you aren't using a
Firewall at all ????

Yes you should have one as well as spyware programs and trojan scanners.
Without them you are basically wide open to the whole world.

The workstations should also have Anti-Virus installed, one that updates
itself regularly and also scans incoming and outgoing email.

I suggest you do a google on IT security on Win2K server and really bone up,
before the whole lot goes down.

Jud
 
lorne

All workstations have antivirus and spyware installed on them, the server is
using NAV 9 for antivirus and Zone Alarm as a firewall... I just thought
that there might be a better firewall to use like Symantec's...
 
tray

While running something like zonealarm on the server is better than nothing
(does zonealarm even work on a server?), a better way would be to get a
firewall appliance such as SonicWall or WatchGuard or Symantec (I think I
saw where Symantec puts out a "lower-end" firewall for small businesses). I
mention those because they have products more in line with small business
(price-wise). Symantec has high-end FW's, but I think they have a smaller
one also.

Be aware, however, that if users can demand that you "open up" the firewall
so they can still do everything they want, then there goes the usefulness
of the firewall. Also, just as a general example, let's say you deny the ICQ
protocol. They can still use ICQ thru HTTP.

Just my .02 worth.
 
tray

Oh, probably don't need to tell you, but make sure the "problem employees"
are locked down as tight as possible, DomainUser rights only, and make sure
they do not have any rights/permissions on the server they don't need, stop
unnecessary services on the server, possibly apply the high-security
template, etc etc
 
lorne

Thanks tray...
I should mention that the server is only used as a storage for documents.
The server is not used for internet other than Windows updates and antivirus
updates. The server also has a static IP. Zone Alarm sort of worked,
however, it seemed to block everyone out so I guess it wasn't too helpful.
 
tray

Should all workstations and the server have AV: yes
Should all workstations and the server be behind a firewall: yes

You mentioned "downloading music"...have they installed a P2P file sharing
program? Is the company exposed to both "hacking" threats and Legal
Liability, that is, illegal downloads?

Ultimately, the Boss is the Boss...but you need to make sure he is aware of
the Legal implications, and general threats from the Internet. There have
been some discussions in the past about system admins being legally liable
also. I don't know the particulars about that, but you might want to check
it out.

If Boss/Management is not behind "being secure" then most of your attempts
will fail.
 
Jim Byrd

Hi Lorne - You might want to take a look at some of the suggestions in my
blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/ especially concerning
SpywareBlaster, SpywareGuard, IESpy-Ad and using a HOSTS file at the end.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP

 
lorne

Hopefully not a stupid question... but is the NAT in the router not enough
for a firewall for the server?
And maybe installing Zone Alarm on the workstations would be sufficient?
 
tray

A NAT router doesn't forward to the LAN from the internet UNLESS a computer
behind the NAT router initiates the connection (supposedly). However, it
could be a trojan or a P2P file-sharing or whatever that has been installed
on a client computer that is actually "initiating" the connection (not to
mention the user themselves). Depending on the Firewall used, the Firewall
could look for and drop/block that kind of traffic.
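
The NAT behaviour described in the reply above, as an added example that is not part of the original thread: a toy Python model of a NAT router's translation table, showing that unsolicited inbound packets are dropped while any outbound connection, wanted or not, gets a mapping, and what a port-based outbound allow-list changes. The `NatRouter` class, its method names, and every address and port are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    """Toy NAT router; egress_allow=None models plain NAT with no outbound filtering."""
    egress_allow: Optional[set] = None           # allowed destination ports, if filtering
    table: dict = field(default_factory=dict)    # public port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection. Returns the mapped public port, or None if blocked."""
        if self.egress_allow is not None and remote_port not in self.egress_allow:
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return port

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the internet. Returns the LAN endpoint it reaches, or None."""
        entry = self.table.get(public_port)
        if entry is None or entry[2] != (remote_ip, remote_port):
            return None                          # no matching outbound mapping: dropped
        return entry[:2]

def demo():
    """Constructed traffic; all addresses are documentation/private ranges."""
    r, nat = {}, NatRouter()
    # Unsolicited packet aimed at the file server's SMB port: nothing initiated it.
    r["unsolicited"] = nat.inbound("198.51.100.7", 51000, 445)
    # A workstation browses the web; the reply matches its mapping and is forwarded.
    p = nat.outbound("192.168.1.21", 3301, "198.51.100.80", 80)
    r["web_reply"] = nat.inbound("198.51.100.80", 80, p)
    # An unwanted program on a workstation dials out: NAT maps it like any other client.
    p = nat.outbound("192.168.1.22", 3302, "198.51.100.66", 5000)
    r["unwanted_reply"] = nat.inbound("198.51.100.66", 5000, p)
    # Same router with an outbound allow-list (web ports only).
    fw = NatRouter(egress_allow={80, 443})
    r["filtered"] = fw.outbound("192.168.1.22", 3302, "198.51.100.66", 5000)
    # The same program using port 80 still passes a rule that only looks at ports.
    r["over_port_80"] = fw.outbound("192.168.1.22", 3303, "198.51.100.66", 80)
    return r

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The last case is the same limitation raised earlier in the thread about ICQ over HTTP: a rule keyed only on port numbers cannot tell web browsing from other traffic sent to port 80.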
 
