Firewall


Adam Thornton

Here's the deal. We are trying to implement a kind
of "poor man's firewall." My question is how easy is it to
place two NIC cards into a Windows 2000 machine (one card
having access to the router/ISP, the other having access
to a switch) to have a firewall for security purposes. We
were wanting to test the security capabilities of Windows
2000 and its firewall. Is this possible? Are there any
other cheaper alternatives? Is this even worthwhile?
Thanks in advance for any help!
 

Robert Cowling

We ran into huge issues with a 'multihomed' 2000 server
back years ago.

I'd not do it. Plus if there are things on that server
that you want secure, any breaches could leave no security
and data loss or worse...

A cheap NetGear or a PIX 504 firewall would be better than
trying to cobble something together and hoping that it
works... IMO
 

Steven L Umbach

If you are talking about W2K Server you can use RRAS and NAT and configure
input and output filters. For W2K Pro there is no firewall and you would end
up using ICS, which acts as a basic NAT router. I suppose you could also try
configuring IPsec filtering on just the external adapter. You may be better
off with a lower-end firewall device such as the Netgear ProSafe line
[starting less than $100], which is a true SPI firewall and has some
configuration to restrict outbound access, though the number of rules to
create is rather limited. A lot will use Linux for such a purpose. I am not
a big Linux user, but it is pretty easy to install and configure these days
and the rules in the configuration file are pretty straightforward for the
firewall for iptables or ipchains. -- Steve
 

Adam Thornton

Well, this is the situation. We are a non-profit
organization. We have approx. 145 machines spread out over
about 10 locations. I, personally, am uncertain as to
which functions may be critical in order to purchase and
use a firewall. The Symantec SGS5440 would be ideal because
it has every possible function I could think of. My
supervisor gave me the idea of the "poor man's firewall"
that I mentioned. In another forum, a man suggested
setting up a NAT service
(http://support.microsoft.com/default.aspx?scid=kb;en-us;310357).
In addition to basic security and protection,
one of the main functions that we are looking to get out
of the firewall is email content screening (attachments,
etc). In an ideal situation, we could purchase a piece of
hardware and not sacrifice a computer. Some of you have
mentioned different firewalls. Are these cheap enough that
they are easy to break or would maybe not provide the
appropriate level of functionality? Would we be better off
purchasing a higher end model or could we go with
the "poor man's firewall" that I mentioned earlier? Thanks
again and if I can answer any questions, please let me
know.

Adam Thornton
 

Jim Cusson

As for the content filtering for e-mail... Windows won't do that out of the
box for you. You're definitely looking for 3rd party software there. We
use SurfControl, but there are a number of options including outside
services.

--
Jim Cusson
Information Security Administrator
CompassBank for Savings
One Compass Place
New Bedford, MA 02740
 

Jeff Cochran

> Here's the deal. We are trying to implement a kind
> of "poor man's firewall." My question is how easy is it to
> place two NIC cards into a Windows 2000 machine (one card
> having access to the router/ISP, the other having access
> to a switch) to have a firewall for security purposes.

Quite easy. Except you have to add firewall software to the system.
:)

> We
> were wanting to test the security capabilities of Windows
> 2000 and its firewall. Is this possible?

W2K has no firewall.

> Are there any
> other cheaper alternatives?

Plenty. Smoothwall for example.

> Is this even worthwhile?

A firewall isn't "worthwhile", it's a requirement. Linux-based
firewall systems such as Smoothwall are free, relatively easy to
configure and can run on a system you'd normally discard. Plenty of
SOHO hardware firewalls also exist that would be inexpensive.

Jeff
 

Guest

You can try a low-end SonicWall appliance for around $1000.
 
