Is a software firewall necessary if hardware is available?

paul dallaire

HI! I have been having a lot of trouble getting the personal firewall of
(Norton Internet Security) to work with IIS server.

With the PF turned off all is OK. It's fine through my router and with my
shared DSL connection, but once it's on, both IE and my FTP client just
time out.

I have a D-Link router with a built-in firewall. Is this good enough? Am I
just going through all this for overkill?

I have the virus scanner/adware scanner/spyware scanner, and all is fine
right now.

What do you guys think?
 
Leythos

paul dallaire said:
HI! I have been having a lot of trouble getting the personal firewall of
(Norton Internet Security) to work with IIS server.

With the PF turned off all is OK. It's fine through my router and with my
shared DSL connection, but once it's on, both IE and my FTP client just
time out.

NIS was not designed to be run on a server.

paul dallaire said:
I have a D-Link router with a built-in firewall. Is this good enough? Am I
just going through all this for overkill?

Your D-Link router is probably just a NAT box and not really a firewall.
The router will allow you to pass 80/443/FTP ports through to the server,
but it's not going to do much in the way a firewall would.

paul dallaire said:
I have the virus scanner/adware scanner/spyware scanner, and all is fine
right now.

What do you guys think?

I suspect that you don't have a server-quality virus scanner installed, just
a client virus scanner; you've probably not run the MBSA to determine if
the machine is locked down, probably not disabled services you don't want
people using, and you should have renamed the Administrator account and
forced LARGE NASTY passwords on all accounts on this box.

Look at some of the MS articles on securing a web server and make sure you
follow their directions or you're going to have a compromised machine in
short time.
 
Mike Brannigan [MSFT]

Good security is about defence in depth.
So have your hardware solution (if it really is one) and also layers of more
hardware and software too.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Guest

Adding to both responses, defense in depth is critical and NO, your D-Link
firewall is not enough.

I suggest a true appliance firewall. Depending on your budget and number of
users, you can get away with an SMB firewall like a Netscreen, Cisco PIX, or
Nokia firewall for your network defense.

I suggest a host firewall on your IIS server.

And I suggest URLScan to proactively defend your IIS server.

There are no shortcuts to security, especially on an Internet-facing Web
server.
 
paul dallaire

HI! Thanks for the response. What do you suggest as a host firewall for my
IIS server?
What is URLScan and where can I look for the software?
What is an SMB?
 
paul dallaire

HI! Thanks for the response. The docs tell how to set up FTP software. If
it does not support it, then why have the docs on it?

I am running Win XP Pro SP2, not Server.
 
paul dallaire

Thanks for the response. :)


Mike Brannigan said:
Good security is about defence in depth.
So have your hardware solution (if it really is one) and also layers of
more hardware and software too.

 
Guest

Responses below.

paul dallaire said:
What do you suggest as a host firewall for my IIS server?

It depends if your Web server is in a DMZ (protected network behind a
firewall but isolated from your intranet) or connected to your internal
network.

If it's in a DMZ, the appliance firewall is good enough for starters. This
would be good enough for most networks.

An added layer of host firewall would help on your Web server if there are
other devices in the DMZ. If one of those devices ever got hacked, you know
that the Web server has another firewall to defend against attacks from its
neighboring DMZ servers.

If you go this uber-secure route, Windows 2003 has a built-in firewall that
can block ingress (inbound) attacks. That should do it. Although you could
go nuts and run a CheckPoint or other similar enterprise-class firewall right
on that system, BUT it's not worth it.

paul dallaire said:
What is URLScan and where can I look for the software?

It has saved a bunch of my clients' booties and is an awesome Microsoft FREE
application (if only Apache had this software):
http://www.microsoft.com/technet/security/tools/urlscan.mspx
Description of both tools: http://www.securityfocus.com/infocus/1755
http://www.microsoft.com/technet/security/tools/locktool.mspx

paul dallaire said:
What is an SMB?

Small-Medium Business
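The kinds of rule URLScan applies in front of IIS, shown as an added Python example. This is not code from the thread and not Microsoft's URLScan; the verb, extension and sequence lists are illustrative assumptions rather than URLScan's shipped defaults, and the bracketed names in the comments are only there to tie each rule back to a URLScan.ini section.

```python
"""Added example, not code from the thread or from Microsoft's URLScan: a
small filter applying the same classes of rules URLScan enforces in front
of IIS. The rule values are illustrative assumptions, not URLScan's shipped
defaults; the bracketed names in comments map each rule to a URLScan.ini
section."""
from urllib.parse import unquote

ALLOW_VERBS = {"GET", "HEAD", "POST"}                        # [AllowVerbs], UseAllowVerbs=1
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq",
                   ".htr", ".printer", ".asa", ".mdb", ".bak"}  # [DenyExtensions]
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%")             # [DenyUrlSequences]
MAX_URL_LENGTH = 260                                          # [RequestLimits] MaxUrl
ALLOW_HIGH_BIT_CHARACTERS = False                             # AllowHighBitCharacters=0


def normalize(url):
    """Decode percent-encoding once and fold backslashes to slashes, roughly
    what IIS does before it maps a URL to a file (NormalizeUrlBeforeScan=1)."""
    return unquote(url).replace("\\", "/")


def check_request(request_line):
    """Decide a raw request line such as 'GET /default.asp HTTP/1.1'.
    Returns (allowed, reason); the reason names the rule that fired."""
    parts = request_line.split()
    if len(parts) < 2:
        return False, "malformed request line"
    verb, raw_url = parts[0], parts[1]

    if verb.upper() not in ALLOW_VERBS:
        return False, f"verb {verb} not allowed"
    if len(raw_url) > MAX_URL_LENGTH:
        return False, "url too long"
    if not ALLOW_HIGH_BIT_CHARACTERS and any(ord(c) > 127 for c in raw_url):
        return False, "high-bit character in url"

    # VerifyNormalization=1: if decoding the decoded URL changes it again, the
    # request was double-encoded (%255c -> %5c -> '\'), a classic way to slip
    # traversal past a filter that looks only at the raw URL.
    url = normalize(raw_url)
    if normalize(url) != url:
        return False, "double-encoded url"

    # Sequences are checked on the decoded path, so %2e%2e is caught as '..'.
    # Only the path is scanned here (an assumption of this example); a '%'
    # that survives decoding is a stray or malformed escape and is rejected.
    path = url.split("?", 1)[0]
    for seq in DENY_URL_SEQUENCES:
        if seq in path:
            return False, f"denied sequence {seq!r} in url"

    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = "." + last_segment.rsplit(".", 1)[-1].lower()
        if ext in DENY_EXTENSIONS:
            return False, f"extension {ext} denied"
    return True, "ok"


if __name__ == "__main__":
    SAMPLE_REQUESTS = [   # constructed sample lines, not captured traffic
        "GET /default.asp HTTP/1.1",
        "GET /page.asp?id=1&view=2 HTTP/1.1",
        "TRACE / HTTP/1.1",
        "GET /cmd.exe HTTP/1.1",
        "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
        "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
        "GET /a%2e%2e/b HTTP/1.1",
    ]
    for line in SAMPLE_REQUESTS:
        print(line, "->", check_request(line))
```

The "proactive" part the post refers to is visible in the ordering: the decision is made on the decoded path, so `%2e%2e` is rejected as `..` and a double-encoded `%255c` is rejected outright, before IIS ever maps the request to a script handler.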
 

paul dallaire

OK, since I am not sure if it is a DMZ, here is my configuration. Tell me
what it is.

My DSL modem's main connection Rs2/32 is plugged into the main port in my
D-Link 604 router (Internet Broadband Router). Then the other 2 computers
are coming out of the router's child ports.

The first computer, running WinXP Pro, was used to create the network disk to
configure the Win98 computer.
Both computers are sharing resources and are networked together.

Both computers are sharing the modem through the router, BUT it's the WinXP
Pro that starts the DSL modem connection. (In other words, if the WinXP Pro
computer goes down then the Win98 computer can NO longer connect to the
internet.)

With this explanation, what is this configuration called? Is this a DMZ?
What firewall software could be used to help me if needed at first?
 
Leythos

paul dallaire said:
HI! Thanks for the response. The docs tell how to set up FTP software. If
it does not support it, then why have the docs on it?

I am running Win XP Pro SP2, not Server.

I had a suspicion that you were running a workstation instead of a server.
You're still in the same boat; you also risk your other computers should
the public one become compromised.

Your 604 router is just a simple NAT box with no real firewall installed
and no means to have two network segments - we would call one segment the
LAN and the other the DMZ - typically there is none or little connection
between the DMZ and the LAN, and your non-public computers sit in the LAN
segment. With this type of setup your computers in the DMZ can't reach the
computers in the LAN should a DMZ computer become compromised.

There are ways to build a cheap LAN/DMZ, but you need two routers:

INTERNET
|
ROUTER 1
| < DMZ SEGMENT
| < 192.168.0.0/24
ROUTER 2
| < LAN SEGMENT
| < 192.168.1.0/24

In this setup your LAN computers are able to access the DMZ WEB/FTP
computers, but, unless you make ports back into ROUTER 2, the DMZ
computers can't reach the LAN segment. All computers can reach the
Internet through the routers.

Now, you do understand that your Workstation is limited to 10 sessions at
a time - meaning that your web site is very limited in how many users can
access it?

You might also want to consider using something other than the built-in MS
FTP service - take a look at FileZilla, it's an open-source FTP server
that runs on the Windows platform and is much easier and more feature-rich
than the MS FTP service - and it doesn't require a Windows user account - since
you're not going to allow anonymous access to the FTP site (it would be
bad to allow FTP write access to the world).

FileZilla server can be found here:
http://filezilla.sourceforge.net/
 
Guest

To answer your original question (Is a software firewall necessary if
hardware is available?), you already have a hardware firewall, the D-Link
604, and *maybe* you need one on the XP machine if it's running IIS, but I
would at least run URLScan on your IIS server.

You're on a DSL network and it sounds like it's for your small business or
home. I don't suggest anything super expensive, but effective. The DLink is
OK for home use as a firewall, but it's the bare minimum as firewalls go.
Check eBay for Netscreen-5, Sonicwall, etc. for decent business-class
firewalls for small medium business.

For the XP system running IIS, the XP SP2 firewall is sufficient, but know
that it will only protect you from ingress (inbound) threats. Once you get
malware on that system, it can talk out of it all day long. At that point,
you switch to a more powerful software firewall meant for servers.


For your recent question about the DMZ:
1. No, you do not have a DMZ.

Typical DMZs look like:

Multi-homed Firewall/DMZ Design
Internet---FW---intranet
            |
           DMZ

OR

Sandwich DMZ Design
I---FW--DMZ--FW--i

You have neither, you have:
I--FW (DLink)--i (where your XP/IIS server and 98 systems are)

Your server is directly connected to your end systems and cannot be isolated
by the hardware firewall. This is the reason why people are saying to add a
software firewall--isolation and threat mitigation.

There are a ton of great firewall books that you may want to read.

Good luck!

Hope this helps.
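The isolation argument made in Leythos's two-router diagram and in the layouts just above, as an added Python model. This is not code from the thread, and the segment and host names are made up for the illustration. Each router is treated the way the replies describe a NAT box: connections from its inside outward are passed, and the only inbound connections it accepts are explicit port-forwards.

```python
"""Added example, not code from the thread: a toy reachability model for the
router layouts discussed above. Segment and host names are assumptions made
up for the illustration."""
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """A SOHO 'NAT box' as the posts describe it: inside hosts may open
    connections outward; inbound connections pass only via port-forwards."""
    name: str
    outside: str                                   # segment on the uplink side
    inside: str                                    # segment being NATed
    forwards: dict = field(default_factory=dict)   # {dst_port: inside host name}


@dataclass
class Topology:
    hosts: dict       # host name -> segment name
    routers: list     # NatRouter objects joining adjacent segments

    def _router_between(self, seg_a, seg_b):
        for r in self.routers:
            if {r.outside, r.inside} == {seg_a, seg_b}:
                return r
        return None

    def _segment_path(self, src_seg, dst_seg):
        """Breadth-first search over routers for the chain of segments."""
        frontier, seen = [[src_seg]], {src_seg}
        while frontier:
            path = frontier.pop(0)
            if path[-1] == dst_seg:
                return path
            for r in self.routers:
                for a, b in ((r.outside, r.inside), (r.inside, r.outside)):
                    if a == path[-1] and b not in seen:
                        seen.add(b)
                        frontier.append(path + [b])
        return None

    def can_connect(self, src_host, dst_host, dst_port):
        """True if src_host can open a TCP connection to dst_host:dst_port."""
        src_seg, dst_seg = self.hosts[src_host], self.hosts[dst_host]
        if src_seg == dst_seg:
            return True          # same segment: no router in the way at all
        path = self._segment_path(src_seg, dst_seg)
        if path is None:
            return False
        for a, b in zip(path, path[1:]):
            r = self._router_between(a, b)
            if a == r.inside:
                continue         # inside -> outside: NAT passes it
            # outside -> inside: needs a forward for this port. Simplification:
            # at an intermediate router any forward for the port lets the
            # connection continue; at the last router it must point at dst_host.
            target = r.forwards.get(dst_port)
            if target is None or (b == dst_seg and target != dst_host):
                return False
        return True


def single_router_topology():
    """Paul's layout: one D-Link 604 with the XP/IIS box and the Win98 box on
    the same inside segment. Ports 80 and 21 are forwarded to the IIS box."""
    dlink = NatRouter("dlink604", outside="internet", inside="lan",
                      forwards={80: "xp-iis", 21: "xp-iis"})
    return Topology(hosts={"outsider": "internet", "isp-dns": "internet",
                           "xp-iis": "lan", "win98": "lan"},
                    routers=[dlink])


def dual_router_topology():
    """Leythos's layout: router 1 fronts the DMZ, router 2 fronts the LAN,
    and nothing is forwarded into the LAN."""
    r1 = NatRouter("router1", outside="internet", inside="dmz",
                   forwards={80: "xp-iis", 21: "xp-iis"})
    r2 = NatRouter("router2", outside="dmz", inside="lan")
    return Topology(hosts={"outsider": "internet", "isp-dns": "internet",
                           "xp-iis": "dmz", "win98": "lan"},
                    routers=[r1, r2])


if __name__ == "__main__":
    for label, topo in (("single router", single_router_topology()),
                        ("dual router", dual_router_topology())):
        print(label)
        for src, dst, port in (("outsider", "xp-iis", 80),
                               ("xp-iis", "win98", 445),
                               ("win98", "xp-iis", 80),
                               ("win98", "isp-dns", 53)):
            print(f"  {src} -> {dst}:{port}: {topo.can_connect(src, dst, port)}")
```

The single-router case shows why the replies keep saying the 604 gives no isolation: the XP/IIS box and the Win98 box sit on one segment, so a compromised web server reaches the LAN host directly. In the dual-router case the same connection is dropped at router 2 because nothing is forwarded into the LAN, while the LAN can still reach both the DMZ and the Internet. Adding a forward for port 445 on router 2 is exactly the "making ports back into ROUTER 2" that Leythos warns against.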
 
paul dallaire

HI! What would you suggest as a more powerful software firewall meant for
servers?
If you can, give me a few program names for me to check out.
 
paul dallaire

HI! Why would you call the D-Link a NAT box? Why would they list it as a
router? Can you explain? I don't understand.

I do understand now about isolating the two. What would you recommend as a
good router that is low price but good for my situation as a starter? I
will in the future get a good hardware firewall, but for now I would like
decent protection.

Another thing: if I do get another good router, can I still use the
D-Link's firewall between the LAN part as the other more advanced firewall
filters the IIS server's connections and other public connections?
 
Matt Gibson

ISA Server for one.

Personally, I don't use software firewalls alone on servers.

Matt Gibson - GSEC
 
Leythos

paul dallaire said:
HI! Why would you call the D-Link a NAT box? Why would they list it as a
router? Can you explain? I don't understand.

The 604 is just a ROUTER that provides NAT, it's not a firewall; look up
what makes a firewall a firewall sometime. Those types of devices get
marketed as what they feel they can get away with. I won't go into what a
router is, what NAT is, or what a firewall appliance is; you can google
for all of that.

paul dallaire said:
I do understand now about isolating the two. What would you recommend as a
good router that is low price but good for my situation as a starter? I
will in the future get a good hardware firewall, but for now I would like
decent protection.

Any of the cheap units, the under-$300 range, offer the same features for
the most part - they are all just NAT boxes. There is no cheap SOHO single
router like the 604 that provides for fully isolated DMZ and LAN areas.
The separation is critical in protecting the LAN from the DMZ. As I showed
in the diagram you can build your own using two cheap routers in series
with each other - the DMZ area is the first router inside the network and
where you put the public machines, the LAN area is on the other side of
the second router.

paul dallaire said:
Another thing: if I do get another good router, can I still use the
D-Link's firewall between the LAN part as the other more advanced firewall
filters the IIS server's connections and other public connections?

The D-Link 604 is not a firewall, it's a router with NAT. You could use
two D-Link 604 units to build your LAN/DMZ just like I showed in my earlier
post. You just need to make sure that each network is a different
IP range.

Firewall appliances are costly; starting units run $400+ on average, most
of the good ones run $1700+. Since you are only using a workstation OS and
not a server you've not invested a lot, so a dual-router solution would
protect you well enough as long as you lock down the publicly accessed
system.
 
Leythos

paul dallaire said:
HI! What would you suggest as a more powerful software firewall meant for
servers?
If you can, give me a few program names for me to check out.

Without the experience to understand securing the OS and also setting up a
secure personal firewall application on the workstation, you would not be
in good shape for securing the web workstation. Keep in mind, you're running
a workstation version of the operating system, not a server.

Use of dual routers, even NAT boxes like the 604 (which is not a
firewall), will provide more protection than an improperly configured
personal firewall application.

If you look at the design that Phil mentions, he shows a DMZ area
separated from the LAN area - in a cheap way you can achieve the same
solution with two routers (like the 604).
 
Guest

It depends on the application.

Are you a Small-Medium Business or SOHO?
Enterprise?

For SOHO and SMB use:
Microsoft ISA or you can run the built-in firewall for win2k3 and XP.

For Enterprise use:
Microsoft ISA or you can run commercial quality firewall on the server
itself--Check Point Firewall-1 (although it's very expensive and probably
overkill)


I am just going by the title of this thread, but if I were to hit the brakes
for a moment, I'd suggest a different route for Web server security in
conjunction with IIS Lockdown and URLScan: server Intrusion Prevention
Systems (IPS).

Here are some technologies to consider, my favorite being Sana Security
Primary Response:
http://www.sanasecurity.com/

I've tried BlackICE/RealSecure Server Sensor and Okena, but they really play
havoc on the stability of a production network.
http://www.iss.net/products_services/enterprise_protection/rsserver/protector_server.php
http://cisco.com/en/US/products/sw/secursw/ps5057/index.html

When deploying these solutions, I highly suggest using them in learning mode
with alerts, which basically relegates this IPS software to an Intrusion
Detection System (IDS).

Other IDS / IPS - Host-based technology:
Cisco Security Agent (fka Okena) - v 4.0
Enterasys Dragon Squire - v5.0, 6.x
ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
McAfee Entercept - v 4.x, 5.0
Nagios.org - v1.0
NFR HID - v1.0
Symantec Host IDS (fka ITA) - v3.6
Sana Primary Response – v2.0
 
paul dallaire

HI! When you say IIS Lockdown, does this mean firewall protection?

Is Microsoft ISA an OS server platform with firewall protection, or is it an
add-on to an OS such as my WinXP Pro or Server?
 
paul dallaire

HI! Thanks a lot for all the info. I will read up on things.

Thanks again for all your help :)

Paul
 
