RE: [Full-Disclosure] Firewall solution for Windows 2003 Server
From: Chris Scott (cscott_at_fluidsmgmt.com)
To: <firstname.lastname@example.org>
Date: Sun, 25 Apr 2004 02:25:43 -0500

Consider also a hardware firewall that runs at Layer 2, this way you get the
filtering but you don't have to do any routing or NAT. These are the same as
"transparent" firewalls, as they do not have an IP address unless it is for
a management interface. I believe Netscreen currently has the ability to run
at Layer 2, and Cisco's PIX will have this ability soon with version 7.0 of
Finesse (PIX operating system) which is due out later this year. I am not
sure if Checkpoint offers this or not.

You might consider a L2 firewall deployment combination with a Host-based
Intrusion Prevention deployment such as the Cisco Security Agent, or a
combination Host IPS/Firewall such as Sygate's offering. I like the Cisco
Security Agent because it is behavioral-based (it doesn't need signature
updates). Sygate needs signature updates, however it is very easy to manage.
CSA is a little more stubborn on the management side, in my opinion.

Also, you might want to check into network-based Intrusion Prevention
systems. Netscreen and Tipping Point would be two to look at; I believe one
of the handlers at ISC is also working on one. These devices will go a lot
further in the inspection of traffic than a standard firewall would. They
are basically IDS systems that sit in-line, to give you an idea of their
inspection abilities. They also can run at L2.

If I had to choose between a hardware firewall (L2 or L3), a software
firewall/IPS deployment, or an in-line IPS device to protect my server farm,
I'd probably choose the in-line IPS device but only after it was tested for
false-positives/negatives. If the false-positives/negatives rate was too
much, I'd take the hardware firewall. I simply do not trust software
firewalls installed on the server enough to act as the only layer of
protection for the server farm. They are good to augment existing server
farm defenses, but I would use them only in that role, as augmentation. I'd
choose the in-line IPS device over a firewall because of its detailed
inspection abilities. However, like I mentioned I would test the device hard
for false-positives/negatives. They aren't as much of a problem now as they
were with early IDS devices, but they still exist and can still be fatal in
a production network.

Just my $.02

Full-Disclosure - We believe in it.