RE: [Full-Disclosure] Firewall solution for Windows 2003 Server

From: Chris Scott (cscott_at_fluidsmgmt.com)
Date: 04/25/04

    To: <full-disclosure@lists.netsys.com>
    Date: Sun, 25 Apr 2004 02:25:43 -0500
    
    

    Consider also a hardware firewall that runs at Layer 2, this way you get the
    filtering but you don't have to do any routing or NAT. These are the same as
    "transparent" firewalls, as they do not have an IP address unless it is for
    a management interface. I believe Netscreen currently has the ability to run
    at Layer 2, and Cisco's PIX will have this ability soon with version 7.0 of
    Finesse (PIX operating system) which is due out later this year. I am not
    sure if Checkpoint offers this or not.

    You might consider an L2 firewall deployment in combination with a Host-based
    Intrusion Prevention deployment such as the Cisco Security Agent, or a
    combination Host IPS/Firewall such as Sygate's offering. I like the Cisco
    Security Agent because it is behavioral-based (it doesn't need signature
    updates). Sygate needs signature updates, however it is very easy to manage.
    CSA is a little more stubborn on the management side, in my opinion.

    Also, you might want to check into network-based Intrusion Prevention
    systems. Netscreen and Tipping Point would be two to look at, I believe one
    of the handlers at ISC is also working on one. These devices will go a lot
    further in the inspection of traffic than a standard firewall would. They
    are basically IDS systems that sit in-line, to give you an idea of their
    inspection abilities. They also can run at L2.

    If I had to choose between a hardware firewall (L2 or L3), a software
    firewall/IPS deployment, or an in-line IPS device to protect my server farm,
    I'd probably choose the in-line IPS device but only after it was tested for
    false-positives/negatives. If the false-positives/negatives rate was too
    much, I'd take the hardware firewall. I simply do not trust software
    firewalls installed on the server enough to act as the only layer of
    protection for the server farm. They are good to augment existing server
    farm defenses, but I would use them only in that role, as augmentation. I'd
    choose the in-line IPS device over a firewall because of its detailed
    inspection abilities. However, like I mentioned I would test the device hard
    for false-positives/negatives. They aren't as much of a problem now as they
    were with early IDS devices, but they still exist and can still be fatal in
    a production network.

    Just my $.02

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
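An added example, not code from Chris Scott's post or from any of the vendors he names: a small Python model of the three roles the post compares. A transparent (Layer 2) firewall makes a header-only pass/drop decision and hands the frame on byte-for-byte, with no routing and no NAT rewrite; an in-line IPS sits in the same position but inspects the payload; and both are scored for false positives and negatives over a labelled corpus before anyone trusts them in production. All frames, addresses (RFC 5737 test networks), MAC addresses and signatures are constructed for the example and are assumptions, not captured traffic or any product's rule set.

```python
import struct
import ipaddress

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Constructed, locally administered MAC addresses and TEST-NET prefixes.
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
SERVER_FARM = ipaddress.ip_network("192.0.2.0/24")   # the hosts being protected
ALLOWED_SERVER_PORTS = {80, 443}                      # what the farm is meant to serve

# Toy signatures for the IPS: a broad set that also fires on a harmless URL,
# and a tuned set after the false-positive test below.
BROAD_SIGNATURES = [("path-traversal", b"../../"), ("windows-shell", b"cmd.exe")]
TUNED_SIGNATURES = [("path-traversal", b"../../")]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (no options). Checksums are left
    at zero because these frames are only ever fed to the functions below."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = IP_LEN + TCP_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode just the header fields a filtering device needs; None if not IPv4/TCP."""
    if len(frame) < ETH_LEN + IP_LEN + TCP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != PROTO_TCP:
        return None
    src_ip = str(ipaddress.IPv4Address(frame[ETH_LEN + 12:ETH_LEN + 16]))
    dst_ip = str(ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20]))
    tcp = ETH_LEN + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "payload": frame[tcp + data_off:]}


def transparent_firewall(frame):
    """Layer-2 bridging firewall. Returns (verdict, frame). The frame it passes
    is the identical byte string: the device has no IP address on the data
    path, so it neither routes nor rewrites addresses (no NAT)."""
    hdr = parse_frame(frame)
    if hdr is None:
        return "drop", frame                      # only IPv4/TCP is modelled
    if ipaddress.ip_address(hdr["dst_ip"]) in SERVER_FARM:
        verdict = "pass" if hdr["dst_port"] in ALLOWED_SERVER_PORTS else "drop"
    else:
        verdict = "pass"                          # stateless toy: outbound passes
    return verdict, frame


def inline_ips(frame, signatures):
    """In-line IPS: same pass/drop position as the firewall, but the decision
    looks into the payload. Returns (verdict, name of the matching signature)."""
    hdr = parse_frame(frame)
    if hdr is None:
        return "drop", None
    for name, pattern in signatures:
        if pattern in hdr["payload"]:
            return "drop", name
    return "pass", None


def evaluate(device, labeled_frames):
    """False-positive / false-negative rates of `device` over (frame, is_malicious)
    pairs. A 'drop' verdict counts as a positive."""
    fp = fn = benign = malicious = 0
    for frame, is_malicious in labeled_frames:
        verdict = device(frame)[0]
        if is_malicious:
            malicious += 1
            fn += verdict != "drop"
        else:
            benign += 1
            fp += verdict == "drop"
    return {"false_positive_rate": fp / benign if benign else 0.0,
            "false_negative_rate": fn / malicious if malicious else 0.0}


def sample_corpus():
    """Constructed labelled traffic to a web server in the farm."""
    def web(payload):
        return build_frame(CLIENT_MAC, SERVER_MAC, "198.51.100.7", "192.0.2.10",
                           40000, 80, payload)
    return [
        (web(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"), False),
        (web(b"GET /docs/../../boot.ini HTTP/1.1\r\n\r\n"), True),          # traversal probe
        (web(b"GET /blog/cmd.exe-tips.html HTTP/1.1\r\n\r\n"), False),      # harmless URL
    ]


if __name__ == "__main__":
    corpus = sample_corpus()
    print("L2 firewall:", evaluate(transparent_firewall, corpus))
    print("IPS (broad): ", evaluate(lambda f: inline_ips(f, BROAD_SIGNATURES), corpus))
    print("IPS (tuned): ", evaluate(lambda f: inline_ips(f, TUNED_SIGNATURES), corpus))
```

Run as a script, the firewall scores a 100% false-negative rate on this corpus (the traversal request is to an allowed port, and headers are all it sees), the broad IPS rule set drops the harmless `cmd.exe-tips.html` request (a 50% false-positive rate on the benign frames), and the tuned set scores zero on both. That is the measurement the post says to make before letting an in-line device be the only thing between the network and the server farm; a false positive in that position is an outage, not an alert.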

