RE: [Full-Disclosure] Firewall solution for Windows 2003 Server

From: Chris Scott
Date: 04/25/04

  • Next message: Ondrej Krajicek: "Re: [Full-Disclosure] Firewall solution for Windows 2003 Server"
    Date: Sun, 25 Apr 2004 02:25:43 -0500

    Consider also a hardware firewall that runs at Layer 2; this way you get the
    filtering but you don't have to do any routing or NAT. These are the same as
    "transparent" firewalls, as they do not have an IP address unless it is for
    a management interface. I believe Netscreen currently has the ability to run
    at Layer 2, and Cisco's PIX will have this ability soon with version 7.0 of
    Finesse (the PIX operating system), which is due out later this year. I am not
    sure if Checkpoint offers this or not.

    You might consider an L2 firewall deployment in combination with a Host-based
    Intrusion Prevention deployment such as the Cisco Security Agent, or a
    combined Host IPS/Firewall such as Sygate's offering. I like the Cisco
    Security Agent because it is behavioral-based (it doesn't need signature
    updates). Sygate needs signature updates; however, it is very easy to manage.
    CSA is a little more stubborn on the management side, in my opinion.

    Also, you might want to check into network-based Intrusion Prevention
    systems. Netscreen and Tipping Point would be two to look at; I believe one
    of the handlers at ISC is also working on one. These devices will go a lot
    further in the inspection of traffic than a standard firewall would. They
    are basically IDS systems that sit in-line, to give you an idea of their
    inspection abilities. They also can run at L2.

    If I had to choose between a hardware firewall (L2 or L3), a software
    firewall/IPS deployment, or an in-line IPS device to protect my server farm,
    I'd probably choose the in-line IPS device, but only after it was tested for
    false positives/negatives. If the false-positive/negative rate was too
    high, I'd take the hardware firewall. I simply do not trust software
    firewalls installed on the server enough to act as the only layer of
    protection for the server farm. They are good to augment existing server
    farm defenses, but I would use them only in that role, as augmentation. I'd
    choose the in-line IPS device over a firewall because of its detailed
    inspection abilities. However, as I mentioned, I would test the device hard
    for false positives/negatives. They aren't as much of a problem now as they
    were with early IDS devices, but they still exist and can still be fatal in
    a production network.

    Just my $.02

    Full-Disclosure - We believe in it.
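To make the "transparent firewall" idea in the message above concrete, here is an added example (not part of Chris Scott's post or of any vendor's product) that models a Layer 2 filter in Python: it parses raw Ethernet/IPv4/TCP frames bridged between two interfaces and applies a rule list using only header fields, so the filter itself needs no IP address and does no routing or NAT. The frames, MAC addresses, IP addresses and the policy (allow TCP to 10.0.0.5 on ports 80 and 443, default deny) are constructed for illustration. It also shows the one caveat every transparent deployment has to honor: ARP must be bridged, or the hosts on either side can never resolve each other.

```python
"""Model of a Layer 2 ("transparent") packet filter (illustrative example).

Decisions are made from Ethernet/IP/TCP headers alone; the filter never
needs an IP address of its own. All frames below are constructed by hand.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[int] = None  # IP protocol number; None matches any
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


# Hypothetical policy for a server farm: web only, everything else dropped.
POLICY = [
    Rule("allow", PROTO_TCP, "10.0.0.5", 80),
    Rule("allow", PROTO_TCP, "10.0.0.5", 443),
]


def parse_frame(frame: bytes) -> dict:
    """Extract the header fields a filter needs from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETH_IPV4:
        return info                      # non-IP frame: nothing more to parse
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("short IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    info["proto"] = ip[9]
    info["src_ip"] = ".".join(str(b) for b in ip[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def decide(frame: bytes, rules: list) -> str:
    """Return "allow" or "deny" for a frame crossing the bridge."""
    info = parse_frame(frame)
    if info["ethertype"] == ETH_ARP:
        return "allow"                   # ARP must pass or nothing behind us works
    if info["ethertype"] != ETH_IPV4:
        return "deny"                    # no rules for other ethertypes
    for r in rules:                      # first match wins
        if r.proto is not None and r.proto != info.get("proto"):
            continue
        if r.dst_ip is not None and r.dst_ip != info.get("dst_ip"):
            continue
        if r.dst_port is not None and r.dst_port != info.get("dst_port"):
            continue
        return r.action
    return "deny"                        # default deny


def ipv4_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN frame; checksums left zero (the filter ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0, src, dst)
    return eth + ip + tcp


def arp_frame() -> bytes:
    """Constructed ARP frame (payload contents irrelevant to the filter)."""
    return bytes(12) + struct.pack("!H", ETH_ARP) + bytes(28)


if __name__ == "__main__":
    for f in (ipv4_tcp_frame("192.0.2.10", "10.0.0.5", 40000, 80),
              ipv4_tcp_frame("192.0.2.10", "10.0.0.5", 40000, 3389),
              arp_frame()):
        print(parse_frame(f), "->", decide(f, POLICY))
```

The point to take from this is the one the message makes: the box doing the filtering is addressed by nobody on the wire, so it can be dropped in front of an existing subnet without renumbering, re-routing or NAT. A real transparent firewall also has to handle VLAN tags, fragments and stateful tracking, none of which this model attempts.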
