RE: win2k firewall
From: Mark S. Searle (Mark.Searle@lon.ipalliance.net)
Date: Mon, 6 Jan 2003 16:57:18 -0000
From: "Mark S. Searle" <Mark.Searle@lon.ipalliance.net>
To: "Dejan" <firstname.lastname@example.org>, "Security-Basics" <email@example.com>
In all honesty if you are planning to use the box as a web server then it is best not to put a software firewall on it at all. Any firewall software will seriously impact on server performance if the hit level is high. Rather it would be a better idea, and in line with common sense, to move the security layer away from the web server and just let the server fulfill its own function. It's always best to use a dedicated firewall in my opinion. A Cisco PIX firewall or Nokia firewall may do the job nicely. Cisco firewalls can be picked up fairly inexpensively on eBay.

It would be best to move the web server to a DMZ on your firewall and only allow access to port 80 and 443 (if using SSL) on your server. As a further precaution you can privately number your web server and use NAT through the firewall to a global public address. You can also prevent people from using your server as a "hop point" if they manage to break through your firewall ACLs on a Cisco PIX by restricting your static entries which prevents the web server from initiating connections out to the Internet.
Hope this gives you some ideas.
From: Dejan [mailto:firstname.lastname@example.org]
Sent: 05 January 2003 20:02
Subject: win2k firewall
anyone can recommend software firewall for win2k adv. server? it is planned
to be used as web server.
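The layout described in the reply above (web server in a DMZ, private addressing with a static NAT to a public address, inbound limited to ports 80 and 443, no outbound connections from the server) could look like the following on a PIX running 6.x-style software. This is an added example, not configuration from the original post: the interface names, ACL names and all addresses are constructed (documentation and RFC 1918 ranges), and the outbound restriction is done here with an access list bound to the dmz interface, which is a substituted, explicit way to get the effect the message attributes to restricting the static entries. Lines starting with `!` are annotations for the reader.

```cisco
! Interfaces: outside (Internet), dmz (web server segment). Names are assumptions.
nameif ethernet0 outside security0
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Privately numbered web server 192.168.10.10 published as 203.0.113.10.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! Inbound: only HTTP and HTTPS to the published address.
! Everything else from outside falls to the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! Outbound: the web server may not open new connections through the firewall.
! Replies to inbound web sessions still pass because the PIX is stateful and
! the access list is only consulted for new connections.
access-list dmz_in deny ip host 192.168.10.10 any
access-group dmz_in in interface dmz

! No nat/global pair is defined for the dmz interface, so no other DMZ host
! gets an outbound translation either.
```

With this in place, denied outbound attempts from 192.168.10.10 show up in the firewall's syslog output, which is a useful signal that the web server may have been compromised.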