Re: Packet Filtering on Win 2K server

From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
Date: Wed, 5 Mar 2003 11:29:48 -0500


I agree completely [netscreen, bsd firewall, ipsec]

More info that may help:

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#ipsec

and all this is no replacement for hardening the server properly, starting
with:

http://securityadmin.info/faq.htm#harden

Some people recommend you do no web browsing or email checking on a secure
server, as it could introduce certain risks.

"Edward W. Ray" <support@mmicman.com> wrote in message
news:ufk41ip4CHA.2324@TK2MSFTNGP10.phx.gbl...
> IE should not depend on having ports open. IE is a client, so as long as
> the TCP ephemeral ports (1024 - 65535) are open and available, IE will use
> them to connect to the web site of your choice on TCP port 80. I would
> suggest you use two NIC cards; one for server (FTP, SMTP) connections
> only, the other for web surfing. Or just disable the packet filtering
> feature and use ISA or a hardware firewall for port blocking. If it is a
> server serving external/internet, I would not recommend surfing from it
> anyway, as it presents a security risk.
>
> IPsec is a better choice for packet filtering, should you decide to use
> it.
>
> Define "low-cost." For me, it is a Netscreen 5XT with the 10 user option
> for $695. Unlimited user is about $300 more. It is an ICSA-qualified
> stateful packet filter firewall with allowance for up to 2000 sessions at
> one time.
>
> If you need more sessions, I suggest you configure an OpenBSD or Linux box
> as a firewall, using an old machine, i.e. PII 266MHz or better will do.
> Make use of the old secretary's machine or something. You will have to do
> the research on how to set it up yourself, but the hardware cost is
> negligible (just a few NIC cards) plus Linux (free) or OpenBSD ($40) OS.
>
> Good luck!!
>
> Edward Ray
> GCIA
>
>
> "Troy Harnish" <troy@nospam.ca> wrote in message
> news:06e501c2e294$05e005c0$3301280a@phx.gbl...
> > Hi; I need some help with TCP/IP packet filtering on
> > Windows 2000 Advanced Server. These servers will be
> > exposed to the Internet as web servers, as well as
> > hosting mail on a third party product. I need help with
> > making them a bit more solid.
> >
> > After I enable packet filtering in the NIC properties, I
> > enable ports 20, 21 (FTP), 25 (SMTP), 53 (DNS), 80 (WWW
> > server), 110 (POP 3), on both TCP and UDP (all protocols
> > allowed). Seems to work OK, port scan shows no other
> > ports open, but I now cannot surf from this machine
> > (configured as a SecureNAT client through ISA). Works
> > without the packet filters... What else do I need to open
> > up to get IE to work? Or can I set it so that it only
> > uses port 80, and no dynamic ports?
> >
> > Further, does anyone know of a low cost firewall that
> > will do stateful inspection, but allow very simple
> > blocking of ports, dynamic opening, etc.? I tried ISA,
> > but it doesn't like hosting sites on the same box as ISA
> > (even after the workarounds for socket pooling), and
> > just takes too much work.
> >
> > Thanks,
> >
> > Troy
> > Troy@nospam.ca (replace nospam with seabird)
>
>
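The thread's core point (a destination-port allow list on the server breaks the server's own browsing, because every reply to IE or to the resolver arrives on an ephemeral port that the list does not cover, while a stateful filter admits those replies and still drops unsolicited probes) can be shown in a few lines. The simulation below is an example added to this archived thread; it is not code from any of the posters, and it does not drive the real Windows 2000 TCP/IP filtering or IPsec components. The addresses, port numbers and packet sequence are constructed for the demonstration; the allowed-port set is the one Troy listed.

```python
"""Stateless port allow-list (Windows 2000 'TCP/IP filtering' style) versus a
stateful filter, run over a constructed packet sequence.  Added to this thread
as an illustration; it is not code from any of the posters and does not drive
the real Windows filtering or IPsec components."""
from dataclasses import dataclass

# Inbound destination ports the server publishes: the list Troy enabled.
ALLOWED_INBOUND_PORTS = {20, 21, 25, 53, 80, 110}

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
SERVER_IP = "192.0.2.10"      # the Win2K server running the filter
WEB_IP = "203.0.113.10"       # a site someone browses to from the server
DNS_IP = "203.0.113.53"       # the resolver the server queries
SCANNER_IP = "198.51.100.7"   # an unrelated Internet host


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the server, "out" = leaving it
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def stateless_filter(packets):
    """Judge each inbound packet on its destination port alone, with no memory
    of what the host itself sent earlier.  Outbound traffic is never filtered."""
    verdicts = []
    for p in packets:
        if p.direction == "out" or p.dst_port in ALLOWED_INBOUND_PORTS:
            verdicts.append("allow")
        else:
            verdicts.append("drop")
    return verdicts


def stateful_filter(packets):
    """Stateful inspection: an outbound TCP SYN or outbound UDP datagram records
    a flow; an inbound packet that is the reverse of a recorded flow is allowed
    even though it is addressed to an ephemeral port."""
    flows = set()
    verdicts = []
    for p in packets:
        if p.direction == "out":
            if p.proto == "udp" or (p.syn and not p.ack):
                flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            verdicts.append("allow")
            continue
        reply_to = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reply_to in flows or p.dst_port in ALLOWED_INBOUND_PORTS:
            verdicts.append("allow")
        else:
            verdicts.append("drop")
    return verdicts


# Constructed traffic: what browsing from the server looks like on the wire,
# plus one scan probe and one legitimate visitor to the published web server.
SAMPLE = [
    ("DNS query for the site, from UDP ephemeral port 1036",
     Packet("out", "udp", SERVER_IP, 1036, DNS_IP, 53)),
    ("DNS answer back to UDP port 1036",
     Packet("in", "udp", DNS_IP, 53, SERVER_IP, 1036)),
    ("IE opens TCP port 80 on the site from ephemeral port 1035",
     Packet("out", "tcp", SERVER_IP, 1035, WEB_IP, 80, syn=True)),
    ("SYN/ACK from the site back to port 1035",
     Packet("in", "tcp", WEB_IP, 80, SERVER_IP, 1035, syn=True, ack=True)),
    ("Unsolicited SYN from a scanner to port 1035",
     Packet("in", "tcp", SCANNER_IP, 4444, SERVER_IP, 1035, syn=True)),
    ("Visitor's SYN to the published web server on port 80",
     Packet("in", "tcp", SCANNER_IP, 51515, SERVER_IP, 80, syn=True)),
]


def compare(sample):
    """Return (label, stateless verdict, stateful verdict) for each packet."""
    packets = [p for _, p in sample]
    rows = zip((label for label, _ in sample),
               stateless_filter(packets), stateful_filter(packets))
    return list(rows)


if __name__ == "__main__":
    for label, stateless, stateful in compare(SAMPLE):
        print(f"{label:58} stateless={stateless:5} stateful={stateful}")
```

The stateless run drops both replies (the DNS answer to port 1036 and the SYN/ACK to port 1035), which is exactly the "works without the packet filters" symptom; the stateful run admits them and still drops the scanner's probe to port 1035. The same applies with ISA as the SecureNAT next hop, since the replies still come back to the ephemeral port. The tempting fix, adding 1024-65535 to the allow list, reopens everything the filter was meant to close, which is why the replies in the thread point to a stateful device or a second NIC instead.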


