Re: Microsoft and their IPSEC security - no firewall?
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 12/06/03
- Next message: Hakan K: "How to change SID of the hard drive"
- Previous message: Karl Levinson [x y] mvp: "Re: Windows 2000/NT protection"
- In reply to: noname: "Microsoft and their IPSEC security - no firewall?"
- Next in thread: noname: "Re: Microsoft and their IPSEC security - no firewall?"
- Reply: noname: "Re: Microsoft and their IPSEC security - no firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 6 Dec 2003 08:02:00 -0500
Removing your firewall would be a huge mistake. I'm positive Microsoft uses
firewalls in front of at least some of their web servers wherever
possible, and recommends you do the same. [If you don't trust me, go to
www.microsoft.com/technet/security and read their recommendations on how to
secure your servers.] Additionally, at least some of their web servers are
probably not really "theirs" but are outsourced to a third party provider
that doesn't always use Windows for their servers.
Good security involves multiple layers of protection in case one level
fails. I don't see a good reason here for removing the firewall. In fact,
I see reasons not to do so: if you were hacked, you would have no idea
where the hacking came from, as there is no IP logging native in Windows
2000 unless you use a firewall. IPSec has no logging, and it won't alert
you if suspicious traffic that indicates a hack or an attack starts being
generated, and it won't let you look at amounts of traffic or analyze
traffic levels to see if the reason why your server is so slow in the future
is due to bandwidth or not.
Also, removing your firewall could put MORE stress on your web server, as
your firewall would otherwise be filtering out the 130,000 other unneeded
ports. If you're not blocking those other ports, hackers can get
information from those ports, even ones that are not listening. Since IPSec
is software, any virus or trojan or remote buffer overflow hack that gets to
somehow run on that computer can disable it. Or, what if IPsec somehow
fails to start or someone or something in the future accidentally disables
it? Or what if you install a patch and it re-enables a service you didn't
want running or the .dll file fails to be installed correctly, leaving you
still vulnerable?
Last, Microsoft might be able to do this because presumably they may have
experts that do nothing but Windows security all day and know how to
properly secure a Windows computer to be on the Internet with no firewall.
Most other Windows servers out there however have mistakes in their setup.
And even Microsoft gets hacked and/or forgets to put a patch on a machine
from time to time.
http://securityadmin.info/faq.asp#ipsec
"noname" <marketing@terago.ca> wrote in message
news:FebAb.183555$Fv8.102597@twister01.bloor.is.net.cable.rogers.com...
> Hello.
>
> I hope that this is the right place to send this, if not, please omit, or
> kindly direct me to a newsgroup that may help.
>
> A colleague of mine went to a security conference where Microsoft was one of
> the keynotes. He learned that MS isn't running a firewall on their
> webservers because there isn't a firewall that is capable of scaling to
> their needs. All MS servers are patched ASAP and are running IPSEC for any
> sessions to the server. Now, he wants to take away our perimeter firewall
> (Cisco PIX), and do what MS is doing.
>
> Does anyone have any thoughts about this? Any pros/cons, experiences? Is
> there a name for this? I don't think this is a true application firewall
> gateway, but perhaps I am mistaken.
>
> thanks for any advice folks!
>
> ben
>
>
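The visibility point made in the reply above (a perimeter firewall logs the connections it denies, so probes against ports the server does not need can be tied to a source address, something a host-only IPsec filter does not give you) can be illustrated with a small added example. This is not code from the original post or from any of the products it names. It parses a few constructed Cisco PIX-style syslog deny lines (message ID 106023) and ranks source addresses by how many distinct closed ports they were denied on; the log lines, addresses, ports and the `min_ports` threshold are all made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco PIX syslog output. The deny lines follow the
# shape of message 106023; the last line is a permitted connection (302013)
# and is there to show that non-deny lines are ignored. All addresses and
# ports are invented for this example.
SAMPLE_LOG = """\
Dec  6 08:00:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:192.0.2.10/135 by access-group "outside_in"
Dec  6 08:00:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:192.0.2.10/139 by access-group "outside_in"
Dec  6 08:00:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40213 dst inside:192.0.2.10/445 by access-group "outside_in"
Dec  6 08:00:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40214 dst inside:192.0.2.10/1433 by access-group "outside_in"
Dec  6 08:00:05 pix %PIX-4-106023: Deny udp src outside:203.0.113.9/5000 dst inside:192.0.2.10/137 by access-group "outside_in"
Dec  6 08:00:09 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/5001 dst inside:192.0.2.10/135 by access-group "outside_in"
Dec  6 08:00:10 pix %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/5002 (203.0.113.9/5002) to inside:192.0.2.10/80 (192.0.2.10/80)
"""

# Matches the fields of a 106023 deny message: protocol, source and
# destination address/port. Interface names (outside/inside) are skipped.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Return a (proto, src, dst, dport) tuple for every deny line in the log."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return events


def ports_touched_by_source(events):
    """Map each source address to the set of destination ports it was denied on."""
    touched = defaultdict(set)
    for _proto, src, _dst, dport in events:
        touched[src].add(dport)
    return touched


def probing_sources(events, min_ports=3):
    """Sources denied on at least min_ports distinct ports, most active first.

    A single denied packet is normal background noise; one source walking
    several closed ports in a short window is what a firewall log lets you
    see and attribute, which is the visibility argued for in the post.
    """
    touched = ports_touched_by_source(events)
    ranked = sorted(touched.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, sorted(ports)) for src, ports in ranked if len(ports) >= min_ports]


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    print(f"{len(evs)} denied connections parsed")
    for src, ports in probing_sources(evs):
        print(f"{src} was denied on {len(ports)} closed ports: {ports}")
```

On the constructed sample, six deny lines are parsed; the permitted port 80 connection is skipped, and only the address that touched four distinct closed ports clears the threshold. The same parse function can be pointed at a real PIX syslog file, adjusting `DENY_RE` if the firewall in use emits a different deny message ID.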