Re: Is software firewall necessary if hardware is available?

From: Leythos (void_at_nowhere.lan)
Date: 02/14/05


Date: Mon, 14 Feb 2005 19:11:32 GMT

On Mon, 14 Feb 2005 12:11:17 -0500, paul dallaire wrote:

> Hi! Thanks for the response. It tells in the docs how to set up a set FTP
> software. If it does not support it then why have the docs on it?
>
> I am running Win XP Pro SP2, not server.

I had a suspicion that you were running a workstation instead of a server.
You're still in the same boat, you also risk your other computers should
the public one become compromised.

Your 604 router is just a simple NAT box with no real firewall installed
and no means to have two network segments - we would call one segment the
LAN and the other the DMZ - typically there is none or little connection
between the DMZ and the LAN, and your non-public computers sit in the LAN
segment. With this type of setup your computers in the DMZ can't reach the
computers in the LAN should a DMZ computer become compromised.

There are ways to build a cheap LAN/DMZ, but you need two routers:

INTERNET
   |
ROUTER 1
   | < DMZ SEGMENT
   | < 192.168.0.0/24
ROUTER 2
   | < LAN SEGMENT
   | < 192.168.1.0/24

In this setup your LAN computers are able to access the DMZ WEB/FTP
computers, but, unless you make ports back into ROUTER 2, the DMZ
computers can't reach the LAN segment. All computers can reach the
Internet through the routers.

Now, you do understand that your Workstation is limited to 10 sessions at
a time - meaning that your web site is very limited in how many users can
access it?

You might also want to consider using something other than the built-in MS
FTP service - take a look at FileZilla, it's an open source FTP server
that runs on the Windows platform and is much easier and more feature rich
than the MS FTP service - and it doesn't require a Windows user account -
since you're not going to allow anonymous access to the FTP site (it would
be bad to allow FTP write access to the world).

FileZilla server can be found here:
http://filezilla.sourceforge.net/

-- 
spam999free@rrohio.com
remove 999 in order to email me
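
The two-router layout described in the post above, modelled as a small reachability check. This is an added example, not part of the original message; the host addresses, ROUTER 1's public address (203.0.113.10), ROUTER 2's DMZ-side address (192.168.0.2) and the forwarded ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

class NatRouter:
    """Simple NAT box: inside hosts may go out; inbound needs a port forward."""
    def __init__(self, wan_ip, inside, forwards=None):
        self.wan_ip = ip_address(wan_ip)
        self.inside = ip_network(inside)
        self.forwards = dict(forwards or {})  # WAN port -> (inside IP, port)

    def inbound(self, port):
        """Translate a connection to the WAN address, or None if dropped."""
        if port not in self.forwards:
            return None
        ip, inner_port = self.forwards[port]
        return ip_address(ip), inner_port

def zone(ip, routers):
    """0 = Internet, 1 = behind ROUTER 1 (DMZ), 2 = behind ROUTER 2 (LAN)."""
    for depth in range(len(routers), 0, -1):
        if ip_address(ip) in routers[depth - 1].inside:
            return depth
    return 0

def deliver(src, dst, port, routers):
    """Return the (ip, port) a new connection lands on, or None if dropped."""
    pos, dst = zone(src, routers), ip_address(dst)
    while True:
        if zone(dst, routers) > pos:
            return None  # private address deeper inside: not reachable
        if pos < len(routers) and dst == routers[pos].wan_ip:
            hop = routers[pos].inbound(port)
            if hop is None:
                return None  # no forward configured on this router
            (dst, port), pos = hop, pos + 1
            continue
        return dst, port  # same segment, or outbound through NAT

# Constructed topology: FTP/web host 192.168.0.10 in the DMZ, PC 192.168.1.20
# in the LAN. ROUTER 1 forwards port 21; ROUTER 2 forwards nothing by default.
def build(router2_forwards=None):
    r1 = NatRouter("203.0.113.10", "192.168.0.0/24", {21: ("192.168.0.10", 21)})
    r2 = NatRouter("192.168.0.2", "192.168.1.0/24", router2_forwards)
    return [r1, r2]

if __name__ == "__main__":
    net = build()
    print(deliver("198.51.100.7", "203.0.113.10", 21, net))   # Internet -> FTP
    print(deliver("192.168.1.20", "192.168.0.10", 21, net))   # LAN -> DMZ
    print(deliver("192.168.0.10", "192.168.1.20", 445, net))  # DMZ -> LAN
    print(deliver("192.168.0.10", "192.168.0.2", 445, net))   # DMZ -> ROUTER 2
```

Calling `build({445: ("192.168.1.20", 445)})` instead shows how a single forward on ROUTER 2 reopens the path from the DMZ into the LAN.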

