At 09:59 AM 2/15/2006 -0700, you wrote:
>This may be a bit off topic here but I was wondering if you guys would
>make some recommendations regarding firewalls for Windows based servers.

        This is sort of what I've done for the past 18 years, so rather
than make a recommendation let me give you the process I use to
determine what is the best bang for the buck.  I'll speak only of
hardware firewalls in this subject.

        Generally speaking most firewalls are a NAT device.  You've
a private address range and a public one, and you write up rules that
define access from the public to the private.  You can run anything
from a $39.95 Linksys DSL router to a $50K Nokia 530 running Checkpoint
NG and still have this basic topology.  What gets interesting is how
granular you can make those rules.

        OK, so for basic web and an HL server that Linksys is about
as good as a Checkpoint.  You're going to open certain ports inbound,
the standard outbound NAT rule handles outbound traffic, just basic
port forwarding is all that's needed.

        Needed.  The Linksys has one IP address so for port 80 you've
one internal host you can forward it to.  Something like a Cisco 501
Pix firewall can do some other things, like 1-1 NATs so you can have
multiple public IP addresses and map those to multiple private IP
addresses.  The Pix also does things like examine traffic and look
for known attack methods and block those (SYN attacks and the like).
But, the Pix costs money.  If you need something like H.323
compliance where both the packet header and the packet data go
through the NAT process you're looking at the Checkpoint device.
There's a lot of overlap here, I'm just picking on these devices
because they're three very different price levels.

        Then there's speed.  Any of these devices can do 100Mbps
on the interfaces, but once you start processing packets through a
rule-base the slow-CPU Linksys is going to pale against the Pix
and the Nokia.  How fast do you need to go?

        So when evaluating firewalls I go on three criteria:
1) my present and future needs, i.e., can I do this all with one
public IP address, 2) speed, and 3) price.  For a basic HL server
the cheap Linksys will work.  For an HL server, webserver, maybe
a mail server, you can still use that device.  For a couple of
HL or mail servers, you just bumped to two firewalls and a host
of internal routing fun or a Pix.  If you want to get just down
to the individual protocol and special rules, now you're looking
at the Checkpoint.

        So, first draw out your topology.  That's going to
determine exactly what piece of kit will be necessary.
Next, forwarding a range of UDP ports for HL is not much of
a security risk, and any of the above can handle it.  If you
need to open ports at random, you're looking at higher-end units.

                - Dan

* Dan Sorenson      DoD #1066      A.H.M.C. #35     [EMAIL PROTECTED] *
* Vikings?  There ain't no vikings here.  Just us honest farmers.   *
* The town was burning, the villagers were dead.  They didn't need  *
* those sheep anyway.  That's our story and we're sticking to it.   *
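As an added illustration (not part of Dan's message), a small Python model of the two rulebase shapes he contrasts: a single public address with port forwarding, where each public port/proto can reach only one internal host, versus 1-1 NAT across several public addresses. All addresses, the HL port range and the rule names here are constructed, not taken from any product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """Port forward: proto + inbound port range on one public address -> one private host."""
    public_ip: str
    proto: str
    first_port: int
    last_port: int
    internal_ip: str

@dataclass(frozen=True)
class StaticNat:
    """1-1 NAT: every inbound port on a public address maps to one private address."""
    public_ip: str
    internal_ip: str

def translate_inbound(rules, dst_ip, proto, dst_port):
    """First-match lookup of an inbound packet's translated destination; None means default deny."""
    for rule in rules:
        if rule.public_ip != dst_ip:
            continue
        if isinstance(rule, StaticNat):
            return rule.internal_ip  # caveat: 1-1 NAT alone exposes every port on that host
        if rule.proto == proto and rule.first_port <= dst_port <= rule.last_port:
            return rule.internal_ip
    return None

def add_forward(rules, new):
    """Append a forward, refusing a public port/proto that already goes to another host."""
    for rule in rules:
        if (isinstance(rule, Forward) and rule.public_ip == new.public_ip
                and rule.proto == new.proto
                and not (new.last_port < rule.first_port or new.first_port > rule.last_port)):
            raise ValueError(f"{new.proto}/{new.first_port}-{new.last_port} on {new.public_ip} "
                             f"already forwarded to {rule.internal_ip}")
    return rules + [new]

# Constructed sample addresses (RFC 5737 documentation range on the public side).
SINGLE_IP = [  # one public address, Linksys-style port forwarding only
    Forward("203.0.113.10", "udp", 27015, 27020, "192.168.1.20"),  # HL server port range
    Forward("203.0.113.10", "tcp", 80, 80, "192.168.1.30"),         # the one web server
]
MULTI_IP = [  # several public addresses, Pix-style 1-1 NAT plus a forward
    StaticNat("203.0.113.11", "192.168.1.30"),  # first web server
    StaticNat("203.0.113.12", "192.168.1.31"),  # second web server, also reachable on 80
    Forward("203.0.113.10", "udp", 27015, 27020, "192.168.1.20"),
]
```

With the single-address rulebase a second tcp/80 forward is rejected, which is the point about needing either a second firewall or 1-1 NAT; with 1-1 NAT the translated host still needs its own filter rules because the static mapping passes every port.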

