Running a firewall on a seperate machine or the server itself is not a replacement for good security configurations and keeping the system patched and plugged.
If it is dedicated to being a webserver only, turn off non-essential services and stick it in a DMZ. As someone else mentioned using a software based firewall on the system itself could load it down if heavily trafficed, this may be a trade off however. If your hosting database integrated web applications or using it to pull double duty by running other networking services like a DC(I wouldn't recomend doing so) there are more precautions to consider. Use nmap or some other program to probe the open ports after turning off services and uninstalling uneeded programs. I guess this is starting to sound redundant redundant and a bit off from the original topic by now. :-) -Jimmy -----Original Message----- From: Daniel R. Miessler [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 10:41 AM To: 'H C'; [EMAIL PROTECTED] Subject: RE: win2k firewall -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Perhaps you're not familiar with what Code Red does. > First off, it doesn't attack the operating system, it > attacks the web server. Second, all that is required > to protect yourself against CR is to disable the > ida/idq script mapping. In fact, disabling unused > script mappings (ie, unnecessary or unused > services/functionality) is not only common sense, but > it's also all over every site that talks about > information security. Dude, my intention is not to debate with you about this or that little issue. Most don't run Apache on W2K - they run IIS. He asked what a good firewall was to put on a W2K server, and I said that he should use a solution that will monitor ALLOWED traffic. I can't possibly see what is wrong with this. He is asking what firewall he should use on a server, I said BlackIce. Do you know of another FIREWALL (Snort is an IDS) that he can put on a W2K server that will afford any protection over turning off services, i.e. one that will look for and block dangerous payloads in allowed traffic? The major issue, as you know, with firewalling a server is that you have to let things in. And since the vast majority of firewalls do nothing for inbound traffic, it is often said that putting a software firewall on a server is close to pointless. This is why I mentioned BlackIce - it is one of the few software firewalls that does offer additional protection for machines offering services. Granted, it does it by using a rulebase, but it does have some heuristic capabilities, and it is at least another layer to add to the weak link presented by allowed services. In short, I can't see what your beef is. The recommendation of a software firewall that runs on W2K Server and offers a unique protection feature is more than appropriate for this discussion, especially since that was the very question asked by the original poster. Please show me where I have gone astray. - -Daniel R. Miessler -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPhtQd1Jwf7WiYT5vEQLnYQCfey7VPI5+I3O2iEoRqwwkqRwuqvsAn0OB r3xqcagLGQS3QZbnbtcAS8Fj =YNjd -----END PGP SIGNATURE-----
