Beta

# What is the Best Firewall for Servers?

673

### Re:at the risk of getting flamed into submission.. (-1, Flamebait)

This comment was hidden based on your threshold setting.

#### Hightest | more than 8 years ago

Can you give me the name of your University, so I can recommend people not attend a University that uses Windows 2003 or XP server in there labs.

### now that is funny (0)

This comment was hidden based on your threshold setting.

Solaris 10 :)

### Smoothwall (4, Informative)

This comment was hidden based on your threshold setting.

### Re:Smoothwall (1)

This comment was hidden based on your threshold setting.

#### m0topilot | more than 8 years ago

I second that... Smoothwall is very good especially when you can recycle old computers and its cheap! There are also smoothwall hacks out there that help you extend it.

### Re:Smoothwall (-1, Flamebait)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Don't forget that the developer is a prick.

### Re:Smoothwall (0)

This comment was hidden based on your threshold setting.

mod parent up

### I use.... (-1, Flamebait)

This comment was hidden based on your threshold setting.

### Re:I use.... (1)

This comment was hidden based on your threshold setting.

#### stinerman | more than 8 years ago

What a coincidence!!! I use yours!

### w00t (-1, Offtopic)

This comment was hidden based on your threshold setting.

okay then ...

### I'm sorry. (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

But shouldn't a well-maintained server OS be able to stand on its own?

### Re:I'm sorry. (2, Insightful)

This comment was hidden based on your threshold setting.

#### CoolCash | more than 8 years ago

A good security system is to have a multi-layered security system.

### Use a *separate* firewall box. (4, Insightful)

This comment was hidden based on your threshold setting.

#### Richard Steiner | more than 8 years ago

That way, platform compatibility is a nonissue.

I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...

### Hardware or Software? (2, Insightful)

This comment was hidden based on your threshold setting.

#### glrotate | more than 8 years ago

I'd say keep the firewall software off of your Server. Get a decent hardware one from Checkpoint.

### Re:Hardware or Software? (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Checkpoint is not a hardware firewall. It is software that can be run on linux/solaris/win32 or whatever runs on thier nokia platform.

### Re:Hardware or Software? (1)

This comment was hidden based on your threshold setting.

#### ndansmith | more than 8 years ago

I would have to agree with this as well. We have a small network with 5 Win2003 servers and 90 XP workstation. We use the Netscreen 5GT. It can be quite tricky to set-up, but having the firewall seperate from your domain is quite handy. Second choice, get a UNIX box to do the job.

### What's wrong with windows firewall (2, Insightful)

This comment was hidden based on your threshold setting.

#### gooogle | more than 8 years ago

Seriously, why put down $300 when the windows firewall will do? Or get a$50 router and block all uncessary ports to give yourself and additional layer of security.

### Re:What's wrong with windows firewall (2, Insightful)

This comment was hidden based on your threshold setting.

#### Alan | more than 8 years ago

Because in this case, the end result is something easier to deal with that solves the problem. If you want to maintain a "bunch" (however many that is) of installs of a windows firewall, on multiple OSs, then yea, absolutely.

The thinking here is a separate machine will help maintainability (assuming of course that you know linux), ease of upgrades (one system vs a "bunch"). Of course, in this case a little router box would work just fine as well. The only thing with the router boxes is the ones sold to joe average have a very unconfigurable firewall (in my own experience with linksys and d-link systems) where as the original poster might want some extra control (ie: outbound filtering) of his windows systems.

### Re:What's wrong with windows firewall (0)

This comment was hidden based on your threshold setting.

Idiot

### Is this a joke? (5, Funny)

This comment was hidden based on your threshold setting.

#### AEton | more than 8 years ago

You keep getting hit by zombie machines?

Liberal Arts zombies? Are you sure they're not dogs?

(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer.)

### Re:Is this a joke? (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Dunno, but flamethrowers usually works against zombies.

### Re:Is this a joke? (1)

This comment was hidden based on your threshold setting.

#### dabigpaybackski | more than 8 years ago

Don't forget boomsticks.

### iptables (2, Insightful)

This comment was hidden based on your threshold setting.

### Two Words... (3, Informative)

This comment was hidden based on your threshold setting.

### Re:Two Words... (1)

This comment was hidden based on your threshold setting.

#### mx.2000 | more than 8 years ago

Or even easier to install: m0n0wall

### BSD rulez! (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

a *BSD box. preferably NetBSD.

### Sounds to me like.... (1)

This comment was hidden based on your threshold setting.

#### Mercury2k | more than 8 years ago

"...we keep getting hit by zombie machines taken over in the Education Department..."

Sounds like they are practicing getting "sch0013d"

### Win2k3 SP1 Firewall (2, Informative)

This comment was hidden based on your threshold setting.

#### chota | more than 8 years ago

The firewall bundled with the service pack upgrade to Server 2003 isn't too bad, but it only does incoming connections. You can exempt ports or executables.

Also, it's free.*

*Well, you know what I mean.

### Depends (1)

This comment was hidden based on your threshold setting.

#### brokenin2 | more than 8 years ago

Linux: iptables (built in)

Windows: Avoid windows. If unavoidable, then zone alarm.

### Isolate and hardware firewall (1)

This comment was hidden based on your threshold setting.

#### strredwolf | more than 8 years ago

Isolate your network, and secure it using a Linux-based firewall. Hopefully you have 1:1 mapping, so you won't need to NAT the resulting connection. Ether way, connections comming in one Ethernet port will hit the Linux box, but keep all outgoing traffic from the isolated network running safe.

### ummmmm (1)

This comment was hidden based on your threshold setting.

#### matth | more than 8 years ago

Why not try a hardware solution? perhaps a Cisco PIX? Worse case use monowall.. it is free and runs linux... put all the machines BEHIND a firewall.. don't run firewalls on each machine.. additionally an unpatched windows machines should be able to SAFELY be on the net.. if it isn't you aren't doing your job of securing it correctly... get that pink slip ready.

### Re:ummmmm (1)

This comment was hidden based on your threshold setting.

#### kayen_telva | more than 8 years ago

m0n0wall does not in fact "run" linux
it is based on freebsd, a better choice for a firewall than linux

### Injoy (1)

This comment was hidden based on your threshold setting.

#### RetroGeek | more than 8 years ago

I have used Injoy on both OS/2 and Windows. It works great and has a good interface for setup. There is a Linux version.

Disclaimer: I do NOT work for, nor am I affiliated with them.

### You ain't (1)

This comment was hidden based on your threshold setting.

#### TheHawke | more than 8 years ago

This is where IT admins get into the deep dip by investing in top-notch gear and THEN, buying up cheap firewall software, expecting it to do the duty of protecting his pride and joy.

To protect the equipment, you will simply tell them to go hardware firewalls, preferably Cisco PIX 500s will do the trick. But be prepared to pay for the name, but the protection that this unit will provide will be worth every penny.

### Re:You ain't (1)

This comment was hidden based on your threshold setting.

#### mindstrm | more than 8 years ago

WHat sort of protection will this PIX 500 give above the usual stateful packet filtering?

### Wrong Approach (5, Informative)

This comment was hidden based on your threshold setting.

#### markom | more than 8 years ago

You are approaching the problem from a wrong direction.

There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls, are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.

The proper way to protect server farms in campus is to have secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. Secure network consists of firewalls, segmented network (separate VLAN's, switching blocks, etc.). Excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.

Marko.

### Re:Wrong Approach (1)

This comment was hidden based on your threshold setting.

#### ettlz | more than 8 years ago

You are approaching the problem from a wrong direction.
Surely the bigger problem here is the zombied boxes! Maybe their security policies should be tightened first, and the servers shored up accordingly with a physically separate router.

### say 'network diaper', not 'firewall' (1)

This comment was hidden based on your threshold setting.

#### puzzled | more than 8 years ago

Firewall sounds all dignified and techie, when you're really saying "TCP stack incontinence appliance'. Use the short form of this, 'network diaper', in coversations with management, and perhaps you'll get to use a real operating system.

If you canna go bare, why you even gonna go there?

### Re:say 'network diaper', not 'firewall' (1)

This comment was hidden based on your threshold setting.

#### puzzled | more than 8 years ago

ipf -Fa -f /etc/ipf.rules
pfctl -Fa -f /etc/pf.conf

These are examples of what one would do on a 'real' computer. This place, it has a goodly portion of Linux heretics, and I suggest you pay them no mind ...

### Hardware solutions are good (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Many years ago I worked as a Microsoft-assisted Windows NT admin in a mostly-Windows datacentre. We were undertrained, young, and cheap. The strategy the management used for security was to occasionally pay a top-notch cisco guy to come in and beef up the firewall rules protecting each machine. It was an effective defence at the time, but practice may have moved on.

### Linux (1)

This comment was hidden based on your threshold setting.

#### Evro | more than 8 years ago

The Linux kernel can be compiled with stateful packet filtering. It gives complete (or near-complete) control over almost all aspects of firewalling, including limiting based on src/dst port or address, rate limiting, etc. I once built a dedicated firewall using the "bridging firewall" patch which totally owned. The box didn't have its own ip and was transparent to the machines on either side of the network. Was a pain to modify remotely though. :(

I used a $800 1U machine for this task and it was probably overkill. Though to protect company machines, I don't know if you'd want to rely on a$100 solution.

On Linux you want to look into iptables. On BSD I think the packet filtering is called netfilter.

### Firewall (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

To protect a windows network system, use Smoothwall. It is a Linux Distro you can get for free and is easy to setup. They also have some really good doc's for support.

### coyote linux (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Since we run all of our servers with VMware, I just use a virtual coyote (www.coyotelinux.com) server as the firewall for each Windoze server.. really great stuff..

### A cheap box (2, Informative)

This comment was hidden based on your threshold setting.

#### necrognome | more than 8 years ago

running OpenBSD and pf. Include another cheap box and CARP if you need redundancy/failover.

### Re:A cheap box (1)

This comment was hidden based on your threshold setting.

#### BlabberMouth | more than 8 years ago

Excellent suggestion. I feel an cheap system running OpenBSD is sufficient for most people out there as long as you can administer it.

### Think outside the box. (1)

This comment was hidden based on your threshold setting.

#### adolfojp | more than 8 years ago

Use diferent security zones protected by dedicated firewalls computers.

### Opensource firewall (1, Interesting)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Maybe the question we need to ask ourselves is: why isn't there a quality open source firewall implementation for Windows. Since there are a number of shareware and comercial firewalls, it can't be too hard to write. Why hasn't anyone started WinFire.sf.net project and created one. I'm sure it would blast all the crappy commercial ones away in no time while end users would benefit greatly.

Any takers?

### firewall options (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

I maintain a bunch of servers (Win 2003/XP Pro)

I'm sorry to hear it.

For

### Smoothwall (1)

This comment was hidden based on your threshold setting.

#### SomeGuyTyping | more than 8 years ago

Find an old box, put two eth cards in and install Smoothwall Express http://www.smoothwall.org/

### Re:Smoothwall (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

Or better yet, install IPCop and get the same function without having to potentially deal with a psychotic lunatic "developer."

~~~

### IPCop (0)

This comment was hidden based on your threshold setting.

#### Anonymous Coward | more than 8 years ago

IPCop combined with some modest hardware should take care of business. The DansGuardian add-on, Cop+ should handle your filtering needs as well...

### OpenBSD (0)

This comment was hidden based on your threshold setting.

OpenBSD. Yes, it costs less than $100. It is free. ### iptables, portsentry, and some py scripting. (1) This comment was hidden based on your threshold setting. #### eh2o | more than 8 years ago$0 $100. i also use some assorted python scripts that watch the system logs for common attacks that portsentry does not pick up (e.g., repeated ssh login failures), and then dynamically block those IP / port combos as necessary. ### One word. (1) This comment was hidden based on your threshold setting. #### nolaf | more than 8 years ago OpenBSD ### IPCop (5, Informative) This comment was hidden based on your threshold setting. #### ZosX | more than 8 years ago It's free. Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to seperate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwith. Hey, you asked for cheap. Doesn't get much cheaper than that. You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up convieniently with a web browser. There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind. I would personally avoid Windows software firewalls like the plague, as they run at escalated priveledges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me. If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO. Happy hacking! ### Is This A Joke? (1) This comment was hidden based on your threshold setting. #### mpapet | more than 8 years ago BSD! (Boooo! shouts the Linux fans) No, wait, Linux! (Kill the penguin lover! shouts the BSD fans) Uh, well both are good. What was the question again? ### Decent firewall (3, Funny) This comment was hidden based on your threshold setting. #### NotFamous | more than 8 years ago Ceramic wafers with asbestos stuffing... ### IPTables Bridge (1) This comment was hidden based on your threshold setting. #### DosBubba | more than 8 years ago Get a machine with two NICs and connect both as a bridge between your clusters of machines. Install Linux and use this as a guide. Add an additional NIC if you want to be able to login to the box remotely. ### Smoothwall (1) This comment was hidden based on your threshold setting. #### xlr8ed | more than 8 years ago Install it on a older box like a 400-550Mhz machine and it will work very well, nice features also. http://www.smoothwall.org/ ### Kerio works with 2003. (0) This comment was hidden based on your threshold setting. #### Anonymous Coward | more than 8 years ago My wife's box is a 2003 Server (Corporate) and it has Kerio. ### watch guard (1) This comment was hidden based on your threshold setting. #### drewfuss | more than 8 years ago i recomend looking into watchguard. It uses linux. ### firewall ey? (0) This comment was hidden based on your threshold setting. #### Anonymous Coward | more than 8 years ago any firewall will do....just hope you dont have a pinto because they explode from the back! ### Another box! (1) This comment was hidden based on your threshold setting. #### Noksagt | more than 8 years ago Depending on the box, I like putting a cheap router (those intended for DSL/Cable are fine for me since my backwards-university is still on 10Mbps & is talking about eventually going to 100MBps) or another box in front of the system. If it is another box, it is nice to make it a linux or BSD box which is configured to ONLY be a firewall. I like OpenBSD. You can use a LiveCD or install it outright. Lots of tutorials out there. If you want only a software firewall for windows, I like Sygate. It does everything I want EXCEPT support fast-user switching. ### Linux: Firestarter or firehol (2) This comment was hidden based on your threshold setting. #### RedPhoenix | more than 8 years ago For the linux machines, have a peek at firestarter (www.fs-security.com). It's easy to configure, has a nice GUI, and provides a reasonably simple method of configuring IPTables. If your requirements are a little more complex (eg: DMZs, VPNs, etc.), you might want to have a peek at firehol instead. Text-based configuration, but greatly simplifies the process of wrangling with iptables. I tend to recommend zonealarm for windows for most people, but that's more out of apathy (ie: I haven't reviewed the options lately) than anything else. Red. ### Windows servers? (1) This comment was hidden based on your threshold setting. #### ArielMT | more than 8 years ago I recommend suspending a voodoo doll above each server. In my experience, UFO-catchers like Skuld (Oh My Goddess!), Tux the Penguin (or Cozy Heart Penguin the Care Bear Cousin, in the absence of a genuine Tux), and/or the Mozilla dragon (or Firefoxy). Take as much care of the voodoo dolls as you do the servers, and hope no one tries taking over the servers by way of the Web browser client, media player client, instant messenger client, or any of the host of other clients installed on and unremovable from the servers. :) ### hardware is the way forward... (2, Informative) This comment was hidden based on your threshold setting. #### Arimus | more than 8 years ago I'd suggest ditching a software firewall and investing in a proper hardware firewall such as Checkpoint FW1 and put all the servers behind that firewall. Put another firewall ideally of a different type (break one you've still got another to break) and use that to isolate all the departmental computers... Ensure the policies are locked down tight and that any changes are approved by someone who knows what they're about before being implemented. ### Adaptive Packet Destructive Filter (1) This comment was hidden based on your threshold setting. #### Wanker | more than 8 years ago This is by far the best firewall available: http://roseweb.de/caro/pages/security/v-one/cut-or ig.htm It costs well under$100, and unlike every other firewall it is guaranteed 100% secure.

Best of all, it can be applied to those pesky zombie systems in addition to your own servers for the ultimate in protection.

### A separate firewall (1)

This comment was hidden based on your threshold setting.

### Tiny Firewall (1)

This comment was hidden based on your threshold setting.

#### kuzb | more than 8 years ago

I'd go with this one, it's a little more than a firewall in that it can enforce rules on the filesystem as well (ex: foo.exe is only allowed to write to c:\text). It's highly configurable, and well worth a look.

### Windows Server 2003 SERVICE PACK 1 has a firewall (5, Informative)

This comment was hidden based on your threshold setting.

#### DJStealth | more than 8 years ago

Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.

There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2

### Securing Windows (2, Insightful)

This comment was hidden based on your threshold setting.

#### pestilence669 | more than 8 years ago

During my career in network security, there has never been a software based firewall I couldn't compromise. I had the unfortunate task of reverse engineering the competition (firewalls).

There are so many problems in the basic network stack (in Windows) that a hardware firewall is your only realistic alternative. With hardware, you only have to worry about your open ports.

Anything basic will do. Investing in a Cisco PIX is usually a waste of money. I've tunneled a remote shell through port 80 using IIS, making an $80k PIX worthless. Exploits are generally simple, so fragment reconstruction is unnecessary. With Windows, the mantra "good enough" rules. All of the packet filtering in the world won't save your server. The best thing you can do is attach a$50 LinkSys firewall and be done with it. Keep a copy of Ghost handy for when it gets compromised.
Slashdot Account

Need an Account?

Don't worry, we never post anything without your permission.

# Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

• b
• i
• p
• br
• a
• ol
• ul
• li
• dl
• dt
• dd
• em
• strong
• tt
• blockquote
• div
• quote
• ecode

### "ecode" can be used for code snippets, for example:

<ecode>	while(1) { do_something(); } </ecode>
Create a Slashdot Account