
What is the Best Firewall for Servers?

Cliff posted more than 8 years ago | from the hot-protection-for-heavy-iron dept.

Networking 673

Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"


673 comments

OpenBSD, of course! (5, Informative)

Anonymous Coward | more than 8 years ago | (#12925473)

Ummm, OpenBSD of course! www.openbsd.org

Re:OpenBSD, of course! (2, Informative)

Krach42 (227798) | more than 8 years ago | (#12925660)

I have to agree. I use OpenBSD for my firewall, then I poke holes through to my Linux server for HTTP, and SSH.

This avoids the situation that I had previously when someone hacked into my machine. They hacked into my OpenBSD firewall, then opened it all up, and marked my /etc/pf.conf system-immutable (so I had to reboot into single user mode to fix it.)

This way, if they hack my Linux server, they'd still have to hack into my OpenBSD box in order to open up the ports. I have plans to lock that up tight on both ends, so you need physical access to access it.

At that point, I'm as secure as I can get from across-the-world hackers.

at the risk of getting flamed into submission... (4, Insightful)

gik (256327) | more than 8 years ago | (#12925474)

a linux box.

Re:at the risk of getting flamed into submission.. (3, Informative)

Nos. (179609) | more than 8 years ago | (#12925571)

I don't think you'll get flamed too bad. It's what I was going to suggest. I run iptables as I'm sure many others here do. It's simple, there's lots of open source tools to make management of those rules easier, and a basic install of Linux will run on some pretty lightweight machines. Heck, there's always the distros on a CD to make things even more secure, and putting the rules on a floppy set to read-only makes for relatively simple updates to the rules if/when needed.

Re:at the risk of getting flamed into submission.. (1)

Hal_Porter (817932) | more than 8 years ago | (#12925586)

You've still got to buy the box.

I use the hardware firewall in my router and the Windows Firewall on my home machine. Either one should be ok actually.

Re:at the risk of getting flamed into submission.. (5, Funny)

Ooblek (544753) | more than 8 years ago | (#12925658)

When it's liberal arts machines getting infected, I've found the BEST firewall to be a pair of wire cutters. NOTHING gets through after the skilled use of these babies.

Re:at the risk of getting flamed into submission.. (2, Insightful)

jhylkema (545853) | more than 8 years ago | (#12925670)

You've still got to buy the box.

A $25 surplus P-II should suffice. I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.

Re:at the risk of getting flamed into submission.. (-1, Flamebait)

Hightest (705105) | more than 8 years ago | (#12925632)

Can you give me the name of your University, so I can recommend people not attend a University that uses Windows 2003 or XP server in their labs.

now that is funny (0)

Anonymous Coward | more than 8 years ago | (#12925635)

Solaris 10 :)

Smoothwall (4, Informative)

Anonymous Coward | more than 8 years ago | (#12925479)

Re:Smoothwall (1)

m0topilot (724010) | more than 8 years ago | (#12925565)

I second that... Smoothwall is very good especially when you can recycle old computers and its cheap! There are also smoothwall hacks out there that help you extend it.

Re:Smoothwall (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#12925605)

Don't forget that the developer is a prick.

Re:Smoothwall (0)

Anonymous Coward | more than 8 years ago | (#12925650)

mod parent up

w00t (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#12925481)

okay then ...

I'm sorry. (0)

Anonymous Coward | more than 8 years ago | (#12925488)

But shouldn't a well-maintained server OS be able to stand on its own?

Use a *separate* firewall box. (4, Insightful)

Richard Steiner (1585) | more than 8 years ago | (#12925489)

That way, platform compatibility is a nonissue.

I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...

Hardware or Software? (2, Insightful)

glrotate (300695) | more than 8 years ago | (#12925492)

I'd say keep the firewall software off of your Server. Get a decent hardware one from Checkpoint.

Re:Hardware or Software? (0)

Anonymous Coward | more than 8 years ago | (#12925558)

Checkpoint is not a hardware firewall. It is software that can be run on linux/solaris/win32 or whatever runs on their nokia platform.

Re:Hardware or Software? (1)

ndansmith (582590) | more than 8 years ago | (#12925570)

I would have to agree with this as well. We have a small network with 5 Win2003 servers and 90 XP workstations. We use the Netscreen 5GT. It can be quite tricky to set up, but having the firewall separate from your domain is quite handy. Second choice, get a UNIX box to do the job.

What's wrong with windows firewall (2, Insightful)

gooogle (643307) | more than 8 years ago | (#12925493)

Seriously, why put down $300 when the windows firewall will do?

Or get a $50 router and block all unnecessary ports to give yourself an additional layer of security.

Re:What's wrong with windows firewall (2, Insightful)

Alan (347) | more than 8 years ago | (#12925687)

Because in this case, the end result is something easier to deal with that solves the problem. If you want to maintain a "bunch" (however many that is) of installs of a windows firewall, on multiple OSs, then yea, absolutely.

The thinking here is a separate machine will help maintainability (assuming of course that you know linux), ease of upgrades (one system vs a "bunch"). Of course, in this case a little router box would work just fine as well. The only thing with the router boxes is the ones sold to joe average have a very unconfigurable firewall (in my own experience with linksys and d-link systems) whereas the original poster might want some extra control (ie: outbound filtering) of his windows systems.

Re:What's wrong with windows firewall (0)

Anonymous Coward | more than 8 years ago | (#12925697)

Idiot

Is this a joke? (5, Funny)

AEton (654737) | more than 8 years ago | (#12925495)

You keep getting hit by zombie machines?

Liberal Arts zombies? Are you sure they're not dogs [slashdot.org]?

(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer [linux.com].)

iptables (2, Insightful)

Heidistein (593051) | more than 8 years ago | (#12925496)

$subj, the only true firewall :)

Re:iptables (1, Funny)

Anonymous Coward | more than 8 years ago | (#12925561)

agreed. and if you're not command line oriented, use the webmin interface to create your rules.

slightly off topic but does anyone else have trouble reading those annoying "confirmation your not a script images"? The one I am looking at right now is nearly impossible to read.

OT: Captchas (5, Funny)

interweb (895527) | more than 8 years ago | (#12925651)

slightly off topic but does anyone else have trouble reading those annoying "confirmation your not a script images"? The one I am looking at right now is nearly impossible to read.

Are you sure you are human?

Security (2, Funny)

aardwolf64 (160070) | more than 8 years ago | (#12925498)

I've found that for 99% security, the best solution is to unplug the ethernet cable on my server and just use it locally (kind of defeats the point, huh?)

The missing 1% is for the ninja squirrels ... stupid squirrels...

Firewall Solutions (0)

Anonymous Coward | more than 8 years ago | (#12925499)

You might try filching a used/surplused office/enduser box, throwing in a second NIC card, loading up Linux and using the beast as a firewall router...

Commercial HW, free SW (2, Informative)

ltning (143862) | more than 8 years ago | (#12925500)

We use FreeBSD with IPF, IPFW and some home-brewed tools in our main hosting centre. We have chosen name-brand hardware and free software - already having in-depth knowledge in-house, we had no need to buy a complete black-box solution.

Of course - investing in "fresh" knowledge on FreeBSD or whichever other platform you wish to roll your own firewall/ids solution on top of - is going to be expensive. Thus this solution might not work for all...

OpenBSD (1, Informative)

Anonymous Coward | more than 8 years ago | (#12925503)

Use OpenBSD for your firewall. It has an integrated Packet Filter that works better than most commercial products. The OS itself is secure by default, and it's free! Can't beat that!

A cheap linux firewall (4, Informative)

Suicyco (88284) | more than 8 years ago | (#12925511)

Just use iptables on a cheap old pentium or something. Two network cards, one inside and one outside. Even a modest Pentium or Pentium II could keep up with good amounts of traffic.

100% solution (1, Funny)

Anonymous Coward | more than 8 years ago | (#12925516)

Wire cutters. $3.95, Radio Shack. 100% protection against any network based attack.

BSD rulez! (0)

Anonymous Coward | more than 8 years ago | (#12925522)

a *BSD box. preferably NetBSD.

Sounds to me like.... (1)

Mercury2k (133466) | more than 8 years ago | (#12925524)

"...we keep getting hit by zombie machines taken over in the Education Department..."

Sounds like they are practicing getting "sch0013d"

Win2k3 SP1 Firewall (2, Informative)

chota (577760) | more than 8 years ago | (#12925528)

The firewall bundled with the service pack upgrade to Server 2003 isn't too bad, but it only does incoming connections. You can exempt ports or executables.

Also, it's free.*

*Well, you know what I mean.

Does it cost less than US$100? (4, Insightful)

dancedance (600701) | more than 8 years ago | (#12925529)

Does it cost less than US$100? You can't be serious. Securing your machines is only worth $100? Is that how much it will cost to fix them once they are cracked? Give me a break. If you are serious about security you can invest more than $100.

Re:Does it cost less than US$100? (1)

Uber Banker (655221) | more than 8 years ago | (#12925669)

If you are serious about security you can invest more than $100.

While advisable to get a more expensive (read built and priced for the task), a PII box and cables can be picked up for $70 on eBay and, with a minimal Linux firewall install (say, 1 hour to set up @ $30/hour) does cost $100/hour. Of course this assumes the tech expertise exists in the first place, which seems not to be the case in this 'Ask Slashdot'.

a linux box set up as a hw firewall (1)

winkydink (650484) | more than 8 years ago | (#12925532)

maybe more than $100, maybe not. Depends on whether or not you have a free machine. Doesn't have to be fast or have a lot of memory.

Isolate and hardware firewall (1)

strredwolf (532) | more than 8 years ago | (#12925535)

Isolate your network, and secure it using a Linux-based firewall. Hopefully you have 1:1 mapping, so you won't need to NAT the resulting connection. Either way, connections coming in one Ethernet port will hit the Linux box, but keep all outgoing traffic from the isolated network running safe.

ummmmm (1)

matth (22742) | more than 8 years ago | (#12925537)

Why not try a hardware solution? perhaps a Cisco PIX? Worst case use monowall.. it is free and runs linux... put all the machines BEHIND a firewall.. don't run firewalls on each machine.. additionally an unpatched windows machine should be able to SAFELY be on the net.. if it isn't you aren't doing your job of securing it correctly... get that pink slip ready.

Injoy (1)

RetroGeek (206522) | more than 8 years ago | (#12925538)

I have used Injoy [www.fx.dk] on both OS/2 and Windows. It works great and has a good interface for setup. There is a Linux version.

Disclaimer: I do NOT work for, nor am I affiliated with them.

You ain't (1)

TheHawke (237817) | more than 8 years ago | (#12925539)

This is where IT admins get into the deep dip by investing in top-notch gear and THEN, buying up cheap firewall software, expecting it to do the duty of protecting his pride and joy.

To protect the equipment, you will simply tell them to go hardware firewalls, preferably Cisco PIX 500s will do the trick. But be prepared to pay for the name, but the protection that this unit will provide will be worth every penny.

Wrong Approach (5, Informative)

markom (220743) | more than 8 years ago | (#12925544)

You are approaching the problem from a wrong direction.

There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.

The proper way to protect server farms on campus is to have a secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. A secure network consists of firewalls, a segmented network (separate VLANs, switching blocks, etc.). An excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.

Marko.

Re:Wrong Approach (1)

ettlz (639203) | more than 8 years ago | (#12925664)

You are approaching the problem from a wrong direction.
Surely the bigger problem here is the zombied boxes! Maybe their security policies should be tightened first, and the servers shored up accordingly with a physically separate router.

say 'network diaper', not 'firewall' (1)

puzzled (12525) | more than 8 years ago | (#12925545)

Firewall sounds all dignified and techie, when you're really saying "TCP stack incontinence appliance". Use the short form of this, "network diaper", in conversations with management, and perhaps you'll get to use a real operating system.

If you canna go bare, why you even gonna go there?

Re:say 'network diaper', not 'firewall' (1)

puzzled (12525) | more than 8 years ago | (#12925599)

ipf -Fa -f /etc/ipf.rules
pfctl -Fa -f /etc/pf.conf

These are examples of what one would do on a 'real' computer. This place, it has a goodly portion of Linux heretics, and I suggest you pay them no mind ...

Hardware solutions are good (0)

Anonymous Coward | more than 8 years ago | (#12925547)

Many years ago I worked as a Microsoft-assisted Windows NT admin in a mostly-Windows datacentre. We were undertrained, young, and cheap. The strategy the management used for security was to occasionally pay a top-notch cisco guy to come in and beef up the firewall rules protecting each machine. It was an effective defence at the time, but practice may have moved on.

Linux (1)

Evro (18923) | more than 8 years ago | (#12925548)

The Linux kernel can be compiled with stateful packet filtering. It gives complete (or near-complete) control over almost all aspects of firewalling, including limiting based on src/dst port or address, rate limiting, etc. I once built a dedicated firewall using the "bridging firewall" patch which totally owned. The box didn't have its own ip and was transparent to the machines on either side of the network. Was a pain to modify remotely though. :(

I used a $800 1U machine for this task and it was probably overkill. Though to protect company machines, I don't know if you'd want to rely on a $100 solution.

On Linux you want to look into iptables. On BSD I think the packet filtering is called netfilter.
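Nos., Suicyco and Evro above all describe the same build: a cheap two-NIC Linux box running iptables with stateful filtering, only the needed ports open to the servers behind it, and some rate limiting. The script below is an added example of such a ruleset; it is not code from any of those posters or from this thread. The interface names eth0 and eth1, the 192.0.2.0/24 server range and the list of exposed services are assumptions to adjust. Everything not explicitly allowed is dropped, replies to established flows are let back in by the connection tracker instead of by per-port rules, and the hashlimit rule drops new SSH connections from any single source that goes above 4 per minute after a burst of 6.

```shell
#!/bin/sh
# Added example of a stateful default-deny iptables ruleset for a dedicated
# two-NIC firewall box. Not from the original thread. Interface names,
# address range and service list are assumptions; adjust before use.

WAN_IF="${WAN_IF:-eth0}"                    # assumed: outside interface
LAN_IF="${LAN_IF:-eth1}"                    # assumed: inside interface
SERVER_NET="${SERVER_NET:-192.0.2.0/24}"    # assumed: documentation range for the servers
# Services exposed from the outside to the server network, as proto:port pairs (assumed)
ALLOWED_SERVICES="${ALLOWED_SERVICES:-tcp:80 tcp:443 tcp:22}"

# Emit the whole ruleset in iptables-restore format on stdout.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Stateful rules: packets of flows we already accepted pass without per-port rules.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A "new" TCP flow that does not start with a SYN is scan noise or a spoof: drop it.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Anti-spoofing: nothing claiming a server address may arrive on the outside interface.
-A FORWARD -i $WAN_IF -s $SERVER_NET -j DROP
# The server network may open connections outward.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $SERVER_NET -j ACCEPT
EOF
    for svc in $ALLOWED_SERVICES; do
        proto=${svc%%:*}
        port=${svc##*:}
        if [ "$proto" = tcp ] && [ "$port" = 22 ]; then
            # Rate limit new SSH connections per source address: above 4/minute (burst 6) is dropped.
            echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER_NET -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 4/minute --hashlimit-burst 6 -j DROP"
        fi
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Sanity check: how many services does the generated ruleset expose inward?
count_exposed_services() {
    build_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load the ruleset atomically when running as root; otherwise just print it.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        build_ruleset | iptables-restore
    else
        build_ruleset
    fi
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  build_ruleset ;;
esac
```

Loading through iptables-restore rather than a long list of individual iptables calls means the box is never half-configured if the script is interrupted, and the printed form is exactly what you would keep on Nos.'s read-only floppy.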

Firewall (0)

Anonymous Coward | more than 8 years ago | (#12925549)

To protect a windows network system, use Smoothwall. It is a Linux Distro you can get for free and is easy to setup. They also have some really good docs for support.

coyote linux (0)

Anonymous Coward | more than 8 years ago | (#12925554)

Since we run all of our servers with VMware, I just use a virtual coyote (www.coyotelinux.com) server as the firewall for each Windoze server.. really great stuff..

A cheap box (2, Informative)

necrognome (236545) | more than 8 years ago | (#12925557)

running OpenBSD and pf. Include another cheap box and CARP if you need redundancy/failover.

Re:A cheap box (1)

BlabberMouth (672282) | more than 8 years ago | (#12925649)

Excellent suggestion. I feel a cheap system running OpenBSD is sufficient for most people out there as long as you can administer it.

Opensource firewall (1, Interesting)

Anonymous Coward | more than 8 years ago | (#12925567)

Maybe the question we need to ask ourselves is: why isn't there a quality open source firewall implementation for Windows. Since there are a number of shareware and commercial firewalls, it can't be too hard to write. Why hasn't anyone started WinFire.sf.net project and created one. I'm sure it would blast all the crappy commercial ones away in no time while end users would benefit greatly.

Any takers?

firewall options (0)

Anonymous Coward | more than 8 years ago | (#12925568)

I maintain a bunch of servers (Win 2003/XP Pro)

I'm sorry to hear it.

For

IPCop (0)

Anonymous Coward | more than 8 years ago | (#12925574)

IPCop [ipcop.org] combined with some modest hardware should take care of business. The DansGuardian [dansguardian.org] add-on, Cop+ [sourceforge.net] should handle your filtering needs as well...

OpenBSD (0)

Anonymous Coward | more than 8 years ago | (#12925577)

OpenBSD [openbsd.com]. Yes, it costs less than $100. It is free.

iptables, portsentry, and some py scripting. (1)

eh2o (471262) | more than 8 years ago | (#12925579)

$0 < $100.

I also use some assorted python scripts that watch the system logs for common attacks that portsentry does not pick up (e.g., repeated ssh login failures), and then dynamically block those IP / port combos as necessary.
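eh2o's post describes a log watcher that spots repeated SSH login failures and blocks the source. The script below is an added example of that idea, written in shell with awk rather than eh2o's Python, and is not eh2o's code or anything from this thread. The log lines are constructed, and the failure threshold, the chain name SSHBLOCK and the apply mode are assumptions. It counts "Failed password" messages per source address in OpenSSH's syslog output and prints (or, as root, installs) a drop rule for each address at or above the threshold, so a single mistyped password from a legitimate user is left alone.

```shell
#!/bin/sh
# Added example (not eh2o's script): find source addresses with repeated
# failed SSH logins in OpenSSH auth-log lines and emit a block rule for each.
# Sample log lines are constructed; threshold and chain name are assumptions.

THRESHOLD="${THRESHOLD:-3}"             # assumed: failures before a source is blocked
BLOCK_CHAIN="${BLOCK_CHAIN:-SSHBLOCK}"  # assumed: a dedicated chain created once, jumped to from INPUT

# Constructed sample of OpenSSH messages in syslog format (addresses from documentation ranges).
SAMPLE_LOG='Jun 29 10:01:02 labsrv sshd[2211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun 29 10:01:05 labsrv sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Jun 29 10:01:09 labsrv sshd[2215]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jun 29 10:02:11 labsrv sshd[2220]: Accepted publickey for sushant from 198.51.100.7 port 51000 ssh2
Jun 29 10:03:40 labsrv sshd[2230]: Failed password for sushant from 198.51.100.7 port 51010 ssh2
Jun 29 10:03:45 labsrv sshd[2231]: Accepted password for sushant from 198.51.100.7 port 51011 ssh2
Jun 29 10:04:00 labsrv sshd[2240]: Failed password for invalid user oracle from 192.0.2.99 port 3344 ssh2
Jun 29 10:04:01 labsrv sshd[2241]: Failed password for invalid user oracle from 192.0.2.99 port 3345 ssh2
Jun 29 10:04:02 labsrv sshd[2242]: Failed password for invalid user oracle from 192.0.2.99 port 3346 ssh2
Jun 29 10:04:03 labsrv sshd[2243]: Failed password for invalid user oracle from 192.0.2.99 port 3347 ssh2'

# Read log lines on stdin; print "count address" for every source with at least $1 failures.
find_offenders() {
    min_failures="$1"
    awk -v min="$min_failures" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the field right after "from"; "port" follows it,
            # so this works for both "for USER from" and "for invalid user USER from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails) if (fails[ip] >= min) print fails[ip], ip
        }' | sort -k2
}

# Turn offenders (read from stdin as log lines) into drop rules.
# "print" shows the iptables commands; "apply" runs them (needs root).
block_offenders() {
    mode="${1:-print}"
    find_offenders "$THRESHOLD" | while read -r count ip; do
        rule="-I $BLOCK_CHAIN -s $ip -p tcp --dport 22 -j DROP"
        if [ "$mode" = apply ]; then
            iptables $rule
        else
            echo "iptables $rule   # $count failures"
        fi
    done
}

# Run the detector over the built-in constructed sample.
demo_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | find_offenders "$THRESHOLD"
}

case "${1:-}" in
    demo)  demo_offenders ;;
    print) block_offenders print ;;   # log lines on stdin
    apply) block_offenders apply ;;   # log lines on stdin, as root
esac
```

For live use, feed it the auth log as it grows (for example tail -F /var/log/auth.log piped into the print or apply mode) and keep the blocking rules in their own chain so they can be flushed without touching the rest of the ruleset. Over the sample, 203.0.113.5 and 192.0.2.99 cross the threshold while 198.51.100.7, with one failure followed by a successful login, does not.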

IPCop (5, Informative)

ZosX (517789) | more than 8 years ago | (#12925593)

It's free.

Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to separate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwidth. Hey, you asked for cheap. Doesn't get much cheaper than that.

You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up conveniently with a web browser.

There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.

I would personally avoid Windows software firewalls like the plague, as they run at escalated privileges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.

If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.

Happy hacking!

Is This A Joke? (1)

mpapet (761907) | more than 8 years ago | (#12925596)

BSD! (Boooo! shouts the Linux fans)

No, wait,

Linux! (Kill the penguin lover! shouts the BSD fans)

Uh, well both are good. What was the question again?

IPTables Bridge (1)

DosBubba (766897) | more than 8 years ago | (#12925606)

Get a machine with two NICs and connect both as a bridge between your clusters of machines. Install Linux and use this [tldp.org] as a guide. Add an additional NIC if you want to be able to login to the box remotely.

Kerio works with 2003. (0)

Anonymous Coward | more than 8 years ago | (#12925623)

My wife's box is a 2003 Server (Corporate) and it has Kerio.

firewall ey? (0)

Anonymous Coward | more than 8 years ago | (#12925626)

any firewall will do....just hope you don't have a pinto because they explode from the back!

Another box! (1)

Noksagt (69097) | more than 8 years ago | (#12925631)

Depending on the box, I like putting a cheap router (those intended for DSL/Cable are fine for me since my backwards-university is still on 10Mbps & is talking about eventually going to 100MBps) or another box in front of the system. If it is another box, it is nice to make it a linux or BSD box which is configured to ONLY be a firewall. I like OpenBSD. You can use a LiveCD [jtan.com] or install it outright. Lots of tutorials out there.

If you want only a software firewall for windows, I like Sygate. It does everything I want EXCEPT support fast-user switching.

Linux: Firestarter or firehol (2)

RedPhoenix (124662) | more than 8 years ago | (#12925642)

For the linux machines, have a peek at firestarter (www.fs-security.com). It's easy to configure, has a nice GUI, and provides a reasonably simple method of configuring IPTables.

If your requirements are a little more complex (eg: DMZs, VPNs, etc.), you might want to have a peek at firehol instead. Text-based configuration, but greatly simplifies the process of wrangling with iptables.

I tend to recommend zonealarm for windows for most people, but that's more out of apathy (ie: I haven't reviewed the options lately) than anything else.

Red.

Windows servers? (1)

ArielMT (757715) | more than 8 years ago | (#12925643)

I recommend suspending a voodoo doll above each server. In my experience, UFO-catchers like Skuld (Oh My Goddess!), Tux the Penguin (or Cozy Heart Penguin the Care Bear Cousin, in the absence of a genuine Tux), and/or the Mozilla dragon (or Firefoxy). Take as much care of the voodoo dolls as you do the servers, and hope no one tries taking over the servers by way of the Web browser client, media player client, instant messenger client, or any of the host of other clients installed on and unremovable from the servers. :)

hardware is the way forward... (2, Informative)

Arimus (198136) | more than 8 years ago | (#12925646)

I'd suggest ditching a software firewall and investing in a proper hardware firewall such as Checkpoint FW1 and put all the servers behind that firewall.

Put another firewall ideally of a different type (break one you've still got another to break) and use that to isolate all the departmental computers...

Ensure the policies are locked down tight and that any changes are approved by someone who knows what they're about before being implemented.

A separate firewall (1)

wowbagger (69688) | more than 8 years ago | (#12925656)

Depending upon the workload the server sees, you could get away with something as simple and stupid as a Linksys/DLink/... firewall configured to port forward the server's ports inward. (cost ca. US$30)

You might also dig up a junk machine and set up the Linux Router project (or a *BSD equivalent) on it.

If the servers are big enough that a cheap hardware firewall won't do, then I'd say they are big enough to need a real router in front of them.

Kerio Firewall (2, Informative)

Dr. Technical (862071) | more than 8 years ago | (#12925659)

Kerio *does* make an excellent firewall product for Windows servers (Kerio Server Firewall). It is pricey, however, and for the same or less money you could install a Smoothwall box.

Call Scooby-doo to get the zombies! (0)

Anonymous Coward | more than 8 years ago | (#12925667)

Call Scooby-doo to get the zombies!

ipsec and dedicated machines (1)

kicken18 (839808) | more than 8 years ago | (#12925672)

tbh I don't like people who give answers of "get Linux" when he clearly is using windows so address the problem at hand since upgrading to linux is not exactly simple and that's if you even want it, but anyway. For my servers I used IPSEC, I am not sure how secure it is but it seems to work for me and I have had no problems. Needed to get used to it as at first I didn't know what to do, but was easy after that. This and using a router to allow only the ports you want would be a fairly good start. There are then software and hardware firewalls, you could build a hardware firewall out of some old parts you have lying around and some free software off the internet to monitor your in/out goings

A firewall will not protect a weak system. (0)

Anonymous Coward | more than 8 years ago | (#12925686)

Unless you are planning to use a firewall that is capable of detecting malicious traffic, it will not protect a weak system. For example: If you are using a vulnerable version of IIS a FW will do little to nothing to protect you.

Patch and properly harden your system. There are plenty of sites out there to assist with both of these tasks.

I am not aware of any server firewalls that are capable of what you are looking for under $100 dollars, with support.

Tiny Firewall (1)

kuzb (724081) | more than 8 years ago | (#12925689)

I'd go with this one, it's a little more than a firewall in that it can enforce rules on the filesystem as well (ex: foo.exe is only allowed to write to c:\text). It's highly configurable, and well worth a look [tinysoftware.com].

Windows Server 2003 SERVICE PACK 1 has a firewall (5, Informative)

DJStealth (103231) | more than 8 years ago | (#12925693)

Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.

There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2

Securing Windows (2, Insightful)

pestilence669 (823950) | more than 8 years ago | (#12925704)

During my career in network security, there has never been a software based firewall I couldn't compromise. I had the unfortunate task of reverse engineering the competition (firewalls).

There are so many problems in the basic network stack (in Windows) that a hardware firewall is your only realistic alternative. With hardware, you only have to worry about your open ports.

Anything basic will do. Investing in a Cisco PIX is usually a waste of money. I've tunneled a remote shell through port 80 using IIS, making an $80k PIX worthless. Exploits are generally simple, so fragment reconstruction is unnecessary.

With Windows, the mantra "good enough" rules. All of the packet filtering in the world won't save your server. The best thing you can do is attach a $50 LinkSys firewall and be done with it. Keep a copy of Ghost handy for when it gets compromised.