4

I'm looking for recommendations on firewalls for a dedicated server that will be hosting a few websites of average traffic (5000 uniques monthly). The hosting company has port and full hardware firewalls. There's also the option of installing software firewalls. What is the level of protection of the 'port' protection mentioned here: http://www.xlhost.com/firewall.php? Is this adequate? Any recommendations (Windows Server OS)?

FiveTools

5 Answers

3

Well if this is Windows Server 2008, it actually has a fairly capable software firewall.

EEAA
  • Yup, the built-in windows firewall is really good. – Espennilsen Feb 20 '10 at 17:24
  • Well, I think *really good* is a stretch. I'd still much prefer pf or iptables, but in this situation, that's obviously not an option. – EEAA Feb 20 '10 at 18:47
  • I think *any good* is a stretch. There's many features it lacks, and in a not so distant past ksecdd was vulnerable to a use-after-free condition stemming from how the firewall processed malformed ICMP packets - among other problems. It can't be trusted. – zetavolt Feb 23 '10 at 16:05
3

It looks like a port on a FireBox would offer decent protection. Do you want application level protection? The FireBox probably won't be able to discern different application traffic on the same TCP/IP port. Meaning, if you had a software firewall, you could configure it a bit more granularly to only allow a certain executable to have access to port 80 (for example), whereas with a port on a firewall, you could only tweak port 80 to either allow or deny traffic without respect to what executable is initiating or responding to the traffic on your server.

As ErikA pointed out, Windows Server's built-in firewall would seem to be sufficient (as long as it was Server 2008 or above). Some alternatives that are noteworthy are:

With me not knowing exactly what your desires are, you'll have to do some digging to compare the products with the internal Windows firewall and see exactly what benefits are of significance to you.

Wesley
2

Unfortunately, getting firewalls right is like getting encryption right - a lot of people think they can do it right; for that matter, a lot of experts think they can get it right. Getting it right is not so easy.

If the FD mailing list is any guide, the FireBox is vulnerable to SYN-FIN ambiguity. Best evidenced by this snippet of code.

/* Classifies a segment as a new connection (SYN) whenever SYN is set and
   neither ACK nor RST is set; a FIN set alongside SYN is never examined. */
if (tcp->syn && !(tcp->ack || tcp->rst))
    tcpsyn = 1;

If it isn't immediately obvious, a piece of processing code like this allows you to pass packets through the firewall as long as you set the Finish bit together with the Synchronize bit, thus effectively defeating port-filtering.

In short, if security is a concern for you, I'd stick with the tried and true - ASA/PIX. Failing that, BlackIce firewall is very well done, as well as pf/iptables of course.

zetavolt
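As an added illustration of the point made in the answer above (this is example code written for this page, not code from the thread or from any firewall product), here is a stateless TCP filter that validates flag combinations before deciding whether a segment is a new connection. The check in the answer only asks "SYN set, ACK/RST clear"; the version below rejects SYN+FIN, SYN+RST, flagless and bare-FIN segments outright, so an illegal combination never reaches the port decision. The header layout is standard TCP; the port allow-list and sample segments are constructed for the example.

```python
import struct

# TCP flag bits, as found in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_tcp_flags(flags: int) -> str:
    """Classify a flag byte; combinations no legitimate stack emits are 'invalid'."""
    if flags & SYN and flags & (FIN | RST):      # SYN+FIN / SYN+RST never occur in a real handshake
        return "invalid"
    if not flags & (SYN | FIN | RST | ACK):      # "null" segment: nothing meaningful set
        return "invalid"
    if flags & FIN and not flags & ACK:          # bare FIN (FIN/Xmas style): no valid flow sends this
        return "invalid"
    if flags & RST:
        return "reset"
    if flags & SYN:
        return "syn" if not flags & ACK else "syn_ack"
    if flags & FIN:
        return "close"
    return "established"


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed test input; checksum left at 0)."""
    offset_and_flags = (5 << 12) | flags         # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 65535, 0, 0)


def filter_segment(header: bytes, allowed_ports: set) -> str:
    """Stateless port filter: validate flags first, then gate new connections by port.

    Non-SYN traffic is passed on the (weak) assumption that it belongs to a flow that
    was already admitted; that assumption is exactly why flag validation must run first.
    """
    if len(header) < 20:
        return "drop"
    dport = struct.unpack("!H", header[2:4])[0]
    flags = header[13] & 0x3F                    # ignore ECE/CWR for classification
    kind = classify_tcp_flags(flags)
    if kind == "invalid":
        return "drop"
    if kind == "syn" and dport not in allowed_ports:
        return "drop"
    return "accept"
```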
0

You could also look at pfsense: http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43

Malnizzle
0

Assuming it's actually a dedicated server and not a VPS, you could install a bare-bones Linux distro on the metal (debian-netinst, etc.), run Shorewall and then run the Windows machine under Xen, KVM or a VirtualBox headless instance.

Aaron Tate