From: irwanhadi at phxby.com (Irwan Hadi)
Subject: Firewall solution for Windows 2003 Server

On Sat, Apr 24, 2004 at 09:48:01PM +0100, Lee wrote:

> Are you suggesting that the win2003 server will be the point of contact for
> the Internet? Is this a wise choice or just a product of your setup?
> 
> I don't like application layer firewalls, they fill me with dread, yes the
> displays are nice, but that doesn't mean it can't be achieved elsewhere.
> 
> I would prefer to point you in the direction of Smoothwall, and IPCOP (both
> are free) they run on small Pentium boxes, separate to the win2003 server
> and offer excellent protection and performance.  You can even just set up a
> nice FreeBSD box with simple ipchains packet filtering if needs be, but
> those two suggested would be a nice set in the right direction.
> 
> Any ideas on amounts you have to spend? That obviously sways a decision
> somewhat, but I still like to stay away from desktop application layer
> firewalls.

It depends on your situation. If you have a dedicated data center just for
the servers only, with its own router spigot and its own subnet, yes,
smoothwall will work, PIX firewall will work, Netscreen will work, all other
firewall appliances will work just fine.
But if you don't have that kind of luxury, for example, you are on a campus
network, where everything is open, and sometimes you (as a department) do
not have your own router spigot, or even your own subnet, then you are
dependent on a host based firewall solution.

Yes, you can still use firewall appliances, and set up a NAT, but if you only
maintain several servers, I don't think it is worth the effort of setting up a
NAT, except making things much more complicated.
Besides, all of your clients are outside of the NAT anyway, so you need to
make an exception for every one of your clients then.

