
Is a software firewall necessary if hardware is available?

Anonymous
February 14, 2005 6:31:28 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Hi! I have been having a lot of trouble getting the personal firewall of
(Norton Internet Security) to work with IIS server.

With the PF turned off all is OK. It's fine through my router and with my
shared DSL connection, but once it's on, both IE and my FTP client just
time out.

I have a D-Link router with a built-in firewall. Is this good enough? Am I
just going through all this for overkill?

I have the virus scanner/adware scanner/spyware scanner, and all is fine
right now.

What do you guys think?
Anonymous
February 14, 2005 11:37:02 AM


Adding to both responses, defense in depth is critical and NO your DLink
firewall is not enough.

I suggest a true appliance firewall. Depending on your budget and number of
users, you can get away with an SMB firewall like a Netscreen, Cisco PIX, or
Nokia Firewall for your network defense.

I suggest a host firewall on your IIS server.

And I suggest URLScan to proactively defend your IIS server.

There are no shortcuts to security, especially on an Internet-facing Web
server.

Anonymous
February 14, 2005 12:41:22 PM


Responses below.

> "paul dallaire" wrote:
>
>> HI! thanks for the response. what do you suggest as a host firewall for my
>> IIS server?

It depends on whether your Web server is in a DMZ (protected network behind a
firewall but isolated from your intranet) or connected to your internal
network.

If it's in a DMZ, the appliance firewall is good enough for starters. This
would be good enough for most networks.

An added layer of host firewall would help on your Web server if there are
other devices in the DMZ. If one of those devices ever got hacked, you know
that the Web server has another firewall to defend against attacks from its
neighboring DMZ servers.

If you go this uber-secure route, Windows 2003 has a built-in firewall that
can block ingress (inbound) attacks. That should do it. Although you could
go nuts and run a CheckPoint or other similar Enterprise-class firewall right
on that system, BUT it's not worth it.


>> What is a URLscan and where can I look for the software?

It has saved a bunch of my client's booties and is an awesome Microsoft FREE
application-- (if only Apache had this software)
http://www.microsoft.com/technet/security/tools/urlscan...
Description of both tools: http://www.securityfocus.com/infocus/1755
http://www.microsoft.com/technet/security/tools/locktoo...


>> What is a SMB?
Small-Medium Business
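What a URLScan-style filter actually does, shown as an added example written for this page in Python (it is neither Microsoft's URLScan nor code from the post): a handful of rules in the spirit of a locked-down urlscan.ini, run over constructed request lines. The verb list, extension list, denied sequences and length limits are assumptions chosen for the demonstration; the real tool reads them from urlscan.ini and sits in front of IIS as an ISAPI filter.

```python
"""URLScan-style request filtering, modelled in Python.

Added example for this page: it is neither Microsoft's URLScan nor code
from the thread. The rule values are assumptions in the spirit of a
locked-down urlscan.ini (AllowVerbs, DenyExtensions, DenyUrlSequences,
RequestLimits, VerifyNormalization); a real deployment reads them from
the ini file instead of hard-coding them.
"""
import posixpath
from urllib.parse import unquote

# Assumed policy. Only these verbs are accepted; everything else is rejected.
ALLOW_VERBS = {"GET", "HEAD", "POST"}
# Extensions a static/ASP site never needs to serve (assumed list).
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq",
                   ".htr", ".printer", ".ini", ".log"}
# Byte sequences that have no business in a normal URL on this site.
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
MAX_URL = 260             # RequestLimits: MaxUrl
MAX_QUERY_STRING = 2048   # RequestLimits: MaxQueryString


def check_request(request_line):
    """Return (allowed, reason) for one HTTP request line.

    Checks run in the order URLScan documents them: verb, length,
    normalization, denied sequences, extension. The first failure wins.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts

    if verb.upper() not in ALLOW_VERBS:
        return False, "verb not in AllowVerbs: " + verb

    path, _, query = target.partition("?")
    if len(path) > MAX_URL:
        return False, "URL longer than MaxUrl"
    if len(query) > MAX_QUERY_STRING:
        return False, "query string longer than MaxQueryString"

    # VerifyNormalization: decode once, decode again. If the second pass
    # changes anything the client sent a double-encoded URL, which is how
    # traversal sequences are smuggled past naive filters.
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return False, "URL fails normalization check"

    # DenyUrlSequences are matched against both the raw and the decoded
    # path, so neither "%2e%2e" nor a literal ".." gets through.
    for seq in DENY_URL_SEQUENCES:
        if seq in path or seq in decoded:
            return False, "URL contains denied sequence " + repr(seq)

    ext = posixpath.splitext(posixpath.normpath(decoded))[1].lower()
    if ext in DENY_EXTENSIONS:
        return False, "extension in DenyExtensions: " + ext

    return True, "ok"


# Constructed sample traffic for the demonstration (not captured logs).
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.1",
    "POST /upload.asp HTTP/1.1",
    "PROPFIND / HTTP/1.1",
    "GET /default.ida?" + "X" * 40 + " HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/../web.config HTTP/1.1",
    "GET /docs/my%20file.htm HTTP/1.1",
    "GET /" + "A" * 300 + " HTTP/1.1",
]


def filter_requests(lines):
    """Run every line through check_request; return [(line, allowed, reason)]."""
    return [(line,) + check_request(line) for line in lines]


if __name__ == "__main__":
    for line, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "DENY ", reason, "<-", line[:60])
```

Note the order of the checks: the double-decode test runs before the sequence match, so a double-encoded traversal is rejected as a normalization failure rather than slipping past a filter that only looked for a literal "..". The "%" entry in the denied sequences also rejects legitimately encoded names such as "my%20file.htm"; that is the kind of false positive to look for in the URLScan log before tightening the policy on a live site.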
Anonymous
February 14, 2005 2:45:35 PM


On Mon, 14 Feb 2005 03:31:28 -0500, paul dallaire wrote:

> Hi! I have been having a lot of trouble getting the personal firewall of
> (Norton Internet Security) to work with IIS server.
>
> With the PF turned off all is OK. It's fine through my router and with my
> shared DSL connection, but once it's on, both IE and my FTP client just
> time out.

NIS was not designed to be run on a server.

> I have a D-Link router with a built-in firewall. Is this good enough? Am I
> just going through all this for overkill?

Your D-Link router is probably just a NAT box and not really a firewall.
The router will allow you to pass 80/444/FTP ports through to the server,
but it's not going to do much of what a firewall would.

> I have the virus scanner/adware scanner/spyware scanner, and all is fine
> right now.
>
> What do you guys think?

I suspect that you don't have a server-quality virus scanner installed, just
a client virus scanner; you've probably not run MBSA to determine if
the machine is locked down, probably not disabled services you don't want
people using; and you should have renamed the Administrator account and
forced LARGE NASTY passwords on all accounts on this box.

Look at some of the MS articles on securing a web server and make sure you
follow their directions or you're going to have a compromised machine in
short time.

--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 14, 2005 3:09:07 PM


Hi! Thanks for the response. What do you suggest as a host firewall for my
IIS server?
What is URLScan and where can I look for the software?
What is an SMB?

"Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
news:0D013D13-3F35-4DA4-ACFD-D7C8F05DE77F@microsoft.com...
Anonymous
February 14, 2005 3:11:17 PM


Hi! Thanks for the response. It tells in the docs how to set up FTP
software. If it does not support it, then why have the docs on it?

I am running Win XP Pro SP2, not Server.


"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.14.11.49.45.613147@nowhere.lan...
Anonymous
February 14, 2005 3:18:45 PM


Good security is about defence in depth.
So have your hardware solution (if it really is one) and also layers of more
hardware and software too.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"paul dallaire" <paul.dallaire@sympatico.ca> wrote in message
news:sjZPd.266$4I5.156824@news20.bellglobal.com...
Anonymous
February 14, 2005 3:18:46 PM


Thanks for the response. :) 


"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:oFe8q9oEFHA.1348@TK2MSFTNGP14.phx.gbl...
Anonymous
February 14, 2005 4:36:46 PM


OK, since I am not sure if it is a DMZ, here is my configuration. Tell me what
it is.

My DSL modem's main connection Rs2/32 is plugged into the main port in my
D-Link 604 router (Internet Broadband Router). Then the other 2 computers
are coming out of the router's child ports.

The first computer, running WinXP Pro, was used to create the network disk to
configure the Win98 computer.
Both computers are sharing resources and are networked together.

Both computers are sharing the modem through the router, BUT it's the WinXP
Pro that starts the DSL modem connection. (In other words, if the WinXP Pro
computer goes down then the Win98 computer can NO longer connect to the
internet.)

With this explanation, what is this configuration called? Is this a DMZ?
What firewall software could be used to help me if needed at first?



"Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
news:F146A38B-872B-4122-B196-864E726144F6@microsoft.com...
Anonymous
February 14, 2005 4:36:47 PM


To answer your original question (Is a software firewall necessary if hardware
is available?), you already have a hardware firewall, the D-Link 604, and
*maybe* you need one on the XP machine if it's running IIS, but I would at
least run URLScan on your IIS server.

You're on a DSL network and it sounds like it's for your small business or
home. I don't suggest anything super expensive, but effective. The D-Link is
OK for home use as a firewall, but it's the bare minimum as firewalls go.
Check eBay for Netscreen-5, SonicWall, etc. for decent business-class
firewalls for small to medium businesses.

For the XP system running IIS, the XP SP2 firewall is sufficient, but know
that it will only protect you from ingress (inbound) threats. Once you get
malware on that system, it can talk out of it all day long. At that point,
you switch to a more powerful software firewall meant for servers.


For your recent question about the DMZ:
1. No, you do not have a DMZ.

Typical DMZs look like:

Multi-homed Firewall/DMZ Design
Internet---FW--intranet
           |
          DMZ

OR

Sandwich DMZ Design
I---FW--DMZ--FW--i

You have neither; you have:
I--FW (D-Link)--i (where your XP/IIS server and 98 systems are)

Your server is directly connected to your end systems and cannot be isolated
by the hardware firewall. This is the reason why people are saying to add a
software firewall: isolation and threat mitigation.

There are a ton of great firewall books that you may want to read.

Good luck!

Hope this helps.

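To make the isolation point concrete, here is an added example written for this page (not code from the post) that models the layouts drawn above as zones and firewall rules in Python, then asks two questions: which hosts can reach which ports on the IIS box, and what a compromised IIS box could reach on the Win98 PC. The host names, the port list and the assumed D-Link port-forwards (21 and 80) are illustrative assumptions.

```python
"""Segmentation check for the topologies in the post above.

Added example for this page, not code from the thread. It models hosts,
zones, the D-Link port-forwards and an optional host firewall as plain
data and asks one question: which hosts can reach which ports on the IIS
box, and what can the IIS box reach if it is compromised? Host names and
the port list are assumptions for illustration.
"""

# Ports worth asking about (assumed): FTP, HTTP, NetBIOS session, SMB.
PORTS = (21, 80, 139, 445)


class Host:
    def __init__(self, name, zone, host_fw_allow=None):
        self.name = name
        self.zone = zone
        # Inbound ports the host firewall permits; None means no host firewall.
        # (The XP SP2 firewall only filters inbound, so outbound is never
        # checked anywhere in this model.)
        self.host_fw_allow = host_fw_allow


class Topology:
    """hosts: list of Host. net_rules: {(src_zone, dst_zone): set(ports)}.

    Traffic between zones must match a net_rules entry; an unlisted pair is
    dropped. Traffic inside one zone never touches the network firewall."""

    def __init__(self, name, hosts, net_rules):
        self.name = name
        self.hosts = {h.name: h for h in hosts}
        self.net_rules = net_rules

    def can_reach(self, src, dst, port):
        s, d = self.hosts[src], self.hosts[dst]
        if s.zone != d.zone:
            if port not in self.net_rules.get((s.zone, d.zone), set()):
                return False
        if d.host_fw_allow is not None and port not in d.host_fw_allow:
            return False
        return True

    def exposure(self, dst):
        """Map each other host to the ports it can reach on dst."""
        return {src: [p for p in PORTS if self.can_reach(src, dst, p)]
                for src in self.hosts if src != dst}


def build_topologies():
    internet = Host("Internet", "internet")
    forwards = {("internet", "lan"): {21, 80}}  # D-Link port-forwards to IIS

    # What the poster has: both PCs on the router's LAN side, no host firewall.
    flat = Topology("flat",
                    [internet, Host("IIS", "lan"), Host("Win98", "lan")],
                    forwards)

    # Same wiring, XP SP2 firewall on the IIS box allowing only 21 and 80 in.
    flat_hostfw = Topology("flat+hostfw",
                           [internet, Host("IIS", "lan", {21, 80}),
                            Host("Win98", "lan")],
                           forwards)

    # Multi-homed firewall with a real DMZ leg. The sandwich design from the
    # post reduces to the same zone rules in this model, just enforced twice.
    dmz = Topology("dmz",
                   [internet, Host("IIS", "dmz"), Host("Win98", "lan")],
                   {("internet", "dmz"): {21, 80},
                    ("lan", "dmz"): {80}})
    return {t.name: t for t in (flat, flat_hostfw, dmz)}


def server_compromise_reach(topology, victim="Win98"):
    """Ports a compromised IIS box can open on the LAN PC."""
    return [p for p in PORTS if topology.can_reach("IIS", victim, p)]


if __name__ == "__main__":
    for name, t in build_topologies().items():
        print(name, "-> IIS exposure:", t.exposure("IIS"),
              "| IIS -> Win98:", server_compromise_reach(t))
```

The flat layout lets the Win98 PC reach file sharing on the IIS box and, the other way round, lets a compromised IIS box reach every port on the Win98 PC. Adding the XP SP2 firewall to the IIS box closes the first direction only, matching the post's warning that it filters inbound traffic; only the DMZ layout closes both, because the second direction is decided by the network firewall between zones, not by anything running on the server.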
Anonymous
February 14, 2005 6:54:43 PM


Hi! What would you suggest as a more powerful software firewall meant for
servers?
If you can, give me a few program names for me to check out.



"Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
news:8B0ADB67-121F-46A8-90D7-51BE1E97A170@microsoft.com...
Anonymous
February 14, 2005 6:54:44 PM


ISA Server for one.

Personally, I don't use software firewalls alone on servers.

Matt Gibson - GSEC

"paul dallaire" <paul.dallaire@sympatico.ca> wrote in message
news:8c8Qd.6754$4I5.270219@news20.bellglobal.com...
Anonymous
February 14, 2005 6:54:44 PM


It depends on the application.

Are you a Small-Medium Business or SOHO?
Enterprise?

For SOHO and SMB use:
Microsoft ISA or you can run the built-in firewall for win2k3 and XP.

For Enterprise use:
Microsoft ISA or you can run commercial quality firewall on the server
itself--Check Point Firewall-1 (although it's very expensive and probably
overkill)


I am just going by the title of this thread, but if I were to hit the brakes
for a moment, I'd suggest a different route for Web server security in
conjunction with IIS Lockdown and URLScan: Server Intrusion Prevention
Systems (IPS).

Here are some technologies to consider, my favorite being Sana Security
Primary Response:
http://www.sanasecurity.com/

I've tried BlackICE/RealSecure Server Sensor and Okena, but they really play
havoc on the stability of a production network.
http://www.iss.net/products_services/enterprise_protect...
http://cisco.com/en/US/products/sw/secursw/ps5057/index...

When deploying these solutions, I highly suggest using them in learning mode
with alerts, which basically relegates this IPS software to an Intrusion
Detection System (IDS).

Other IDS / IPS - Host-based technology:
Cisco Security Agent (fka Okena) - v 4.0
Enterasys Dragon Squire - v5.0, 6.x
ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
McAfee Entercept - v 4.x, 5.0
Nagios.org - v1.0
NFR HID - v1.0
Symantec Host IDS (fka ITA) - v3.6
Sana Primary Response – v2.0

"paul dallaire" wrote:

> HI! what would you suggest as a more powerful software firewall meant for
> servers.
> If you can give me a few programs names for me to check out.?
>
>
>
> "Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
> news:8B0ADB67-121F-46A8-90D7-51BE1E97A170@microsoft.com...
> > To answer your original question (Is software firewall nessasery if
> > hardware
> > is available?), you already have a hardware firewall, the D-Link 604 and
> > *maybe* you need one on the XP machine if it's running IIS, but I would at
> > least run URLScan on your IIS server.
> >
> > You're on a DSL network and it sounds like it's for your small business or
> > home. I don't suggest anything super expensive, but effective. The DLink
> > is
> > OK for home use as a firewall, but it's the bare minimum as firewalls go.
> > Check eBay for Netscreen-5, Sonicwall, etc. for decent business-class
> > firewalls for small medium business.
> >
> > For the XP system running IIS, the XP SP2 firewall is sufficient, but know
> > that it will only protect you from ingress (inbound) threats. Once you
> > get
> > malware on that system, it can talk out of it all day long. At that point,
> > you switch to a more powerful software firewall meant for servers.
> >
> >
> > For your recent question about the DMZ:
> > 1. No, you do not have a DMZ.
> >
> > Typical DMZs look like:
> >
> > Multi-homed Firewall/DMZ Design
> > Internet---FW--intranet
> > |
> > DMZ
> >
> > OR
> >
> > Sandwich DMZ Design
> > I---FW--DMZ--FW--i
> >
> > You have neither, you have:
> > I--FW (DLink)--i (where your XP/IIS server and 98 systems are)
> >
> > Your server is directly connected to your end systems and cannot be
> > isolated
> > by the hardware firewall. This is the reason why people are saying to add
> > a
> > software firewall--isolation and threat mitigation.
> >
> > There are a ton of great firewall books that you may want to read.
> >
> > Good luck!
> >
> > Hope this helps.
> >
> > "paul dallaire" wrote:
> >
> >> OK, since I am not sure if it is a DMZ, here is my configuration. Tell me
> >> what it is.
> >>
> >> My DSL modem's main connection Rs2/32 is plugged into the main port in my
> >> D-Link 604 router (Internet Broadband Router). Then the other 2 computers
> >> are coming out of the router's child ports.
> >>
> >> First computer running WinXP pro was used to create the network disk to
> >> configure the win98 computer.
> >> both computers are sharing sources and are networked together.
> >>
> >> Both computers are sharing the modem through the router. BUT it's the WinXP
> >> Pro that starts the DSL modem connection. (In other words, if the WinXP Pro
> >> computer goes down then the Win98 computer can NO longer connect to the
> >> internet.)
> >>
> >> With this explanation, what is this configuration called? Is this a DMZ?
> >> What firewall software could be used to help me if needed at first?
> >>
> >>
> >>
> >> "Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
> >> news:F146A38B-872B-4122-B196-864E726144F6@microsoft.com...
> >> > Responses below.
> >> >
> >> >> "paul dallaire" wrote:
> >> >>
> >> >>> HI! thanks for the response. what do you suggest as a host firewall
> >> >>> for
> >> >>> my
> >> >>> IIS server?
> >> >
> >> > It depends if your Web server is in a DMZ (protected network behind a
> >> > firewall but isolated from your intranet) or connected to your internal
> >> > network.
> >> >
> >> > If it's in a DMZ, the appliance firewall is good enough for starters.
> >> > This
> >> > would be good enough for most networks.
> >> >
> >> > An added layer of host firewall would help on your Web server if there
> >> > are
> >> > other devices in the DMZ. If one of those devices ever got hacked, you
> >> > know
> >> > that the Web server has another firewall to defend attacks from its
> >> > neighboring DMZ servers.
> >> >
> >> > If you go this uber-secure route, Windows 2003 has a built-in firewall
> >> > that
> >> > can block ingress (inbound) attacks. That should do it. Although you
> >> > could
> >> > go nuts and run a CheckPoint or other similar Enterprise-class firewall
> >> > right
> >> > on that system, BUT it's not worth it.
> >> >
> >> >
> >> >>> What is URLScan and where can I look for the software?
> >> >
> >> > It has saved a bunch of my clients' booties and is an awesome Microsoft
> >> > FREE
> >> > application-- (if only Apache had this software)
> >> > http://www.microsoft.com/technet/security/tools/urlscan...
> >> > Description of both tools: http://www.securityfocus.com/infocus/1755
> >> > http://www.microsoft.com/technet/security/tools/locktoo...
> >> >
> >> >
> >> >>> What is a SMB?
> >> > Small-Medium Business
> >>
> >>
> >>
>
>
>
Anonymous
February 14, 2005 10:11:32 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Mon, 14 Feb 2005 12:11:17 -0500, paul dallaire wrote:

> HI! thanks for the response. It tells in the docs how to set up FTP
> software. If it does not support it, then why have the docs on it?
>
> I am running Win XP Pro SP2, not Server.

I had a suspicion that you were running a workstation instead of a server.
You're still in the same boat, you also risk your other computers should
the public one become compromised.

Your 604 router is just a simple NAT box with no real firewall installed
and no means to have two network segments - we would call one segment the
LAN and the other the DMZ - typically there is none or little connection
between the DMZ and the LAN, and your non-public computers sit in the LAN
segment. With this type of setup your computers in the DMZ can't reach the
computers in the LAN should a DMZ computer become compromised.

There are ways to build a cheap LAN/DMZ, but you need two routers:

INTERNET
|
ROUTER 1
| < DMZ SEGMENT
| < 192.168.0.0/24
ROUTER 2
| < LAN SEGMENT
| < 192.168.1.0/24

In this setup your LAN computers are able to access the DMZ WEB/FTP
computers, but, unless you open ports back into ROUTER 2, the DMZ
computers can't reach the LAN segment. All computers can reach the
Internet through the routers.

Now, you do understand that your Workstation is limited to 10 sessions at
a time - meaning that your web site is very limited in how many users can
access it?

You might also want to consider using something other than the built-in MS
FTP service - Take a look at FileZilla, it's an Open Source FTP Server
that runs on the Windows Platform and is much easier and more feature-rich
than the MS FTP service - and it doesn't require a Windows User Account -
since you're not going to allow anonymous access to the FTP site (it would
be bad to allow FTP Write access to the world).

FileZilla server can be found here:
http://filezilla.sourceforge.net/

--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 14, 2005 10:11:33 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HI! Why would you call the D-Link a NAT box? Why would they list it as a
router? Can you explain? I don't understand.

I do understand now about isolating the two. What would you recommend as a
good router that is low price but good for my situation as a starter? I will
in the future get a good hardware firewall, but for now I would like decent
protection.

Another thing: if I do get another good router, can I still use the D-Link's
firewall for the LAN part while the other, more advanced firewall filters
the IIS server's connections and other public connections?



"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.14.19.20.41.420281@nowhere.lan...
Anonymous
February 14, 2005 10:12:14 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HI! When you say IIS Lockdown, does this mean firewall protection?

Is Microsoft ISA an OS server platform with firewall protection, or is it an
add-on to an OS such as my WinXP Pro or Server?


"Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
news:13061289-B33F-4C37-9B0A-0D35CE7412FF@microsoft.com...
> It depends on the application.
>
> Are you a Small-Medium Business or SOHO?
> Enterprise?
>
> For SOHO and SMB use:
> Microsoft ISA or you can run the built-in firewall for win2k3 and XP.
>
> For Enterprise use:
> Microsoft ISA or you can run commercial quality firewall on the server
> itself--Check Point Firewall-1 (although it's very expensive and probably
> overkill)
>
>
> I am just going by the title of this thread, but if I were to hit the brakes
> for a moment, I'd suggest a different route for Web server security in
> conjunction with IIS Lockdown and URLScan--Server Intrusion Prevention
> Systems (IPS).
>
> Here are some technologies to consider, my favorite being Sana Security
> Primary Response:
> http://www.sanasecurity.com/
>
> I've tried BlackICE/RealSecure Server Sensor and Okena, but they really
> play
> havoc on the stability of a production network.
> http://www.iss.net/products_services/enterprise_protect...
> http://cisco.com/en/US/products/sw/secursw/ps5057/index...
>
> When deploying these solutions, I highly suggest using them in learning
> mode
> with alerts, which basically relegates this IPS software into an Intrusion
> Detection System (IDS).
>
> Other IDS / IPS - Host-based technology:
> Cisco Security Agent (fka Okena) - v 4.0
> Enterasys Dragon Squire - v5.0, 6.x
> ISS RealSecure Server Sensor - v5.5, 6.0, 7.0
> McAfee Entercept - v 4.x, 5.0
> Nagios.org - v1.0
> NFR HID - v1.0
> Symantec Host IDS (fka ITA) - v3.6
> Sana Primary Response - v2.0
>
> "paul dallaire" wrote:
>
>> HI! what would you suggest as a more powerful software firewall meant for
>> servers?
>> If you can give me a few program names for me to check out?
>>
>>
>>
>> "Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
>> news:8B0ADB67-121F-46A8-90D7-51BE1E97A170@microsoft.com...
Anonymous
February 15, 2005 12:47:38 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Mon, 14 Feb 2005 16:09:25 -0500, paul dallaire wrote:

> HI! Why would you call the D-Link a NAT box? Why would they list it as a
> router? Can you explain? I don't understand.

The 604 is just a ROUTER that provides NAT, it's not a firewall, look up
what makes a firewall a firewall sometime. Those types of devices get
marketed as what they feel they can get away with. I won't go into what a
router is, what NAT is, or what a firewall appliance is, you can google
for all of that.

> I do understand now about isolating the two. What would you recommend as a
> good router that is low price but good for my situation as a starter? I will
> in the future get a good hardware firewall, but for now I would like decent
> protection.

Any of the cheap units, the under $300 range, offer the same features for
the most part - they are all just NAT boxes. There is no cheap SOHO single
router like the 604 that provides for a full isolated DMZ and LAN areas.
The separation is critical in protecting the LAN from the DMZ. As I showed
in the diagram you can build your own using two cheap routers in series
with each other - the DMZ area is the first router inside the network and
where you put the public machines, the LAN area is on the other side of
the second router.

> Another thing: if I do get another good router, can I still use the D-Link's
> firewall for the LAN part while the other, more advanced firewall filters
> the IIS server's connections and other public connections?

The D-Link 604 is not a firewall, it's a router with NAT. You could use
two D-Link 604 units to build your LAN/DMZ just like I show below (in the
quoted text). You just need to make sure that each network is a different
IP range.

Firewall appliances are costly, starting units run $400+ on average, most
of the good ones run $1700+. Since you are only using a workstation OS and
not a server you've not invested a lot, so a dual router solution would
protect you well enough as long as you lock-down the publicly accessed
system.


> "Leythos" <void@nowhere.lan> wrote in message
> news:pan.2005.02.14.19.20.41.420281@nowhere.lan...


--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 15, 2005 12:47:39 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HI! Thanks a lot for all the info. I will read up on things.

Thanks again for all your help :) 

Paul


"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.14.21.56.40.559318@nowhere.lan...
Anonymous
February 15, 2005 12:51:31 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Mon, 14 Feb 2005 15:54:43 -0500, paul dallaire wrote:

> HI! what would you suggest as a more powerful software firewall meant for
> servers?
> If you can give me a few program names for me to check out?

Without the experience to understand securing the OS and also setting up a
secure Personal Firewall Application on the workstation you would not be
in good shape for securing the web workstation. Keep in mind, you're running
a Workstation version of the Operating System, not a server.

Use of Dual Routers, even the NAT Boxes like the 604 (which is not a
firewall) will provide more protection than an improperly configured
personal firewall application.

If you look at the design that Phil mentions, he shows a DMZ area
separated from the LAN area - in a cheap way you can achieve the same
solution with two routers (like the 604).

--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 15, 2005 3:44:19 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Mon, 14 Feb 2005 19:12:14 -0500, paul dallaire wrote:

> HI! When you say IIS lockdown does this mean firewall protection?

Go to the MS web site and search for "IIS LOCKDOWN", it's a tool/method
used to secure IIS, has nothing to do with firewalls.

> Is Microsoft ISA an OS Server platform with firewall protection or is a
> add-on to an OS such as My WinXP pro or Server?

ISA is a firewall that runs on a Server, I do not think it will run on
Windows XP Home or Prof - there is no Windows XP Server version.

--
spam999free@rrohio.com
remove 999 in order to email me
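Phil's URLScan pointer earlier in the thread and the IIS Lockdown note above are about request filtering inside IIS, not a firewall: URLScan is an ISAPI filter that rejects a request before it reaches a script engine or ISAPI mapping. As an added example, not part of any post here, this is a urlscan.ini of the kind you would put next to urlscan.dll on the XP/IIS box after the IIS Lockdown wizard has installed URLScan. It is written for URLScan 2.5 and the section and option names are the ones that version reads; the particular choices (which verbs, extensions and limits) are assumptions for a small site of static pages and ASP forms and must be adjusted to what the site actually serves.

```ini
[options]
; Only the verbs in [AllowVerbs] get through; anything else is rejected
UseAllowVerbs=1
; Deny-list extensions (the approach of the shipped default) rather than
; allow-list them, so directory requests such as "/" keep working
UseAllowExtensions=0
; Decode the URL before scanning and reject anything that decodes
; differently a second time (double-encoded traversal like ..%255c..)
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; No non-ASCII bytes in the URL, no dots inside path segments
AllowHighBitCharacters=0
AllowDotInPath=0
; Stop advertising "Server: Microsoft-IIS/5.1"
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1
AllowLateScanning=0
UseFastPathReject=0
RejectResponseUrl=

[RequestLimits]
; A small ASP/static site needs nothing near the 30 MB default body limit
MaxAllowedContentLength=2000000
MaxUrl=260
MaxQueryString=2048

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
; WebDAV headers; this server is not meant to speak WebDAV
Translate:
If:
Lock-Token:
Transfer-Encoding:

[DenyExtensions]
; Executables that must never be served or run
.exe
.bat
.cmd
.com
; Index Server and other legacy ISAPI mappings (webhits.dll, idq.dll,
; ism.dll, httpodbc.dll, ssinc.dll, msw3prt.dll)
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
; Files that belong to the server, not to the site
.ini
.log
.pol
.dat

[DenyUrlSequences]
; Directory traversal, alternate data streams and encoded characters
..
./
\
:
%
&
```

With UseAllowVerbs=1 a request using any verb other than GET, HEAD or POST is answered with a 404 before IIS dispatches it, which is the whole point: the request never reaches the mapping that would have handled it. After a day of real traffic read the URLScan log; a legitimate client tripping a rule appears there as a rejected URL together with the rule that fired, and that log is the only safe basis for loosening the file.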
Anonymous
February 15, 2005 3:44:20 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HI! OK, good, I will do that. And thanks again for all the information that
you have given me :) 


"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.15.00.48.30.356092@nowhere.lan...
Anonymous
February 15, 2005 3:44:20 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HI! Again, one last one: what should I be looking for as far as a good router?

What should it have at least as far as specs? (Without all the bells and
whistles, I mean.)

I was looking online at a store in my city and found one around $400
Canadian:
10/100 8-Port VPN Router RV082 Linksys (a division of Cisco Systems)

Security Features: SPI Firewall, DES and 3DES Encryption for IPSec VPN
Tunnel.

Is this sufficient?





"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.15.00.48.30.356092@nowhere.lan...
Anonymous
February 15, 2005 3:44:21 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

For home use, look on eBay for a Netscreen-5, Watchguard SOHO, or a
SonicWall and it will run you about $400.

I forgot you were running XP. Try XP SP2 and its firewall.

"paul dallaire" wrote:

> HI! again one last one. what I am looking for as far as good router.
>
> What should it have at least as far as specs. (Without all the bells and
> whisles and mean.)
>
> I was looking online at a store in my city and found one around 400$
> canadian.
> 10/100 8-Port VPN Router RV082 Linksys ( A Division of Sysco Systems)
>
> Security Features: SPI Firewall, DES and 3DES Encryption for IPSec VPN
> Tunnel.
>
> Is this sufficient.?
>
>
>
>
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:p an.2005.02.15.00.48.30.356092@nowhere.lan...
> > On Mon, 14 Feb 2005 19:12:14 -0500, paul dallaire wrote:
> >
> >> HI! When you say IIS lockdown does this mean firewall protection?
> >
> > Go to the MS web site and search for "IIS LOCKDOWN", it's a tool/method
> > used to secure IIS, has nothing to do with firewalls.
> >
> >> Is Microsoft ISA an OS Server platform with firewall protection or is a
> >> add-on to an OS such as My WinXP pro or Server?
> >
> > ISA is a firewall that runs on a Server, I do not think it will run on
> > Windows XP Home or Prof - there is no Windows XP Server version.
> >
> > --
> > spam999free@rrohio.com
> > remove 999 in order to email me
> >
>
>
>
Anonymous
February 15, 2005 2:49:43 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Mon, 14 Feb 2005 22:36:28 -0500, paul dallaire wrote:

> HI! Again, one last one: what should I be looking for as far as a good router?
>
> What should it have at least as far as specs? (Without all the bells and
> whistles, I mean.)
>
> I was looking online at a store in my city and found one around $400
> Canadian:
> 10/100 8-Port VPN Router RV082 Linksys (a division of Cisco Systems)
>
> Security Features: SPI Firewall, DES and 3DES Encryption for IPSec VPN
> Tunnel.
>
> Is this sufficient?

Here's the deal, since you are not running a real web server, since it's
only a workstation that can only support 10 connections, and since you
have a couple other PC's you want to protect from the web workstation in
case it gets compromised, get yourself two generic NAT ROUTERS and just
use those. Most of the routers under $100 each come with SPI. Since you
don't need a router that does IPSec tunnels you don't need to pay for that
feature - your 604 or the Linksys BEFSR41 units are cheap, provide NAT,
and do enough.

The VPN Router you mention doesn't have any protective measures that the
604/BEFSR41 units don't have. Since they are not firewalls you really
don't have many options that you can work with.

Just use the two routers in series with the DMZ off the first and the LAN
off the second.

--
spam999free@rrohio.com
remove 999 in order to email me
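The two-router layout (the diagram in Leythos's 10:11 PM post, the "different IP range" condition in the 12:47 AM post, and the recap just above) can be checked on paper before buying anything. What follows is an added example and not code from anyone in the thread: a Python model of two plain NAT boxes in series. Only the two 192.168.x.0/24 ranges come from the posts; 203.0.113.10 and the 198.51.100.x hosts are documentation-range stand-ins for the DSL public address and for Internet hosts, .10 in the DMZ is assumed to be the XP/IIS box and .5 in the LAN the Win98 box. Each router is modelled as nothing but NAT: a new inside-to-outside connection is forwarded with its source rewritten to the router's WAN address, and an outside-to-inside connection gets in only through a port-forward. No SPI or other filtering is modelled, which is the point: it shows what isolation the cheap boxes give on their own.

```python
import ipaddress


class NatRouter:
    """A plain NAT box: one inside network, one address on its outer (WAN)
    side, and a port-forward table mapping an outer port to (inside host,
    port).  Nothing else is modelled, in particular no filtering."""

    def __init__(self, name, inside, wan_addr, forwards=None):
        self.name = name
        self.inside = ipaddress.ip_network(inside)
        self.wan_addr = ipaddress.ip_address(wan_addr)
        self.forwards = {port: (ipaddress.ip_address(host), hport)
                         for port, (host, hport) in (forwards or {}).items()}


class TwoRouterDmz:
    """ROUTER 1 fronts the DMZ; ROUTER 2's WAN port is plugged into the DMZ
    and its inside is the LAN.  Zone depth: 0 = Internet, 1 = DMZ, 2 = LAN."""

    def __init__(self, router1, router2):
        # The condition from the 12:47 AM post: the two ranges must differ.
        if router1.inside.overlaps(router2.inside):
            raise ValueError("DMZ and LAN must use different IP ranges")
        if router2.wan_addr not in router1.inside:
            raise ValueError("ROUTER 2's WAN address must sit in the DMZ range")
        self.routers = [router1, router2]          # outermost first

    def zone(self, addr):
        """How many NAT boxes sit between addr and the Internet."""
        depth = 0
        for i, r in enumerate(self.routers):
            if addr in r.inside:
                depth = i + 1
        return depth

    def new_connection(self, src, dst, dport):
        """Follow a NEW connection hop by hop.  Returns (verdict, source as
        the target sees it, target host, target port)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        zs = self.zone(src)
        # Outbound leg: every NAT box between the source and the destination's
        # zone forwards a new inside-to-outside connection, rewriting the
        # source to its own WAN address.
        while zs > self.zone(dst):
            src = self.routers[zs - 1].wan_addr
            zs -= 1
        # Inbound leg: the only way deeper is a port-forward on the router
        # whose WAN address we are now facing.
        while True:
            if self.zone(dst) > zs:
                # A private host behind a NAT box is not routable from here:
                # this is the DMZ-cannot-reach-LAN case.
                return ("dropped", str(src), str(dst), dport)
            router = self.routers[zs] if zs < len(self.routers) else None
            if router is None or dst != router.wan_addr:
                return ("delivered", str(src), str(dst), dport)
            if dport not in router.forwards:
                # Hitting the router's own address with nothing forwarded.
                return ("dropped", str(src), str(dst), dport)
            dst, dport = router.forwards[dport]
            zs += 1


def example_layout(lan_forward_on_router2=False):
    """The thread's layout with the constructed addresses from the lead-in."""
    router1 = NatRouter("ROUTER 1", "192.168.0.0/24", "203.0.113.10",
                        forwards={80: ("192.168.0.10", 80),
                                  21: ("192.168.0.10", 21)})
    # The "ports back into ROUTER 2" case: a file-share forward into the LAN.
    router2_forwards = {445: ("192.168.1.5", 445)} if lan_forward_on_router2 else {}
    router2 = NatRouter("ROUTER 2", "192.168.1.0/24", "192.168.0.2",
                        forwards=router2_forwards)
    return TwoRouterDmz(router1, router2)


if __name__ == "__main__":
    net = example_layout()
    cases = [
        ("198.51.100.7", "203.0.113.10", 80),    # Internet -> published web server
        ("198.51.100.7", "203.0.113.10", 445),   # Internet -> port nobody forwarded
        ("198.51.100.7", "192.168.1.5", 445),    # Internet -> LAN host directly
        ("192.168.1.5", "192.168.0.10", 80),     # LAN -> DMZ web server
        ("192.168.1.5", "198.51.100.7", 80),     # LAN -> Internet (double NAT)
        ("192.168.0.10", "192.168.1.5", 445),    # compromised DMZ box -> LAN share
        ("192.168.0.10", "192.168.0.2", 445),    # compromised DMZ box -> ROUTER 2
    ]
    for src, dst, port in cases:
        print(f"{src:>13} -> {dst}:{port:<4} {net.new_connection(src, dst, port)}")
```

The last two cases are the thread's point: a compromised DMZ box cannot address a LAN host at all, and hitting ROUTER 2's WAN side gets nowhere unless a forward exists. Run example_layout(lan_forward_on_router2=True) and the same attempt is delivered to 192.168.1.5, so every port opened back into ROUTER 2 is a hole from the DMZ into the LAN; the LAN should reach the DMZ web/FTP box, never the reverse. Two things the model leaves out: a real SOHO router may or may not hairpin its own public address, and ROUTER 2's management page faces the DMZ, so it should be restricted to the LAN side or at least given a strong password, because the public box can reach it.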
Anonymous
February 15, 2005 6:06:05 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HI! Thanks a lot for all the advice. I will do the mentioned setup.

Thanks again :) 

Paul Dallaire


"paul dallaire" <paul.dallaire@sympatico.ca> wrote in message
news:Z4eQd.7059$4I5.372431@news20.bellglobal.com...
Anonymous
February 15, 2005 11:15:16 PM

Archived from groups: microsoft.public.windowsxp.security_admin

paul dallaire wrote:
> HI! I have been having a lot of trouble getting the personal firewall of
> (Norton Internet Security) to work with IIS server.
>
> With the PF turned off all is OK. It's fine through my router and with my
> shared DSL connection but once it's on both IE and my FTP client just
> time out.
>
> I have d-link router with a built in firewall. is this good enough? I am
> just going through all this for an overkill?
>
> I have the virus scanner/adware scanner/spyware scanner/ and all is fine
> right now.
>
> what do you guys think?
>
>
>


If you use a router with NAT, it's still a very good idea to use a
3rd party software firewall. Like WinXP's built-in firewall,
NAT-capable routers do nothing to protect the user from him/herself (or
any "curious," over-confident teenagers in the home). Again -- and I
*cannot* emphasize this enough -- almost all spyware and many Trojans
and worms are downloaded and installed deliberately (albeit unknowingly)
by the user. So a software firewall, such as Sygate or ZoneAlarm, that
can detect and warn the user of unauthorized out-going traffic is an
important element of protecting one's privacy and security. (Remember:
Most antivirus applications do not even scan for or protect you from
adware/spyware, because, after all, you've installed them yourself, so
you must want them there, right?)

I use both a router with NAT and Sygate Personal Firewall, even
though I generally know better than to install scumware. When it comes
to computer security and protecting my privacy, I prefer the old "belt
and suspenders" approach. In the professional IT community, this is
also known as a "layered defense." Basically, it comes down to never,
ever "putting all of your eggs in one basket."


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
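The post above makes the case for a host firewall that notices unexpected outbound traffic, which a NAT router never sees as suspicious. The following is an added example, not code from the thread or from any of the products named in it: it reads the W3C-style log that the Windows Firewall writes (pfirewall.log, whose `#Fields:` header is assumed here to be the one shown in the sample) and reports outbound connections that leave the LAN for destination ports a workstation is not expected to use. The log lines themselves are constructed for the example, not captured from a real host.

```python
"""Flag unexpected outbound connections in a Windows Firewall log.

Added example (not from the newsgroup thread). The record layout follows the
#Fields: header the Windows Firewall writes to pfirewall.log; the records
below are constructed sample traffic on a NAT'd home LAN (192.168.0.0/24).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample log: header as written by the firewall, traffic made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-02-15 18:06:05 OPEN TCP 192.168.0.10 203.0.113.5 1040 80 - - - - - - - - SEND
2005-02-15 18:06:07 OPEN TCP 192.168.0.10 203.0.113.5 1041 443 - - - - - - - - SEND
2005-02-15 18:06:09 OPEN UDP 192.168.0.10 192.168.0.1 1042 53 - - - - - - - - SEND
2005-02-15 18:06:11 OPEN TCP 192.168.0.10 198.51.100.77 1043 6667 - - - - - - - - SEND
2005-02-15 18:06:12 OPEN TCP 192.168.0.10 192.168.0.20 1044 445 - - - - - - - - SEND
2005-02-15 18:06:15 DROP TCP 203.0.113.99 192.168.0.10 4444 135 48 S 0 0 0 - - - RECEIVE
2005-02-15 18:06:20 OPEN TCP 192.168.0.10 198.51.100.77 1045 6667 - - - - - - - - SEND
"""

# Destination ports a browsing workstation is expected to reach on the Internet.
ALLOWED_DST_PORTS: Set[int] = {80, 443}

# Address ranges treated as "inside the LAN". A hand-written list is used on
# purpose: ipaddress.is_private also matches the documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) used for the sample's Internet hosts.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class Finding:
    dst_ip: str
    dst_port: int
    protocol: str
    count: int  # number of OPEN records to this destination


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record: skip rather than guess
        yield dict(zip(fields, values))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_outbound(text: str,
                        allowed_ports: Set[int] = ALLOWED_DST_PORTS) -> List[Finding]:
    """Outbound (SEND) connections that left the LAN for a non-allowlisted port."""
    counts: Dict[Tuple[str, int, str], int] = {}
    for rec in parse_log(text):
        # Only connections the host itself opened toward the outside matter here.
        if rec["path"] != "SEND" or rec["action"] != "OPEN":
            continue
        if is_internal(rec["dst-ip"]):
            continue
        port = int(rec["dst-port"])
        if port in allowed_ports:
            continue
        key = (rec["dst-ip"], port, rec["protocol"])
        counts[key] = counts.get(key, 0) + 1
    return [Finding(ip, port, proto, n)
            for (ip, port, proto), n in sorted(counts.items())]


if __name__ == "__main__":
    for f in unexpected_outbound(SAMPLE_LOG):
        print(f"{f.protocol} to {f.dst_ip}:{f.dst_port} opened {f.count} time(s)")
```

On the constructed sample the web traffic, the DNS lookup to the router and the SMB connection to another LAN host are all passed over, and the inbound probe that the firewall dropped is ignored because it is not something the host initiated; only the repeated connections to port 6667 on an outside address are reported for a person to look at. The port allowlist is the part to adjust for a real machine.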