Server Firewall


Post by Nesw.Blueyonde » Wed, 11 Jun 2003 18:31:31



Hi all, at the moment I am using Zone Alarm Pro as a firewall on my Win 2000
Adv server,

1) Is this sufficient?

2) What is the best software firewall out there?

3) What is the best software/hardware configuration for my server?

Thanks

Braindead.


Server Firewall

Post by ObiWa » Wed, 11 Jun 2003 22:25:19


> Hi all, at the moment I am using Zone Alarm Pro
> as a firewall on my Win 2000 Adv server,

:-P

> 1) Is this sufficient?
> 2) What is the best software firewall out there?
> 3) What is the best software/hardware configuration for my server?
> Braindead.

Well, if you're braindead (as for the sig) just remove any
firewall; otherwise have a look at www.idrci.net and maybe
you'll find something more "suitable" for your config ;-) BTW,
here I'm talking about (dedicated) server protection; in any
case you may as well look at http://tinyurl.com/cp0j to find
a built-in W2K protection method which, combined with some
carefully crafted ACLs, could really allow you to secure your
system as needed (and don't forget to use a good AV/AT).

--

* ObiWan

DNS "fail-safe" for Windows 2000 and 9X clients.
http://ntcanuck.com

408 XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm


Server Firewall

Post by Ida » Wed, 11 Jun 2003 23:07:53


Installing a personal firewall on a server running a Windows OS may kill your
clients. But without a firewall it is very dangerous, because there are so
many known and unknown security problems in Windows OS. You'd better put a
firewall between your server and the Internet, and set up strict rules so that
only specific traffic can go through the firewall.

There is a firewall called ITShield firewall (http://www.itshield.com).
Because application proxy provides the highest level of security and
flexibility, ITShield Firewall handles all the sessions in application-level
by default. ITShield Firewall can handle more than 5000 TCP sessions,
unlimited UDP sessions, and unlimited IP sessions at application-level in
parallel. Furthermore, ITShield Firewall can drop the unwanted requests at
packet level. If the high-speed network traffic keeps the firewall very
busy, the administrator can enable Stateful Inspection.

ITShield firewall has about 20 proxies for HTTP, FTP, SSL etc. These proxies
only allow well-formatted data to go through the firewall. For example,
proxy_http only relays HTTP data. Some proxies provide options for you to
set so that they can disallow some dangerous operations. For example, by
using proxy_ftp, it is very easy to set up a list-only FTP server.
ITShield Firewall generates clear and descriptive logs. They are very helpful
for administrators to trace the activities of hackers and block their
further attacks.

ITShield Firewall supports User Authentication, PPTP VPN and IPSEC VPN. It
is very easy for you to configure them.

ITShield firewall has a secure remote administration tool so that you can
manage the firewall from anywhere on the Internet.

Ida


> > Hi all, at the moment I am using Zone Alarm Pro
> > as a firewall on my Win 2000 Adv server,

> :-P

> > 1) Is this sufficient?
> > 2) What is the best software firewall out there?
> > 3) What is the best software/hardware configuration for my server?

> > Braindead.

> Well, if you're braindead (as for the sig) just remove any
> firewall, otherwise have a look at www.idrci.net and maybe
> you'll find something more "suitable" with your config ;-) btw
> here I'm talking about (dedicated) server protection, in any
> case you may as well look at http://tinyurl.com/cp0j to find
> a built-in w2k protection method which combined with some
> carefully crafted ACLs could really allow you to secure your
> system as needed (and don't forget to use a good AV/AT)

> --

> * ObiWan

> DNS "fail-safe" for Windows 2000 and 9X clients.
> http://ntcanuck.com

> 408 XP/2000 tweaks and tips
> http://ntcanuck.com/tq/Tip_Quarry.htm


Server Firewall

Post by ObiWa » Thu, 12 Jun 2003 00:03:15


> There is a firewall called ITShield firewall (http://www.itshield.com).
> Because application proxy provides the highest level of security and

Ok, I won't start a debate here but ... where's the difference between
a *good & solid* STATEFUL packet filter and that critter? If you know
how to set up filtering rules there's no need for proxies or the like, IMO.

In any case ... that was just my 2 cents, free of using whatever you like


Server Firewall

Post by ObiWa » Thu, 12 Jun 2003 00:07:02


> In any case ... that was just my 2 cents, free of using whatever you like

And I forgot .. the CHX I suggested is made in Canada .. where
does that critter you suggested come from? And would it work
on a W2K server, as per the original question, or does it need a
separate machine? In the latter case I'd go for IPCop :-)

Server Firewall

Post by Richard H Mill » Thu, 12 Jun 2003 00:52:59


: > There is a firewall called ITShield firewall (http://www.itshield.com).
: > Because application proxy provides the highest level of security and

: Ok I won't start a debate here but ... where's the difference between
: a *good & solid* STATEFUL packet filter and that critter ? If you know
: how to setup filtering rules there's no need for proxies or the like imo.

: In any case ... that was just my 2 cents, free of using whatever you like

Also bear in mind that there are some real objections to application proxy firewalls
based on latency [since the proxy must pretend to be the real object] and the
fact you must potentially create an application proxy for every service that needs
to be let in [or out if you have a policy that requires it.]

Having been doing this for 10-15 years, I would object to terms such as 'highest
level of security' and the blanket claims made here that this product is the solution
to everything. Application proxy firewalls are important for some things but do not
provide the 'highest level of security'. This is why most enterprise-level firewall
implementations are now a mixture of packet filters, stateful packet filters, stateful
packet filters with application awareness and application proxies. The end user needs
to decide what is appropriate to meet their requirements.

I also am getting a little tired of the same boilerplate on the product being tossed
into threads without any attempt to discuss the specifics of the thread.


Server Firewall

Post by ObiWa » Thu, 12 Jun 2003 01:29:32


> Having been doing this for 10-15 years, I would object to terms such as 'highest
> level of security' and the blanket claims made here that this product is the solution
> to everything. Application proxy firewalls are important for some things but do not
> provide the 'highest level of security'. This is why most enterprise-level firewall
> implementations are now a mixture of packet filters, stateful packet filters, stateful
> packet filters with application awareness and application proxies. The end user needs
> to decide what is appropriate to meet their requirements.

> I also am getting a little tired of the same boilerplate on the product being tossed
> into threads without any attempt to discuss the specifics of the thread.

Agreed, as I wrote I wasn't trying to "push" the product whose link
I posted; I suggested it just because from personal experience
I consider it good enough. BTW, as I wrote, anyone is free to pick
the s/w (s)he likes more, and IMO an NG discussion shouldn't
become an attempt to promote products ... otherwise we'd better
leave the keyboards to some salespersons and let 'em "fight &
flame" at will :-)

Server Firewall

Post by Ida » Thu, 12 Jun 2003 02:09:50


A Stateful Packet Inspection firewall is also called a Dynamic Packet Filter
firewall. Because a static packet filter firewall cannot handle some
multi-port applications very well, such as FTP and IRC, dynamic packet filter
firewalls solve this problem by monitoring and modifying some application
data at packet level, and dynamically opening ports if necessary.
For example, they monitor the PORT command from the client and the PASV response from
the server. Besides, they assume that the command or the response is carried in
one packet, but none of these application protocols requires this. One of the
biggest disadvantages of packet filter firewalls is that the logged information is
not descriptive enough.

The application gateway firewall operates at the application level, and
checks whether the data follows the corresponding protocol or not.

The differences between these 2 types of firewalls are:
1. In an application gateway firewall, a direct connection between the client
and the server is disallowed. The firewall connects to the server only after
the three-step TCP handshake is done between the client and the firewall.
Therefore, the server is not affected by some DoS attacks like SYN flood.
However, a dynamic packet filter firewall has to forward the SYN request to
the server if the firewall allows this service. Therefore the server may be
attacked and not work well before the firewall detects the SYN flood.
2. An application gateway firewall only allows well-formatted application data,
and regenerates the packets, so that the session data will not be passed to the
server if the data does not follow the corresponding protocol. Some attacks
like the tiny fragment attack and the overlapping fragment attack are useless against
an application gateway firewall.
3. An application gateway firewall has better controllability. The firewall
provides options for administrators to set so that they can disallow some
dangerous operations. For example, the administrator can disallow HTTP DELETE
requests from being sent to his HTTP server, and disallow any WRITE
operations to his FTP server from the Internet.
4. The application gateway firewall generates clear and descriptive logs. They
are very helpful for administrators to trace the activities of hackers and
block their further attacks.

Now some advanced firewalls like Checkpoint support application gateway
functions, for example when the firewalls are required to do HTTP URL checks.
But in these cases, they only allow a small number of concurrent connections.

But ITShield firewall (http://www.itshield.com) handles all the sessions at
application level by default. It can handle more than 5000 TCP sessions,
unlimited UDP sessions, and unlimited IP sessions at application level in
parallel.

We need a firewall because we want the best protection for our networks.

Ida


> > There is a firewall called ITShield firewall (http://www.itshield.com).
> > Because application proxy provides the highest level of security and

> Ok I won't start a debate here but ... where's the difference between
> a *good & solid* STATEFUL packet filter and that critter ? If you know
> how to setup filtering rules there's no need for proxies or the like imo.

> In any case ... that was just my 2 cents, free of using whatever you like
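The PORT/PASV tracking that Ida describes above, as an added example that is not part of this thread or of any product mentioned in it: a minimal stream-aware FTP helper in Python next to a naive per-packet parser, using constructed addresses (10.0.0.5 as the client, 192.0.2.20 as the server) and an assumed policy of refusing announced ports below 1024. It shows the failure mode Ida points at (a PORT command split across two packets) and the checks a packet filter's helper needs before it opens a data-channel pinhole.

```python
import re

# Regexes for the two FTP messages that announce a data-channel endpoint:
# client "PORT h1,h2,h3,h4,p1,p2" and server "227 ... (h1,h2,h3,h4,p1,p2)".
SIX = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + SIX + rb"$")
PASV_RE = re.compile(rb"^227 .*\(" + SIX + rb"\)")
MAX_LINE = 512  # assumed policy: a control line longer than this is junk


def decode_hostport(groups):
    """Turn the six numbers of PORT/227 into (ip, port); None if a field is out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def naive_port_pinhole(packet: bytes):
    """Per-packet parser: finds a PORT command only if the whole line is in this packet."""
    m = PORT_RE.match(packet.rstrip(b"\r\n"))
    return decode_hostport(m.groups()) if m else None


class FtpHelper:
    """Stream-aware tracker for one FTP control connection (client_ip <-> server_ip).

    Each direction is reassembled into complete CRLF-terminated lines before
    parsing, so a PORT or 227 split across packets is still seen. A pinhole is
    opened only when the announced address is the endpoint that sent it; a
    command naming some third host is logged and refused instead.
    """

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.buf = {"c2s": b"", "s2c": b""}   # unconsumed bytes per direction
        self.pinholes = []                     # (src_ip, dst_ip, dst_port, mode)
        self.rejected = []                     # lines that failed validation

    def feed(self, direction: str, data: bytes) -> None:
        """Append a packet payload for 'c2s' or 's2c' and process every complete line."""
        self.buf[direction] += data
        while b"\r\n" in self.buf[direction]:
            line, _, self.buf[direction] = self.buf[direction].partition(b"\r\n")
            self._handle(direction, line)
        if len(self.buf[direction]) > MAX_LINE:   # no CRLF in sight: drop the junk
            self.rejected.append(self.buf[direction][:MAX_LINE])
            self.buf[direction] = b""

    def _handle(self, direction: str, line: bytes) -> None:
        if direction == "c2s":
            m, expect, mode = PORT_RE.match(line), self.client_ip, "active"
        else:
            m, expect, mode = PASV_RE.match(line), self.server_ip, "passive"
        if not m:
            return                               # not an endpoint announcement
        hp = decode_hostport(m.groups())
        if hp is None or hp[0] != expect or hp[1] < 1024:
            self.rejected.append(line)           # malformed, third-party host or privileged port
            return
        # Active: the server connects to the client's port; passive: the client to the server's.
        src = self.server_ip if mode == "active" else self.client_ip
        self.pinholes.append((src, hp[0], hp[1], mode))
```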


Server Firewall

Post by James Gran » Thu, 12 Jun 2003 03:15:15


Ida,

You should consider adding in your signature that you work for
itshield.com. That way, when you recommend your own product,
people know you have an interest in it and that you're not just a happy
user spreading the good news.

James Grant
(8Signs Ltd.)


Server Firewall

Post by Ida » Thu, 12 Jun 2003 04:01:50


Hello,

I am Ida Young, support at ITShield. The reason I joined this company is
that I am convinced it is a good firewall. I have never thought my signature
was important to you and other readers. What I am concerned about is whether what I
have said is true. It would be a pity if you trusted whatever Allan Cox says. I
mean even a famous person like Allan Cox may make a little mistake.

If I said anything wrong, please give me a shout.

Ida


> Ida,

> You should consider adding in your signature that you work for
> itshield.com. That way, when you recommend your own product,
> people know you have an interest in it and you're not a happy
> user spreading the good news.

> James Grant
> (8Signs Ltd.)


Server Firewall

Post by Ida » Thu, 12 Jun 2003 04:04:43


Hello Richard,

First, I should point out that ITShield firewall is not a pure application
gateway firewall. It is a hybrid firewall. But it handles all the sessions
at application level by default. Furthermore, ITShield Firewall can drop the
unwanted requests at packet level. If the high-speed network traffic keeps
the firewall very busy, the administrator can enable Stateful Inspection.

Second, yes, network performance is degraded. Because an application gateway
firewall examines the contents of all application-level messages across the
firewall, network connection speed will be affected. It may not be fast
enough to handle high-speed network traffic such as an OC3 or ATM network
without enabling Stateful Inspection in ITShield firewall. But it is not a
problem in ISDN, ADSL, T1 and T3 networks.

We know there are some serious issues that an application gateway firewall
has to face, such as difficulty in handling a high number of
concurrent sessions, handling UDP traffic, and monitoring many different
services. But ITShield firewall solves these issues smoothly. It can handle
more than 5000 TCP sessions, unlimited UDP sessions, and unlimited IP
sessions at application level in parallel. It can listen on all 65535 TCP
ports and 65535 UDP ports, and provides all 65535 TCP services, 65535 UDP
services, and other IP protocols at the same time at application level.

Can you kindly let us know what other issues you have experienced? Your
opinions are very valuable to us, and we want to provide our customers the
best firewall.

Thanks in advance

Ida




> : > There is a firewall called ITShield firewall (http://www.itshield.com).
> : > Because application proxy provides the highest level of security and

> : Ok I won't start a debate here but ... where's the difference between
> : a *good & solid* STATEFUL packet filter and that critter ? If you know
> : how to setup filtering rules there's no need for proxies or the like imo.

> : In any case ... that was just my 2 cents, free of using whatever you like

> Also bear in mind that there are some real objections to application proxy firewalls
> based on latency [since the proxy must pretend to be the real object] and the
> fact you must potentially create an application proxy for every service that needs
> to be let in [or out if you have a policy that requires it.]

> Having been doing this for 10-15 years, I would object to terms such as 'highest
> level of security' and the blanket claims made here that this product is the solution
> to everything. Application proxy firewalls are important for some things but do not
> provide the 'highest level of security'. This is why most enterprise-level firewall
> implementations are now a mixture of packet filters, stateful packet filters, stateful
> packet filters with application awareness and application proxies. The end user needs
> to decide what is appropriate to meet their requirements.

> I also am getting a little tired of the same boilerplate on the product being tossed
> into threads without any attempt to discuss the specifics of the thread.


Server Firewall

Post by James Gran » Thu, 12 Jun 2003 04:51:18



> Hello,

> I am Ida Young, support at ITShield.

Welcome to the newsgroup, Ida Young of ITShield.

> The reason I joined this company is
> that I am convinced it is a good firewall. I have never thought my signature
> was important to you and other readers.

The importance is to the reader who needs to know
why you like the product you recommend. They deserve
to know why you're not recommending other good firewalls.

> What I am concerned about is whether what I
> have said is true.

Fair enough, but look at it this way - in court, when you are
sworn in, you swear more than to tell the truth, you swear to
tell the whole truth (and nothing but the truth).

> It would be a pity if you trusted whatever Allan Cox says. I
> mean even a famous person like Allan Cox may make a little mistake.

Who's Allan Cox?

> If I said anything wrong, please give me a shout.

> Ida

(snip)

Sure.

James Grant


Server Firewall

Post by Wolfgang Kuete » Thu, 12 Jun 2003 06:15:52



> Installing a personal firewall on a server running a Windows OS may kill
> your clients. But without a firewall it is very dangerous, because there
> are so many known and unknown security problems in Windows OS.

How do you know? Have you analysed the source code? BTW, have you told
Micro$oft about these security problems?

> You'd better
> put a firewall between your server and the Internet, and set up strict rules
> so that only specific traffic can go through the firewall.

[x] Please define firewall.

> There is a firewall called ITShield firewall (http://www.itshield.com).

Oooops, a sales droid, how funny.

> [itshield is said to do this and that]

Could you please answer the following questions:

- Is the source code of the product available?
- What kind of cryptographic algorithms are used in the product?
- What operating system is used?
- What kind of hardening of the operating system is necessary?

Sorry, but please do your sales training elsewhere, this is a technical
group.

Wolfgang


Server Firewall

Post by Ida » Thu, 12 Jun 2003 07:14:35


Hello Wolfgang,

> - Is the source code of the product available?

No, it is not open source software. Is the source code of CheckPoint open?

> - What kind of cryptographic algorithms are used in the product?

No, every proxy in ITShield firewall has to speak the corresponding
protocol. For example, proxy_ftp has to regenerate FTP data in the clear.
Otherwise the client and server will not understand the data sent by the
firewall. Were you talking about VPN? Our IPSEC VPN and PPTP VPN have to
follow the corresponding protocols. Otherwise, the IPSEC tunnel and PPTP
connection cannot be established.

> - What operating system is used?

Linux

> - What kind of hardening of the operating system is necessary?

ITShield firewall for Intel is based on kernel 2.4.19, and ITShield firewall
for Sun 64-bit machines is based on kernel 2.4.20. Some unnecessary
functionalities of the original kernel are disabled. The core part of the
firewall is loaded as a module called ip_firewall.

Ida



> > Installing a personal firewall on a server running a Windows OS may kill
> > your clients. But without a firewall it is very dangerous, because there
> > are so many known and unknown security problems in Windows OS.

> How do you know? Have you analysed the source code? BTW, have you told
> Micro$oft about these security problems?

> > You'd better
> > put a firewall between your server and the Internet, and set up strict rules
> > so that only specific traffic can go through the firewall.

> [x] Please define firewall.

> > There is a firewall called ITShield firewall (http://www.itshield.com).

> Oooops, a sales droid, how funny.

> > [itshield is said to do this and that]

> Could you please answer the following questions:

> - Is the source code of the product available?
> - What kind of cryptographic algorithms are used in the product?
> - What operating system is used?
> - What kind of hardening of the operating system is necessary?

> Sorry, but please do your sales training elsewhere, this is a technical
> group.

> Wolfgang


Server Firewall

Post by Wolfgang Kuete » Thu, 12 Jun 2003 18:52:44



> Hello Wolfgang,

>> - Is the source code of the product available?
> No, it is not open source software. Is the source code of CheckPoint open?

Of course not and therefore the question is allowed: Can you trust
Checkpoint (or any other vendor who does not publish the source)?

>> - What kind of cryptographic algorithms are used in the product?
> No, every proxy in ITShield firewall has to speak the corresponding
> protocol. For example, proxy_ftp has to regenerate FTP data in the clear.
> Otherwise the client and server will not understand the data sent by the
> firewall. Were you talking about VPN? Our IPSEC VPN and PPTP VPN have to
> follow the corresponding protocols. Otherwise, the IPSEC tunnel and PPTP
> connection cannot be established.

I was talking about the 'secure remote administration' you mentioned. This
usually requires cryptography.

>> - What operating system is used?
> Linux

>> - What kind of hardening of the operating system is necessary?
> ITShield firewall for Intel is based on kernel 2.4.19, and ITShield
> firewall for Sun 64-bit machines is based on kernel 2.4.20. Some
> unnecessary functionalities of the original kernel are disabled. The core
> part of the firewall is loaded as a module called ip_firewall.

If you disable kernel functionality of a Linux system, I'm afraid you have to
publish the source code according to the GPL.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
