Posted by Stephan Carydakis on April 1, 2005, 12:54 pm
> On Fri, 01 Apr 2005 08:05:52 +1000, Stephan Carydakis wrote:
> >
> > I have recently needed to install a firewall on my home puter (Win2k AS)
> > as there was a lot of unwanted traffic coming in (especially to MS-SQL
> > server) on my ADSL connection.
>
> Very bad move - there is no PERSONAL Firewall application that should be
> run on a Server that is going to be totally compliant with the OS. In
> fact, I think that ZA specifically states that it's not for a server.
>
I do realise that it is not the best idea to run a firewall on a server.
Even though I do work from home occasionally and I do support a client on
this machine, I don't want (or need) to set up anything more serious than
what I have at the moment. I do have an old P3 celery stick which I run Win
98 on to do testing sometimes. Maybe I will use this?
> Windows 2000 Advanced Server is quite a nice setup, I have more than 12 of
> them here. At the very least you need to setup a barrier appliance in
> front of your network to block unsolicited traffic BEFORE it reaches your
> network.
>
If I do this, I would have to setup routing from that machine to my inside
network, yes? My Win2k box is multi-homed and also runs WINS, DHCP, DNS and is
a DC. I also used to have MS's routing and remote access doing my routing
between my 'outside' network and my internal network but it was fickle and
often used to break. Not knowing enough about routing and route tables, I
used to have to reboot my machine to get the routes back when they broke.
> If you didn't have a firewall in place, or even a simple NAT Router, and
> your server was online, I would suspect that your server is already
> compromised, even if you don't personally see it.
My modem does NAT. It is a Netcomm NB1300.
> First step is to get a barrier device that works with your DSL service -
> most of the Linksys units (BEFSR41 as an example) will directly connect to
> a DSL PPPoE service and maintain the connection. You can then setup port
> forwarding to allow just the ports you want the public to access through
> to the server (never allow ANY SQL ports access via public connections).
I haven't added any forwards on the modem. I'll have to have a look. It's got
a nice HTML interface for setting it up.
> Once you get the Router/NAT you won't need a personal firewall running on
> your server, but, unless you really understand security you are going to
> get compromised in short order - the service patches and updates don't
> secure the server. IIS is easy to compromise on a default install system,
> please look for how to secure IIS, MS has many articles on it.
Used the IIS lockdown tool.
> You might also want to block outbound ports 135~139,445,1433/1434 so that
> when your server gets compromised, that it can't use simple means to get
> to other machines.
>
> Also, don't settle for personal AV software, get a quality SERVER type
> antivirus application to protect it.
I like VirusScan Enterprise 8. It has access protection, buffer overflow
protection, unwanted-programs policies and port blocking.
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>
Thanks for your advice. Given that in the short term I'm probably going to
have to run a firewall on the server, can you recommend any?
Thanks again,
Steph.
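The thread's advice boils down to two port lists: never forward the RPC/NetBIOS/SMB ports (135~139, 445) or the MS-SQL ports (1433/1434) from the public side, and block them outbound as well. The script below is an added example (not from the posters or from the NB1300's firmware) that parses the thread's own port notation and audits a constructed router forwarding table against it; the table format is an assumption, one rule per line as "proto ext_ports -> host:port".

```python
"""Audit NAT port-forwarding rules against the port lists given in the thread."""
from dataclasses import dataclass

# Ports the thread says must never be reachable from the public side.
BLOCKED_SPEC = "135~139,445,1433/1434"   # notation as written in the thread


def parse_ports(spec: str) -> set:
    """Expand '135~139,445,1433/1434' into a set of ints.
    '~' is an inclusive range; ',' and '/' both separate single ports."""
    ports = set()
    for item in spec.replace("/", ",").split(","):
        item = item.strip()
        if "~" in item:
            lo, hi = (int(x) for x in item.split("~", 1))
            ports.update(range(lo, hi + 1))
        elif item:
            ports.add(int(item))
    return ports


@dataclass
class Forward:
    proto: str
    ext_ports: set
    target: str


def parse_forwards(text: str) -> list:
    """Parse the assumed table format: 'tcp 80 -> 192.168.0.2:80' per line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, ext, _arrow, target = line.split()
        rules.append(Forward(proto.lower(), parse_ports(ext), target))
    return rules


def audit(forwards: list, blocked=None) -> list:
    """Return one finding per rule that exposes a blocked port to the public side."""
    blocked = parse_ports(BLOCKED_SPEC) if blocked is None else blocked
    findings = []
    for f in forwards:
        hit = sorted(f.ext_ports & blocked)
        if hit:
            findings.append(f"{f.proto} {hit} -> {f.target}: exposes RPC/SMB/SQL port(s)")
    return findings


# Constructed sample table; not taken from any real router.
SAMPLE_TABLE = """
tcp 80 -> 192.168.0.2:80
tcp 1433 -> 192.168.0.2:1433
tcp 135~139 -> 192.168.0.2:139
udp 1434 -> 192.168.0.2:1434
"""

if __name__ == "__main__":
    for finding in audit(parse_forwards(SAMPLE_TABLE)):
        print(finding)
```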