What is the Best Firewall for Servers?
Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
Maybe the question we need to ask ourselves is: why isn't there a quality open source firewall implementation for Windows? Since there are a number of shareware and commercial firewalls, it can't be too hard to write. Why hasn't anyone started a WinFire.sf.net project and created one? I'm sure it would blast all the crappy commercial ones away in no time, while end users would benefit greatly.
Any takers?
Exactly my thoughts.
From what it sounds like, he just wants incoming ports blocked (being hit by zombies).
$30 should buy an external fw/NAT box with simple rules; a little more and you could get some similar router and on-board firewall combos that run on top of Linux too. Should fit the bill pretty well.
Well, blocking incoming ports should be doable with Windows' own built-in fw too, so maybe he just would want a free Kerio or something: you know, with fancy menus and crappy threat detection and popups to piss you off.
world was created 5 seconds before this post as it is.
Did you miss the part about how he works for a school? He has to get the money before it can be invested, and $100 might be the limit above which he has to get the approval of 3 PHBs and 6 beancounters.
Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?
I work at a university, so I know the game.
I would recharge the other department $50 for 'security services' for each IP they fail to protect that touches my box. Include a printout of the log proving it's their box.
Either of two things will happen:
1) They'll pay up because they aren't paying attention.
2) They'll bitch like hell at your boss which will cause him/her to approve the budget request, or will get him/her to move up the food chain and get the funds from a common source.
Either way, the money shows up, the problem gets solved. In fact, it'll probably also solve the zombie problem by bringing such high attention to it.
It was $30 + OpenBSD donation for me. That was the cost of government surplus PIII-450s with enough RAM and HD space for moderate use. It would be a rare university that didn't have machines like that lying around.
"I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore."
/var/log was full!
:)
Actually the same thing happened to me. Well, sort of the same (my connection uses DHCP). My problem was that the webpage configuration never came up. I finally figured out that this was because my 100mb
Clearing that out made the smoothy run fine again. It has since happened a few more times and every time I just have to clear out all the logs. That said, while the disk was full, it was still routing traffic as expected for months before I discovered the issue.
The one thing I would like to see would be a better way of tracking all the connections being set up and torn down by the machine, realtime, say logging to a console window. I used to have a dubbele NetBSD firewall ( http://firewall.dubbele.com/ ) that, because of the firewall package on there (vastly superior to iptables IMHO), I could run a simple command (ipmon -o N) and it would list everything going on. Very cool. I know about the IP conntrack mod for smoothwall, but on a webpage it just doesn't have the same cool feel as realtime. It's nice to catch all those EA games you have calling home when you launch them.
Anyways, the one story I love to tell about the NetBSD machine was that the hard drive failed on it months before I found out. The machine was running flawlessly until I rebooted it for some reason and got a nice primary HDD fail in the BIOS. The last timestamp for a file on the HDD was like 8 months previous.
I'll just use my special getting high powers one more time...
I have an OpenBSD router here at work that I built, and I will vouch for its performance. We have been hit by Drudge and /. a few times, and even though none of the websites or mail servers would work, I was able to poke around in the firewall with no noticeable lag. We had over 10,000 ACTIVE states in the table, and the performance of the server was pretty stable with no noticeable lag on the console (couldn't ssh as the T1's were all maxed).
System specs are pretty normal, 1Ghz Athlon with 512MB RAM.
/* oops I accidentally made a comment, sorry */
You can configure the network interface to filter ports: look up the commonly used IP ports and allow the ones you use only. (This is also in win2K, NT ...)
The issue is that the unsecured computers in the labs need to connect to the servers, and viruses will use the network drives as an infection vector.
1) Close all ports that are not going to be used with the included tools of Windows Server.
2) Get an anti-virus package for the servers and set them to check every hour for updates.
The price for Sushant's solution doesn't have to be free, and when building a dedicated firewall based on m0n0wall, it might make sense to use a few new and inexpensive parts.
;-)
My first m0n0wall used the Rhine and Intel chipset with less than stellar performance, but when I changed the ethernet cards to identical Asante EtherFast with the Tulip chipset, my performance increased dramatically (sorry for the lack of any tech details, but the difference was "subjectively" noticeable).
If you go the route of using a CF card, do yourself a favor and load m0n0wall on a couple of cards; 16-32 MB cards are dirt cheap. This way you can always experiment with later versions of the firmware, just by swapping cards out. On the other hand, if you go the CD route, you can run without a hard drive (use a floppy for XML configs).
Lastly, use a PII or PIII. Prolly overkill for your scene, but the last thing you want is a firewall struggling with an anemic CPU.
m0n0wall is definitely the *nix based firewall for the NT admin
three can keep a secret, if two are dead - benjamin franklin
Linux-HA fails firewalls just fine.
Linux-HA will failover the IP address but it does not share state between the firewalls, so it has the potential to break long-running connections. OpenBSD can be configured to share the stateful inspection table using pfsync; see here.
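As an added illustration (not from any poster in this thread) of the two points above, a default-deny OpenBSD pf ruleset that only admits the inbound ports a server actually uses, plus the pfsync and CARP pieces that let a second box take over without dropping the state table. Interface names (em0/em1/em2), addresses and the CARP password are assumed placeholders; the second firewall gets the same files with a higher advskew.

```conf
# ---- /etc/pf.conf (primary firewall; assumed interface names) ----
ext_if  = "em0"          # toward campus network (where the zombies live)
int_if  = "em1"          # toward the lab servers
sync_if = "em2"          # dedicated crossover link to the standby firewall
srv_tcp = "{ 22 80 443 }"   # only the services the lab servers must expose

set skip on lo
set state-policy if-bound

# pfsync and CARP traffic must flow even though we default-deny below.
# "no-sync" keeps these housekeeping states out of the replicated table.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Default deny inbound; log it so hits from other departments show up
# in pflog and can be handed to their admins as evidence.
block in log all

# Outbound from the labs is allowed and its state is replicated via pfsync,
# so a failover mid-connection does not reset long-running sessions.
pass out on $ext_if inet keep state
pass in  on $int_if inet from $int_if:network keep state

# Inbound only to the published services, and only to the shared CARP address.
pass in on $ext_if inet proto tcp to 192.0.2.10 port $srv_tcp \
    flags S/SA keep state

# ---- /etc/hostname.carp0 (shared address the clients actually use) ----
# advskew 0 = master; use advskew 100 on the standby. Replace PASSWORD.
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 advskew 0 pass PASSWORD

# ---- /etc/hostname.pfsync0 (state replication over the crossover link) ----
up syncdev em2
```

After `pfctl -f /etc/pf.conf` on both boxes, `pfctl -ss` on the standby should list the same states as the master; pulling the master's uplink then moves the CARP address without the existing connections being reset.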