Slashdot Mirror
What is the Best Firewall for Servers?
Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
Ummm, OpenBSD of course! www.openbsd.org
a linux box.
ZERO
http://www.smoothwall.org/
That way, platform compatibility is a nonissue.
I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
I'd say keep the firewall software off of your Server. Get a decent hardware one from Checkpoint.
Seriously, why put down $300 when the windows firewall will do?
Or get a $50 router and block all uncessary ports to give yourself and additional layer of security.
-- Binary Finary
You keep getting hit by zombie machines?
Liberal Arts zombies? Are you sure they're not dogs?
(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer.)
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
$subj, the only true firewall :)
I've found that for 99% security, the best solution is to unplug the ethernet cable on my server and just use it locally (kind of defeats the point, huh?)
... stupid squirrels...
The missing 1% is for the ninja squirrels
We use FreeBSD with IPF, IPFW and some home-brewn tools in our main hosting centre. We have chosen name-brand hardware and free software - already having in-depth knowledge in-house, we had no need to buy a complete black-box solution.
Of course - investing in "fresh" knowledge on FreeBSD or whichever other platform you wish to roll your own firewall/ids solution on top of - is going to be expensive. Thus this solution might not work for all...
Love over Gold.
Just use iptables on a cheap old pentium or something. Two network cards, one inside and one outside. Even a modest Pentium or Pentium II could keep up with good amounts of traffic.
IP Cop. ;)
http://www.ipcop.org/
The firewall bundled with the service pack upgrade to Server 2003 isn't too bad, but it only does incoming connections. You can exempt ports or executables.
Also, it's free.*
*Well, you know what I mean.
Does it cost less than US$100? You can't be serious. Securing your machines is only worth $100? Is that how much it will cost to fix them once they are cracked? Give me a break. If you are serious about security you can invest more than $100.
You are approaching the problem from a wrong direction.
There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls, are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.
The proper way to protect server farms in campus is to have secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. Secure network consists of firewalls, segmented network (separate VLAN's, switching blocks, etc.). Excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.
Marko.
running OpenBSD and pf. Include another cheap box and CARP if you need redundancy/failover.
Let's get drunk and delete production data!
I don't think you'll get flamed too bad. Its what I was going to suggest. I run iptables as I'm sure many others here do. Its simple, there's lots of open source tools to make management of those rules easier, and a basic install of Linux will run on some pretty lightweight machines. Heck, there's always the distros on a CD to make things even more secure, and by putting the rules on a floppy set to read_only makes for relatively simple updates to the rules if/when needed.
A good security system is to have a multi-layered security system.
It's free.
Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to seperate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwith. Hey, you asked for cheap. Doesn't get much cheaper than that.
You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up convieniently with a web browser.
There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.
I would personally avoid Windows software firewalls like the plague, as they run at escalated priveledges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.
If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.
Happy hacking!
zosxavius photography
Ceramic wafers with asbestos stuffing...
Some settling may occur during posting.
For the linux machines, have a peek at firestarter (www.fs-security.com). It's easy to configure, has a nice GUI, and provides a reasonably simple method of configuring IPTables.
If your requirements are a little more complex (eg: DMZs, VPNs, etc.), you might want to have a peek at firehol instead. Text-based configuration, but greatly simplifies the process of wrangling with iptables.
I tend to recommend zonealarm for windows for most people, but that's more out of apathy (ie: I haven't reviewed the options lately) than anything else.
Red.
I'd suggest ditching a software firewall and investing in a proper hardware firewall such as Checkpoint FW1 and put all the servers behind that firewall.
Put another firewall ideally of a different type (break one you've still got another to break) and use that to isolate all the departmental computers...
Ensure the policies are locked down tight and that any changes are approved by someone who knows what they're about before being implemented.
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
Are you sure you are human?
When its liberal arts machines getting infected, I've found the BEST firewall to be a pair of wire cutters. NOTHING gets through after the skilled use of these babies.
Kerio *does* make an excellent firewall product for Windows servers (Kerio Server Firewall). It is pricey, however, and for the same or less money you could install a Smoothwall box.
You've still got to buy the box.
A $25 surplus P-II should suffice. I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.
There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2
During my career in network security, there has never been a software based firewall I couldn't compromise. I had the unfortunate task of reverse engineering the competition (firewalls).
There are so many problems in the basic network stack (in Windows) that a hardware firewall is your only realistic alternative. With hardware, you only have to worry about your open ports.
Anything basic will do. Investing in a Cisco PIX is usually a waste of money. I've tunneled a remote shell through port 80 using IIS, making an $80k PIX worthless. Exploits are generally simple, so fragment reconstruction is unnecessary.
With Windows, the mantra "good enough" rules. All of the packet filtering in the world won't save your server. The best thing you can do is attach a $50 LinkSys firewall and be done with it. Keep a copy of Ghost handy for when it gets compromised.
Add wwo network cards
Add free Linux 2.4 distribution or higher
Activate netfilter and iptable
See: ttp://www.netfilter.org/
Deploy firewall using instructions in the netfilter how-tos:
See: http://www.netfilter.org/documentation/
Or, if that's too much for you, just get the equipment and add one of the pre-configured firewall Linuxes like SmoothWall (http://www.smoothwall.org/), Devil-Linux (http://www.devil-linux.org/home/index.php) or Coyote Linux (http://www.coyotelinux.com/).
No fuss, no muss.
Steven
I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
:)
Have you tried plugging it in?
I second IPCop. I use it for a group of about 50 users, and I've got an uptime of almost a year. The things I like about IPCop: - It works. Well. - Free! - Lean. It doesn't have a whole lot of nonsense that you don't need. - Comes with a nice web interface. - Handles aliasing fine. That way you can have more than one IP address per physical interface. - Has a healthy support community. - Runs on a lot of hardware. I've actually got two ipcop boxes, identically configured. That way if one ever dies, I just turn the other one on and in two minutes I'm up and running again. Of course, this would add yet another single point of failure for your servers, but there's only so much you can do with $100...
I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.
While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).
I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.
Check out IPCOP site
that was me.
For anybody that's wondering what the answer is, assuming your proliant has 256mb then this is what you need :
mem=exactmap mem=640k@0M mem=255M@1M
This is precisely the correct answer. Not iptables/smoothwall/shorewall/other_*nix_box_inbet ween answer. Read the question folks, supply the simplest effective answer, preferrably using the tools that come with the operating system.
Read the submission. He's looking for a solution that is below $100. I'm willing to bet his time does have zero value. I'm thinking student worker who is going to be getting hours even if he has nothing to do, so yeah, his time is basically of no value.
I hate grammar Nazi's.
For Windows? A seamless, 3' thick rebar-reinforced cement vault is preferential. It's easiest to add the machine prior to pouring the cement, I've found.
But with zombies in general, I prefer a more proactive approach: a 12 gauge shotgun loaded with 00 buck does nicely.
Seriously though. Every Windows machine should be behind an entirely seperate firewall, protecting it from everything and everything from it. A Windows machine on a public network that isn't being agressively administered is about as safe as a polish handgun.
By the description of your environment and problem, it sounds like you basically want to quarantine the humanities from the rest of campus so they don't wreak their plague of stupidity upon everyone else (this is good policy in general, I've found - humanities aren't fond of reasoned, concrete thought).
Probably the best way to do that would be to set up an IDS gateway between their networks and the rest of campus. Something from CISCO would probably be best, but I'm fairly certain you could do it with linux/BSD or another COTS solution for decreased price. Have the IDS set up to basically drop all trafic from zombied machines. When they complain to you that "their" network isn't working and that it's your fault, give them the ISP treatment: fix your machine and we'll let you back on.
Really, allowing humanities types to manage their own hardware is just a receipe for disaster. Would you let your accountant work on your car? It's not adviseable, and would likely cost you more than not having repair done at all and waiting for further problems.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Joking aside, I remember reading that pf's performance actually increases with stateful filtering vs. stateless filtering because looking up an entry in a state table is much faster than walking the ruleset for each packet. I also read that there is virtually no performance loss even with thousands of states.
Does anyone else remember the warez newbies crying that their off-the-shelf blackbox router crashes if their P2P app opens too many connections? Now you may laugh.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
PS: that was the link I missed: http://kerneltrap.org/node/477
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
I have an OpenBSD router here at work that I built, and I will vouch for it's performance. We have been hit by Drudge and /. a few times, and even though none of the websites or mail servers would work I was able to poke around in the firewall with no noticable lag. We had over 10,000 ACTIVE states in the table, and the performance of the server was pretty stable with no noticalbe lag on the console (couldn't ssh as the T1's were all maxed).
System specs are pretty normal, 1Ghz Athlon with 512MB RAM.
/* oops I accidentally made a comment, sorry */
I can't speak for the linux side of things, but here's my comments for Windows.
Note that while this is easier to manage with Group Policy via Active Directory, you can use the local group policy settings and migrate them across your lab. My thoughts on this are valid for XP and 2003.
The internal firewall is your first defense, blocking all non permitted inbound random/unimportant information from reaching your machines. Tell the firewall the applications you will be using, and it will dynamically open required ports as the program needs them. This way you don't need to deal with local port management. You want this setup to prevent traffic from reaching IPsec, and for any logging purposes you may have. IPsec's current version doesn't really do packet logging, and is in no way a firewall (Although, I used it for years as a firewall with Windows 2000 and never had any ill-received problems, but they were not on critical systems either).
Use IPsec in pure authentication mode without encryption (unless you have encryption offload cards). You can use it in several ways.
All communication requires authentication:
No computer can talk to yours that is not setup properly. Period.
All inbound communication requires authentication:
All inbound traffic must authenticate or be dropped.
If you lock inbound, but not outbound, your clients can still access web resources and any other computer without issue, but you have completely prevented anyone else from initiating communication with your systems.
IPsec works like this: Generic rules (require authentication from everyone) are over-ridden by a more explicit rule (do not require authentication from whatever.system.local). Generic all IP rules are over-ridden by port rules, port rules are over-ridden by explicit IP address rules or subnet rules. Etc.
For your purpose, I would at least require all inbound traffic to require authentication by String, however this is not secure and anyone with administrator access can rip the password out of the registry. To do it securely, you need to do it by certificate or Kerberos. The kerberos implementation will require active directory, the certificate method will require a full IKE/PKI configured for your area. You do not need to buy a certificate from a place like verisign, you can do it all yourself through your own self-signed certificates. This entire process with IPsec can be automated through Active Directory, but if you don't have active directory, I believe any generic IKE/PKI server can generate valid certificates for your use. It's a lot less work on your part doing it through active directory.
IPsec policies will work between Windows 2000, XP, and 2003, however your key strength is limited based on the oldest OS you use. 2000 will only function with low keys, XP with both low and medium, and 2003 with strong keys and the two weaker keys. Also, you can set it up from strongest key generation to weakest, so 2003 will always talk to 2003 in strong, 2003 to XP in medium, 2003 to 2000 in weak. It may be possible to make IPsec work side-by-side with Linux using Freeswan, or whatever project replaced it, however I never used that program.
One last thing, if your systems are used by untrusted users, considers how possible it is to use the software restrictions built into Windows. Once that is activated and configured well, it becomes very difficult for a local user to run non-authorized software without sitting at the machine and taking it over first. Refer to rules regarding Software Restriction Policies for this.
K.
Why? Because everyone is out trying to hack Linux and Windows machines, they seem to leave the FreeBSD machines alone, maybe because they don't know what to do with them. Or at least there seems to be less people hacking FreeBSD. Most likely its just less press about it. NetBSD or OpenBSD would also probably work as well.
I run my firewall off a custom hacked FreeBSD CDROM. While this makes updates more difficult, it makes replaceing files near impossible. Hackers can't replace /bin/ls unless they mount /bin as a memory filesystem, in which cause they now have to replace df, mount and several other programs. You really only need /var and /tmp as memory filesystems, and maybe some parts of /etc or the whole /etc.
It has no hard drive so if the power cycles, it just reboots and its all fine and dandy. I have a seperate machine that I can do builds on and updates. I have trimmed it down to a 64 Megs CD and that includes perl, sshd, apache, dhcpd, and bind9.
You could do this with Linux as well. I haven't heard of anyone creating a Windows bootable CDROM firewall. Mac needs special hardware, and I'm not that familar with Mac, but you could probably create a Mac firewall on cd as well.
If you think its been hacked, reboot and the hackers have to try again :-)
There are also commercial hardware firewalls. Some are cheap, like the Netgear, dlink, and Linksys, but some of the better ones are in the $500 plus range.
Only 'flamers' flame!
Does slashdot hate my posts?
My firewall is a Pentium (non-MMX) 200 with 32 Megs of RAM and 1.2 Gigs of HD and two $5 NICs (remember, unless you're dealing with a really high bandwidth pipe, a 100 Mb/s NIC should be plenty). You could probably grab one of those from a local surplus dealer or eBay for less than $50. Then set up Linux (whatever distro you feel you could deal with except Linspire). I use Redhat myself. :) Do a minimal install but remember to keep devel tools on so you can compile all of your own custom stuff. Spend a few days removing all unneeded commands/services, recompiling the kernel for serial console (so you can ditch ssh and/or telnet), iptables support, etc... Set up your inside and outside interfaces. Put on Snort, Portsentry, what have you for security and auditing. Plug it inline and away you go. I've been running with the same exact config since 2001. The only thing I've had to do is rebuild the kernel a few times due to exploits. Also upgrading portsentry from time to time, or snort. So far no one has hacked my network and I'm aware of every packet that enters or exits it. There is nothing outside except for the one NIC on that box. Cheap, simple, efficient.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
There's obviously a lot of evangelism going on here, I can't even get involved in discussions of using old PCs as firewalls to protect valuable network resources, other than to say I've worked for many corporations over the years and I haven't yet worked for one that ran a production network using old PCs as routers and firewalls.
Anyway, if one is asking what *I* use, at home it's the perfectly usable firewall capabilities built-in to my network router, plus I still run BlackIce on my systems. (Yes, I know, BlackIce is far from perfect, and it annoys me sometimes, but it does what a lot of other commercial software firewalls don't do, it *tells me* when it sees questionable activity.)
For work, if I really didn't trust my LAN, I'd probably do something similar, hardware router acting as a firewall protecting my systems collectively, with additional software firewalls on my critical servers for a little overkill. The one Microsoft offers now would probably be sufficient, and at least won't dent the $100 budget mentioned.
A good quality anti-virus software should always be running on any windows server too, of course. One configured to get updated a/v definitions at least once a day.
They're different. One is saying "I run the infrastructure, and I don't care if I get in the way of you doing your job." (To which the answer is "Hell, director of computer services? Please reprimand or fire
One exception to this is Coyote Linux. Not only does it not have the usual services enabled by default, nearly all of them have been stripped out. It includes just the components (such as iptables) that serve the central function of safely connecting a LAN to the Internet. And because it's so minimal, it fits on a floppy and runs on a 386 with 12MB RAM. It's no substitute for a full-featured Cisco Pix (for that you'd have to look at Coyote's big brother Wolverine), but it's worked great for me for years, both at home and in a couple offices I've worked at.
http://alternatives.rzero.com/
Trivium: logic, rhetoric, and grammar
Quadrivium: arithmetic, astronomy, geometry, and music.
So math has two of the liberal arts.
Take a pair of bolt cutters to the network cable.
---
Or the Aliens option: "Bug out, nuke the site from orbit. Only way to be sure"
You can configure the network interface to filter ports: look up the commonly used IP ports and allow the ones you use only. (This is also in win2K, NT ...)
The issue is that the unsecured computers in the labs need to connect to the servers, and viruses will use the network drives as a infection vector.
1) Close all ports that are not going to be used with the included tools of Windows Server.
2) Get an anti-virus package for the servers and set them to check every hour for updates.
Not really, and the cost of taking a PC you already have and turning it into a Linux-based firewall is zero.
Steven
the price for shushant's solution doesn't have to be free, and when building a dedicated firewall based on monowall, it might make sense to use a a few new and inexpensive parts.
;-)
my first monowall used the rhine and intel chipset with less than stellar performance, but when i changed the ethernet cards to identical asante etherfast with the tulip chipset, my performance increased dramatically(sorry for the lack of any tech details, but the difference was "subjectively" noticable).
if you go the route of using a CF card, do yourself a favor and load monowall on a couple of cards, 16-32 mb cards are dirt cheap. this way you can always experiment with later versions of the firmware, just by swapping cards out. on the otherhand, if you go the CD route, you can run without a harddrive(use floppy for xml configs).
lastly, use a PII or PIII. prolly overkill for your scene, but the last thing you want is a firewall struggling with an anemic cpu.
m0n0wall is definitely the *nix based firewall for the NT admin
three can keep a secret, if two are dead - benjamin franklin
Look, the OS really doesn't matter. What does matter is getting your employers to not do stupid things, like run their laptops without security patches and insist on running NFS and file sharing from home and on every machine in your group, getting them to pick decent passwords, teaching people never to use .zip attachments for anything, never running passphraseless accounts and open access points, etc., etc., etc.
Until you can get basic security steps like those in place, the world's best firewall is like a really big lock on a 3 foot high fence. Even the most casual crackers will simply step over it.
It is unattackable with packets addressed to it (because it has no address). It is still attackable by malformed packets traversing it. To work as filter it has to scan the packets, and if this packet scan can malfunction on special packets, there is a possible attack to the packet filter.
Geez, I thought the only way to keep a windows system completely secure was to leave it off....
"It is a good divine that follows his own instructions" - Portia, The Merchant of Venice
Most of what you say makes some sense. The glaring problem is:
3.) Tcp/IP filtering @ the IP Stack levels (UDP & TCP) allowing ONLY port 80.
Could you please explain how things like DNS(pretty well required for surfing), HTTPS (port 443), FTP, SSH and several other services would work?
If VISTA is the answer, you didn't understand the question
Right, its called "defense in depth". So he really should use the builtin firewall on each of the Fisher Price OS servers and workstations.
I'm sorry you feel that running an OS is some kind of machismo thing. Would you like some stubble glitter for Christmas? I despise OS bigots. They're unprofessional, bullheaded and usually wrong.
On the other hand, anyone using a windows-based firewall as a perimeter defense is a complete moron. You either use some firewall-in-a-box, and for bigger networks, you use some *BSD or Linux.
Nobody said to load Windows Firewall and let it sit. Remember the constraints this guy has- he needs to to work for $100 or less. So he gets a firewall for free that is application-aware. Cool. Now he has host based firewalls and he still has his $100. Hell, he could go to Best Buy, pick up a router for $40, and take his Significant Other out to dinner.