What is the Best Firewall for Servers?

Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"

OpenBSD, of course!

Ummm, OpenBSD of course! www.openbsd.org

Re:OpenBSD, of course!

[urlgrey]

Kidding aside, OpenBSD is my choice, but any used PIII 'nix machine, be it:

OpenBSD with PF,

FreeBSD with either PF IPFW,

pretty much any Unix variant OS with IPFilter,

Linux with IPTables

will do the job swimmingly.

Re:OpenBSD, of course!

[Guspaz]

They seem to be referring to software to put on existing servers. It would be hard to build a decent OpenBSD machine for under $100 US.

Of course if they DID want additional hardware, the absolute cheapest general-purpose linux box is the Linksys WRT54G. At least, it becomes a general purpose box as soon as you throw OpenWRT on it. Just set up the iptables rules however you like. You may want to disable the wireless functionality.

I've seen the WRT54G selling for as little as $50 CDN, which is probably about $40 US. It doesn't get much cheaper than that for a linux box.

Still, I think he meant more software-wise.

Re:OpenBSD, of course!

[squidfood]

They seem to be referring to software to put on existing servers. It would be hard to build a decent OpenBSD machine for under $100 US.

It was $30+OpenBSD donation for me. That was the cost government surplus PIII-450s with enough RAM and HD space for moderate use. It would be a rare university that didn't have machines like that lying around.

Re:OpenBSD, of course!

[leonmergen]

So, why don't you make your OpenBSD a firewalled (and possibly ip-less) bridge ? That way, attackers have no way of knowing that there's a firewalled bridge between them and the HTTP server, and packets still get filtered... just disallow any outside connections to your bridge-server and you're safe.

Make sure you set your webserver to only allow to respond to accepting connections, not initiate new connections.

Re:OpenBSD, of course!

[Shanep]

I also have to agree.

* DMZ: Put your servers into appropriately configured DMZ's using a seperate OpenBSD host as the firewall. Lock it down so that only traffic which you specifically allow can get through.

* PATCH: Keep your Windows servers patched.

* FILTER: Doesn't Windows 2003 have a built in packet filter? If so, use it!

* HARDEN the Windows servers. Remove every service which they don't *need* to be running.

* REPLACE any Windows servers that you can, with more secure options.

* BACKUPS: Keep good regular backups so that it will be less hassle for you to restore from them and patch, should they be compromised. The longer between backups, the harder your job will be to fix the problem because you might find the losses of restoring an old backup hurt more than the actual compromise itself. You'll be checking what is newer and working hard to make sure that the newer files are not infected with trojans, worms, viruses, etc.

* DON'T DEPLOY: If you can get away with it, don't give people a solution if the only solution is an insecure one. You may find that you provide a solution which people suddenly "can't live without" but is either uneconomical to keep secure or impossible to keep secure. It is better to not give people a taste of that solution at all. Especially since they worked just fine without it up until now and *you* know that they don't *need* it.

* SOE: Develop standard operating environment's for the desktops, lock them down and enforce IT usage policies. Do the desktops need to share data amongst themselves peer-to-peer? Having worked in edu for years, I would imagine not on the whole, so apply a firewall to the SOE itself which will fit within your network configuration. A smaller department server you will be able to take ownership of and control if they want to share amongst themselves and this takes the tinker factor away from the end users and removes their excuse for admin rights for that task. You can also make it so that any damage or network congestion they cause, can be limited to their department. You do it this way for them because "you can easily backup a central server" and upper management will agree with you on that from a risk point of view. If all your desktops, servers and network are as secure as you can make them and you have polices people must adhere to, then you will have much less problems.

What you will also find is that you will get to a stage where instead of putting out fires all the time, you will be constantly improving your systems and making IT better instead of always trying to make IT work. You will also find that problems start to settle with the real problem staff and you will then be able to manage them and point to the polices.

Re:OpenBSD, of course!

[InvalidError]

Why would the power bill go down?
P1 = 10-20W
P2 = 15-35W
P3 = 25-45W
P4 = 35-165W

Chipset and RAM power also increases across generations so a few more watts need to be added to each upgrade... and another extra in the 10-20% range for the extra VRM and PSU losses. (PWM regulator technology and components have not changed much over the last 10 years)

But yes, having a faster CPU/RAM does make a substantial difference in firewall responsiveness and throughput. When I upgraded my router from 100MHz to 200MHz, loopback throughput roughly tripled - from 660KB/s to 2.3MB/s. (On top of being slower, a slow chip also spends more of its time processing interrupts and background stuff, leaving less time for 'useful' work, double-hit. Seems like the 100MHz chip in this case was wasting something like half of its time on house-keeping stuff.)

2.3MB/s might not seem like much but I am not expecting local ISPs to offer >20Mbps (combined up+down) for another ~10 years... at least not under CAN$50/month.

at the risk of getting flamed into submission...

[gik]

a linux box.

Smoothwall

http://www.smoothwall.org/

Use a *separate* firewall box.

[Richard+Steiner]

That way, platform compatibility is a nonissue.

I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...

Is this a joke?

[AEton]

You keep getting hit by zombie machines?

Liberal Arts zombies? Are you sure they're not dogs?

(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer.)

A cheap linux firewall

[Suicyco]

Just use iptables on a cheap old pentium or something. Two network cards, one inside and one outside. Even a modest Pentium or Pentium II could keep up with good amounts of traffic.

Re:A cheap linux firewall

[hawkbug]

I hear this argument a lot, and you're right - it would work... but here's the thing - If you put a pentium I computer with a 2 gig hd or something up in front of an entire lab for internet access, I would wonder about the reliability. What I mean is, at work here I was doing something similar - but when the non-rendundant power supply in the 1995 based computer died, my entire part of the office lost net access, which is bad.

There is always something to be said about having a real server act as a firewall. For home use, sure, use an old computer running linux - but for anything that you would like to count on a reliable, get a real piece of hardware to put that linux distro on, and you'll be happier.

Re:A cheap linux firewall

[owlstead]

Use a floppy or CD based installation. Leave that hard disk out. When that's on, there are no moving parts at work, except for the fan(s), which should be able to run for a few years. Otherwise, buy a cheap fanless VIA epia board with 2 ethernet connections and boot it up from a flash drive. Works like a charm, and 533 or 600 MHz is actually overkill. Great as a small web server/ssh access. And it's easy to setup with a printer or an external HDD to share stuff on your network.

But it seems that the poster can get way with using a simple router box with multiple LAN ports as well (or 1 LAN and 1 WAN port might even work).

Two Words...

[Jsutton1027w]

IP Cop. ;) http://www.ipcop.org/

Does it cost less than US$100?

[dancedance]

Does it cost less than US$100? You can't be serious. Securing your machines is only worth $100? Is that how much it will cost to fix them once they are cracked? Give me a break. If you are serious about security you can invest more than $100.

Re:Does it cost less than US$100?

[MrResistor]

Did you miss the part about how he works for a school? He has to get the money before it can be invested, and $100 might be the limit above which he has to get the approval of 3 PHBs and 6 beancounters.

Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?

Re:Does it cost less than US$100?

[DNS-and-BIND]

There are these mystical things called "budgets". The "budget" will provide for some things and not others.

This *is* at a university. Universities are well-known for being completely isolated from the rest of society, and as a result, they have some pretty weird ideas. One of which is not spending any money on computer security.

Re:Does it cost less than US$100?

[riptide_dot]

"You can't be serious. Securing your machines is only worth $100?

Keep in mind that the OP works for a university, which probably doesn't have a budget outside of what they already spent on their software firewall. It doesn't mean that security isn't important to him, just that there's probably not an existing budget for it.

The OP is looking for a cheap and innovative way to secure his university network's servers - and I can't think of a better place to ask the question than here.

I say let the FOSS community answer his question and provide him a solution to his unique problem in the way that they know best and leave the "isn't this worth more than $XXX?" questions to the salesman.

Wrong Approach

[markom]

You are approaching the problem from a wrong direction.

There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls, are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.

The proper way to protect server farms in campus is to have secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. Secure network consists of firewalls, segmented network (separate VLAN's, switching blocks, etc.). Excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.

Marko.

Re:at the risk of getting flamed into submission..

[Nos.]

I don't think you'll get flamed too bad. Its what I was going to suggest. I run iptables as I'm sure many others here do. Its simple, there's lots of open source tools to make management of those rules easier, and a basic install of Linux will run on some pretty lightweight machines. Heck, there's always the distros on a CD to make things even more secure, and by putting the rules on a floppy set to read_only makes for relatively simple updates to the rules if/when needed.

IPCop

[ZosX]

It's free.

Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to seperate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwith. Hey, you asked for cheap. Doesn't get much cheaper than that.

You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up convieniently with a web browser.

There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.

I would personally avoid Windows software firewalls like the plague, as they run at escalated priveledges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.

If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.

Happy hacking!

Decent firewall

[NotFamous]

Ceramic wafers with asbestos stuffing...

OT: Captchas

[interweb]

slightly off topic but does anyone else have trouble reading those annoying "confirmation your not a script images"? The one I am looking at right now is nearly impossible to read.

Are you sure you are human?

Re:at the risk of getting flamed into submission..

[Ooblek]

When its liberal arts machines getting infected, I've found the BEST firewall to be a pair of wire cutters. NOTHING gets through after the skilled use of these babies.

Windows Server 2003 SERVICE PACK 1 has a firewall

[DJStealth]

Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.

There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2

Take One Old PC

[sjvn]

Add wwo network cards
Add free Linux 2.4 distribution or higher
Activate netfilter and iptable
See: ttp://www.netfilter.org/
Deploy firewall using instructions in the netfilter how-tos:
See: http://www.netfilter.org/documentation/

Or, if that's too much for you, just get the equipment and add one of the pre-configured firewall Linuxes like SmoothWall (http://www.smoothwall.org/), Devil-Linux (http://www.devil-linux.org/home/index.php) or Coyote Linux (http://www.coyotelinux.com/).

No fuss, no muss.

Steven

Re:at the risk of getting flamed into submission..

[xstonedogx]

I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.

Have you tried plugging it in?

:)

Re:IPCop

[ill_conditioned]

I second IPCop. I use it for a group of about 50 users, and I've got an uptime of almost a year. The things I like about IPCop: - It works. Well. - Free! - Lean. It doesn't have a whole lot of nonsense that you don't need. - Comes with a nice web interface. - Handles aliasing fine. That way you can have more than one IP address per physical interface. - Has a healthy support community. - Runs on a lot of hardware. I've actually got two ipcop boxes, identically configured. That way if one ever dies, I just turn the other one on and in two minutes I'm up and running again. Of course, this would add yet another single point of failure for your servers, but there's only so much you can do with $100...

Also IPCOP

[lord_rob+the+only+on]

I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.

While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).

I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.

Check out IPCOP site

Re:Also IPCOP

[crabpeople]

"I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore."

Actually the same thing happened to me. Well sort of the same (my connection uses DHCP). My problem was that the webpage configuration never came up. I finaly figured out that this was because my 100mb /var/log was full!

Clearing that out made the smoothy run fine again. It has since happened a few more times and everytime i just have to clear out all the logs. That said, while the disk was full, it was still routing traffic as expected for months before i discovered the issue.

The one thing I would like to see would be a better way of tracking all the connections being setup and torn down by the machine, realtime, say logging to a console window. I used to have a dubbele NETBSD firewall ( http://firewall.dubbele.com/ ) that, becasue of the firewall package on there (vastly superior to iptables IMHO) i could run a simple command (ipmon -o N) and it would list everything going on. very cool. I know about IP contrak mod for smoothwall but on a webpage just doesnt have the same cool feel as realtime. Its nice to catch all those EA games you have calling home when you launch them :)

Anyways the one story i love to tell about the netbsd machine was that the hard drive failed on it months before i found out. The machine was running flawlessly until i rebooted it for some reason and got a nice primary HDD fail in the bios. The last timestamp for a file on the HDD was like 8 months previous.

hahahaha

[mnemonic_]

that was me.

Preferentially?

[CAIMLAS]

For Windows? A seamless, 3' thick rebar-reinforced cement vault is preferential. It's easiest to add the machine prior to pouring the cement, I've found.

But with zombies in general, I prefer a more proactive approach: a 12 gauge shotgun loaded with 00 buck does nicely.

Seriously though. Every Windows machine should be behind an entirely seperate firewall, protecting it from everything and everything from it. A Windows machine on a public network that isn't being agressively administered is about as safe as a polish handgun.

By the description of your environment and problem, it sounds like you basically want to quarantine the humanities from the rest of campus so they don't wreak their plague of stupidity upon everyone else (this is good policy in general, I've found - humanities aren't fond of reasoned, concrete thought).

Probably the best way to do that would be to set up an IDS gateway between their networks and the rest of campus. Something from CISCO would probably be best, but I'm fairly certain you could do it with linux/BSD or another COTS solution for decreased price. Have the IDS set up to basically drop all trafic from zombied machines. When they complain to you that "their" network isn't working and that it's your fault, give them the ISP treatment: fix your machine and we'll let you back on.

Really, allowing humanities types to manage their own hardware is just a receipe for disaster. Would you let your accountant work on your car? It's not adviseable, and would likely cost you more than not having repair done at all and waiting for further problems.

Re:at the risk of getting flamed into submission..

[TCM]

Joking aside, I remember reading that pf's performance actually increases with stateful filtering vs. stateless filtering because looking up an entry in a state table is much faster than walking the ruleset for each packet. I also read that there is virtually no performance loss even with thousands of states.

Does anyone else remember the warez newbies crying that their off-the-shelf blackbox router crashes if their P2P app opens too many connections? Now you may laugh.

Re:at the risk of getting flamed into submission..

[nocomment]

I have an OpenBSD router here at work that I built, and I will vouch for it's performance. We have been hit by Drudge and /. a few times, and even though none of the websites or mail servers would work I was able to poke around in the firewall with no noticable lag. We had over 10,000 ACTIVE states in the table, and the performance of the server was pretty stable with no noticalbe lag on the console (couldn't ssh as the T1's were all maxed).

System specs are pretty normal, 1Ghz Athlon with 512MB RAM.

Windows Firewall and IPsec

[Kaedrin]

I can't speak for the linux side of things, but here's my comments for Windows.

Note that while this is easier to manage with Group Policy via Active Directory, you can use the local group policy settings and migrate them across your lab. My thoughts on this are valid for XP and 2003.

The internal firewall is your first defense, blocking all non permitted inbound random/unimportant information from reaching your machines. Tell the firewall the applications you will be using, and it will dynamically open required ports as the program needs them. This way you don't need to deal with local port management. You want this setup to prevent traffic from reaching IPsec, and for any logging purposes you may have. IPsec's current version doesn't really do packet logging, and is in no way a firewall (Although, I used it for years as a firewall with Windows 2000 and never had any ill-received problems, but they were not on critical systems either).

Use IPsec in pure authentication mode without encryption (unless you have encryption offload cards). You can use it in several ways.

All communication requires authentication:
No computer can talk to yours that is not setup properly. Period.

All inbound communication requires authentication:
All inbound traffic must authenticate or be dropped.

If you lock inbound, but not outbound, your clients can still access web resources and any other computer without issue, but you have completely prevented anyone else from initiating communication with your systems.

IPsec works like this: Generic rules (require authentication from everyone) are over-ridden by a more explicit rule (do not require authentication from whatever.system.local). Generic all IP rules are over-ridden by port rules, port rules are over-ridden by explicit IP address rules or subnet rules. Etc.

For your purpose, I would at least require all inbound traffic to require authentication by String, however this is not secure and anyone with administrator access can rip the password out of the registry. To do it securely, you need to do it by certificate or Kerberos. The kerberos implementation will require active directory, the certificate method will require a full IKE/PKI configured for your area. You do not need to buy a certificate from a place like verisign, you can do it all yourself through your own self-signed certificates. This entire process with IPsec can be automated through Active Directory, but if you don't have active directory, I believe any generic IKE/PKI server can generate valid certificates for your use. It's a lot less work on your part doing it through active directory.

IPsec policies will work between Windows 2000, XP, and 2003, however your key strength is limited based on the oldest OS you use. 2000 will only function with low keys, XP with both low and medium, and 2003 with strong keys and the two weaker keys. Also, you can set it up from strongest key generation to weakest, so 2003 will always talk to 2003 in strong, 2003 to XP in medium, 2003 to 2000 in weak. It may be possible to make IPsec work side-by-side with Linux using Freeswan, or whatever project replaced it, however I never used that program.

One last thing, if your systems are used by untrusted users, considers how possible it is to use the software restrictions built into Windows. Once that is activated and configured well, it becomes very difficult for a local user to run non-authorized software without sitting at the machine and taking it over first. Refer to rules regarding Software Restriction Policies for this.

K.

Coyote Linux, of course!

[tverbeek]

any default install, especially linux, will have all kinds of other things installed.

One exception to this is Coyote Linux. Not only does it not have the usual services enabled by default, nearly all of them have been stripped out. It includes just the components (such as iptables) that serve the central function of safely connecting a LAN to the Internet. And because it's so minimal, it fits on a floppy and runs on a 386 with 12MB RAM. It's no substitute for a full-featured Cisco Pix (for that you'd have to look at Coyote's big brother Wolverine), but it's worked great for me for years, both at home and in a couple offices I've worked at.

Pedantry

[colinrichardday]

Trivium: logic, rhetoric, and grammar

Quadrivium: arithmetic, astronomy, geometry, and music.

So math has two of the liberal arts.

To secure your windows server

[cybergremlin]

Take a pair of bolt cutters to the network cable.
---
Or the Aliens option: "Bug out, nuke the site from orbit. Only way to be sure"

Re:If you're going to ip-less bridge...

[Sique]

It is unattackable with packets addressed to it (because it has no address). It is still attackable by malformed packets traversing it. To work as filter it has to scan the packets, and if this packet scan can malfunction on special packets, there is a possible attack to the packet filter.