What is the Best Firewall for Servers?

Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"

OpenBSD, of course!

Ummm, OpenBSD of course! www.openbsd.org

Re:OpenBSD, of course!

[urlgrey]

Kidding aside, OpenBSD is my choice, but any used PIII 'nix machine, be it:

OpenBSD with PF,

FreeBSD with either PF IPFW,

pretty much any Unix variant OS with IPFilter,

Linux with IPTables

will do the job swimmingly.

Re:OpenBSD, of course!

[Shanep]

I also have to agree.

* DMZ: Put your servers into appropriately configured DMZ's using a seperate OpenBSD host as the firewall. Lock it down so that only traffic which you specifically allow can get through.

* PATCH: Keep your Windows servers patched.

* FILTER: Doesn't Windows 2003 have a built in packet filter? If so, use it!

* HARDEN the Windows servers. Remove every service which they don't *need* to be running.

* REPLACE any Windows servers that you can, with more secure options.

* BACKUPS: Keep good regular backups so that it will be less hassle for you to restore from them and patch, should they be compromised. The longer between backups, the harder your job will be to fix the problem because you might find the losses of restoring an old backup hurt more than the actual compromise itself. You'll be checking what is newer and working hard to make sure that the newer files are not infected with trojans, worms, viruses, etc.

* DON'T DEPLOY: If you can get away with it, don't give people a solution if the only solution is an insecure one. You may find that you provide a solution which people suddenly "can't live without" but is either uneconomical to keep secure or impossible to keep secure. It is better to not give people a taste of that solution at all. Especially since they worked just fine without it up until now and *you* know that they don't *need* it.

* SOE: Develop standard operating environment's for the desktops, lock them down and enforce IT usage policies. Do the desktops need to share data amongst themselves peer-to-peer? Having worked in edu for years, I would imagine not on the whole, so apply a firewall to the SOE itself which will fit within your network configuration. A smaller department server you will be able to take ownership of and control if they want to share amongst themselves and this takes the tinker factor away from the end users and removes their excuse for admin rights for that task. You can also make it so that any damage or network congestion they cause, can be limited to their department. You do it this way for them because "you can easily backup a central server" and upper management will agree with you on that from a risk point of view. If all your desktops, servers and network are as secure as you can make them and you have polices people must adhere to, then you will have much less problems.

What you will also find is that you will get to a stage where instead of putting out fires all the time, you will be constantly improving your systems and making IT better instead of always trying to make IT work. You will also find that problems start to settle with the real problem staff and you will then be able to manage them and point to the polices.

Is this a joke?

[AEton]

You keep getting hit by zombie machines?

Liberal Arts zombies? Are you sure they're not dogs?

(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer.)

Wrong Approach

[markom]

You are approaching the problem from a wrong direction.

There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls, are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.

The proper way to protect server farms in campus is to have secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. Secure network consists of firewalls, segmented network (separate VLAN's, switching blocks, etc.). Excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.

Marko.

IPCop

[ZosX]

It's free.

Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to seperate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwith. Hey, you asked for cheap. Doesn't get much cheaper than that.

You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up convieniently with a web browser.

There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.

I would personally avoid Windows software firewalls like the plague, as they run at escalated priveledges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.

If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.

Happy hacking!

OT: Captchas

[interweb]

slightly off topic but does anyone else have trouble reading those annoying "confirmation your not a script images"? The one I am looking at right now is nearly impossible to read.

Are you sure you are human?

Re:at the risk of getting flamed into submission..

[Ooblek]

When its liberal arts machines getting infected, I've found the BEST firewall to be a pair of wire cutters. NOTHING gets through after the skilled use of these babies.

Windows Server 2003 SERVICE PACK 1 has a firewall

[DJStealth]

Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.

There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2

Re:Does it cost less than US$100?

[MrResistor]

Did you miss the part about how he works for a school? He has to get the money before it can be invested, and $100 might be the limit above which he has to get the approval of 3 PHBs and 6 beancounters.

Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?

Re:A cheap linux firewall

[hawkbug]

I hear this argument a lot, and you're right - it would work... but here's the thing - If you put a pentium I computer with a 2 gig hd or something up in front of an entire lab for internet access, I would wonder about the reliability. What I mean is, at work here I was doing something similar - but when the non-rendundant power supply in the 1995 based computer died, my entire part of the office lost net access, which is bad.

There is always something to be said about having a real server act as a firewall. For home use, sure, use an old computer running linux - but for anything that you would like to count on a reliable, get a real piece of hardware to put that linux distro on, and you'll be happier.

Re:at the risk of getting flamed into submission..

[xstonedogx]

I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.

Have you tried plugging it in?

:)

Also IPCOP

[lord_rob+the+only+on]

I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.

While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).

I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.

Check out IPCOP site

Re:A cheap linux firewall

[owlstead]

Use a floppy or CD based installation. Leave that hard disk out. When that's on, there are no moving parts at work, except for the fan(s), which should be able to run for a few years. Otherwise, buy a cheap fanless VIA epia board with 2 ethernet connections and boot it up from a flash drive. Works like a charm, and 533 or 600 MHz is actually overkill. Great as a small web server/ssh access. And it's easy to setup with a printer or an external HDD to share stuff on your network.

But it seems that the poster can get way with using a simple router box with multiple LAN ports as well (or 1 LAN and 1 WAN port might even work).

Windows Firewall and IPsec

[Kaedrin]

I can't speak for the linux side of things, but here's my comments for Windows.

Note that while this is easier to manage with Group Policy via Active Directory, you can use the local group policy settings and migrate them across your lab. My thoughts on this are valid for XP and 2003.

The internal firewall is your first defense, blocking all non permitted inbound random/unimportant information from reaching your machines. Tell the firewall the applications you will be using, and it will dynamically open required ports as the program needs them. This way you don't need to deal with local port management. You want this setup to prevent traffic from reaching IPsec, and for any logging purposes you may have. IPsec's current version doesn't really do packet logging, and is in no way a firewall (Although, I used it for years as a firewall with Windows 2000 and never had any ill-received problems, but they were not on critical systems either).

Use IPsec in pure authentication mode without encryption (unless you have encryption offload cards). You can use it in several ways.

All communication requires authentication:
No computer can talk to yours that is not setup properly. Period.

All inbound communication requires authentication:
All inbound traffic must authenticate or be dropped.

If you lock inbound, but not outbound, your clients can still access web resources and any other computer without issue, but you have completely prevented anyone else from initiating communication with your systems.

IPsec works like this: Generic rules (require authentication from everyone) are over-ridden by a more explicit rule (do not require authentication from whatever.system.local). Generic all IP rules are over-ridden by port rules, port rules are over-ridden by explicit IP address rules or subnet rules. Etc.

For your purpose, I would at least require all inbound traffic to require authentication by String, however this is not secure and anyone with administrator access can rip the password out of the registry. To do it securely, you need to do it by certificate or Kerberos. The kerberos implementation will require active directory, the certificate method will require a full IKE/PKI configured for your area. You do not need to buy a certificate from a place like verisign, you can do it all yourself through your own self-signed certificates. This entire process with IPsec can be automated through Active Directory, but if you don't have active directory, I believe any generic IKE/PKI server can generate valid certificates for your use. It's a lot less work on your part doing it through active directory.

IPsec policies will work between Windows 2000, XP, and 2003, however your key strength is limited based on the oldest OS you use. 2000 will only function with low keys, XP with both low and medium, and 2003 with strong keys and the two weaker keys. Also, you can set it up from strongest key generation to weakest, so 2003 will always talk to 2003 in strong, 2003 to XP in medium, 2003 to 2000 in weak. It may be possible to make IPsec work side-by-side with Linux using Freeswan, or whatever project replaced it, however I never used that program.

One last thing, if your systems are used by untrusted users, considers how possible it is to use the software restrictions built into Windows. Once that is activated and configured well, it becomes very difficult for a local user to run non-authorized software without sitting at the machine and taking it over first. Refer to rules regarding Software Restriction Policies for this.

K.