Firewall

pstylesss

Platinum Member
Mar 21, 2007
2,914
0
0
I want to be able to control the settings through a central control panel. Anything like that out there?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Cisco, Watchguard, or Sonicwall firewalls will all have the features you need. Best to talk to a rep from the companies and see if you can demo units to try out.
 

pstylesss

Platinum Member
Mar 21, 2007
2,914
0
0
I have a sonicwall hardware firewall setup, but I want a software firewall to load on the servers and control separately as a second layer of security.

Anything like that out there?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Tons, but you give absolutely no detail so there's no way to pick anything. What environments are you running?
 

pstylesss

Platinum Member
Mar 21, 2007
2,914
0
0
Originally posted by: Crusty
Tons, but you give absolutely no detail so there's no way to pick anything. What environments are you running?

Sorry, dumb mistake.

I'll be running the firewalls on Windows Server 2000, 2003, 2008, and some Windows XP machines. What other kind of information would you need?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Any reason to not use Windows Firewall? You can push rules to the servers using GPO.
 

pstylesss

Platinum Member
Mar 21, 2007
2,914
0
0
Because we are on a few different domains and GPO doesn't transfer down. I'm fine with using Windows Firewall on one network, but it would just make it easier, I think, to run them all on the same firewall and manage them at the same place.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: ZeroIQ
Because we are on a few different domains and GPO doesn't transfer down. I'm fine with using Windows Firewall on one network, but it would just make it easier, I think, to run them all on the same firewall and manage them at the same place.

What antivirus product are you using? I'd just pick the firewall offering that vendor has so you can centrally manage through an existing interface. If you're already running multiple domains and such, I'm sure you have enough trouble with management interfaces.

By the way, software firewalls on servers are generally not the best way to go, as they suck up system resources. You should concentrate on your existing hardware firewall and limit access to the minimum necessary there, as well as limit the number of people allowed to manage it.
 

pstylesss

Platinum Member
Mar 21, 2007
2,914
0
0
Originally posted by: Zugzwang152
Originally posted by: ZeroIQ
Because we are on a few different domains and GPO doesn't transfer down. I'm fine with using Windows Firewall on one network, but it would just make it easier, I think, to run them all on the same firewall and manage them at the same place.

What antivirus product are you using? I'd just pick the firewall offering that vendor has so you can centrally manage through an existing interface. If you're already running multiple domains and such, I'm sure you have enough trouble with management interfaces.

By the way, software firewalls on servers are generally not the best way to go, as they suck up system resources. You should concentrate on your existing hardware firewall and limit access to the minimum necessary there, as well as limit the number of people allowed to manage it.

We're using AVG. The servers that were affected did not have AVG installed on them, so it's not AVG's fault. Does AVG Enterprise have a firewall built in? I'll have to look.

The hardware firewall does nothing if something was able to get into the network as it'll just pass between the PCs inside the network.

See this post as to why I am looking at this option.

I am open to other ideas to secure the network though.
 

blackangst1

Lifer
Feb 23, 2005
22,914
2,359
126
We use PIX and checkpoint on our corp network running same machines. I think you will want a hardware solution.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
There should be a hardware firewall between all the servers and client PCs IMO, that's where you block everything but the services needed from those servers. This is especially true if those servers are accessible from the outside too for whatever reason.

With most hardware firewalls you can create a 3-legged network with trusted (clients), DMZ (servers), and public (internet) segments. You firewall the DMZ from the outside, the clients from the outside, and then the clients from the DMZ.

Sure, it's still possible for someone to copy an infected file to a server and now it's on that network, but that's what a comprehensive security policy should be preventing. It sounds like you might be on the right track.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
You may also want to run the Security Configuration Wizard on WS2003 and later, to reduce potential attack surface. In the environment that I was working with, this did require a little troubleshooting before it worked correctly (it mistakenly shut down file & print sharing ports), so be prudent about how you do it.
 

redbeard1

Diamond Member
Dec 12, 2001
3,006
0
0
Mechbgon
so be prudent about how you do it.

I just had a customer accidentally turn on the Windows firewall on a 2003 server and it blocked everyone internally from connecting to it. It took me a while to sort that out, as no one would admit they changed anything.

Have you looked at the firewall settings for your 2008 server? It gives you an idea, and a headache, as to all of the possible permutations of ports that can be blocked.
 