Why external firewall

runboy

Member
Dec 6, 2000
96
0
0
This may be a dumb question.

I am setting up a win 2k server as a standalone webserver. I have been looking at different firewall options. Everybody tells me to go with an external firewall, but can't give me a good reason.
I can't see why an external firewall would be a better option than an internal for my specific needs.

With an external firewall I would have to open ports 80, 20, 21 & 53 for my needs. These port addresses I have already configured to be the only ones allowed via TCP/IP filtering inside win 2k server, so what does the firewall help me do except block ports which are already closed.
I guess packet filtering is only useful if you have somebody behind the firewall surfing the net.
I would think that an internal firewall would be a better option since it can restrict which programs should answer the different requests.

Please explain to me why the external solution is a better option.

Regards John Raahauge
 

CTR

Senior member
Jun 12, 2000
654
0
0
For a standalone setup like you described, filtering at the server is fine provided you have the system resources to spare.
 

runboy

Member
Dec 6, 2000
96
0
0
It's a dual PIII 800 with 2 SCSIs and 1GB RAM, and it is just going to host a couple of sites (400.000 hits/day), so I would think so.
I am using Tiny firewall which doesn't put that much load on the server. (Wanted to use Zonealarm Pro, but it doesn't work on my win 2k server)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
For a single server situation you have adequate resources. The firewall will however offer you (depending on vendor/model) the following advantages.

Detecting denial of service attacks and stopping them
Yet another barrier between you and script kiddies looking for OS vulnerabilities
Recognizing "hackerlike" behavior and preventing it
Detailed logs on any/all access
SCALABLE SOLUTION (you love it don't you CTR). An infrastructure will be built for you to easily expand any options you desire.

The choice is yours. If you have the need for these features, then use an external firewall. If you can honestly say you have no interest or need for these then don't.

spidey.
 

runboy

Member
Dec 6, 2000
96
0
0
A DoS attack, if well done, can't be stopped. They will always prevent others from looking at your site. (One of the reasons most "hacker competitions" don't allow them.) Of course an external firewall would recognise it and stop responding, but so would an internal one like e.g. ZoneAlarm. But this would also prevent others from seeing your site.

Can an external firewall be set to only allow certain programs on your server to respond ?
 

willhart

Junior Member
Jan 17, 2001
12
0
0
One of the main reasons people suggest an external firewall is because when people do that the firewall also provides NAT (probably already know this, but turn an internal IP address into a real one). So if someone tries to contact your real IP address they're contacting your firewall and not your server directly. You could tell that firewall to only forward that server port 80 and nothing else. So if someone tries to send you anything or hacks into what he thinks is your website, he is hacking into the firewall and hopefully can't figure out how to get to your webserver, which is the most important thing that you want to protect. Also I wouldn't go with a firewall program like ZoneAlarm on a server like that. You need a firewall that is rule based, not a personal firewall that has hardly any configuration.
I think one of the best firewalls out there if you're going to be running such a huge site would be CheckPoint FireWall-1, which is one of the best firewalls and fairly expensive. http://www.checkpoint.com.
 

runboy

Member
Dec 6, 2000
96
0
0
<< You could tell that firewall to only forward that server port 80 and nothing else >>

Well right now the only open ports are the ones that I would have to open on the firewall, so what is the difference?

<< You need a firewall that is rule based, not a personal firewall that has hardly any configuration. >>

You can configure quite a bit in ZoneAlarm Pro and Tiny Firewall. The only drawback I can see is if you want to configure a range of ports instead of 1 or any. But I don't have the need for that in my setup. The DNS is not going to do recursion.
 

runboy

Member
Dec 6, 2000
96
0
0
But if anybody knows of a cheap (<$300) external firewall solution that would be able to handle the traffic of a webserver I would like to hear about it.
 

flashbone

Junior Member
Nov 24, 2000
13
0
0
Overall, if you would like to have the added benefit of being able to add more machines to your network, an external firewall would definitely be the better choice. If you do add more machines, firewalling multiple boxes has a greater potential for administrative headaches than a single external firewall. If you are using the one machine, and never foresee yourself adding any more to your network, you should be fine.

I personally had an old machine lying around and put OpenBSD on it for my firewall. It provides built-in support for NAT, ipfilter (rule-based packet filter) for your firewall, and VPN support is even included should you need it. Other freely available OSes also have support for NAT and filtering, like Linux and FreeBSD.
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
build a linux box, got any old PPros? provided you don't run a gui on the linux box, anything above a 486 should handle your traffic.

linux can be configured to detect portscans (portsentry), packet logging for forensics (tcpdump), and probably suspicious activity detection (snort, I believe). plus it's open source software. knowledge to the masses.
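Added example (my own code, not from any poster in this thread): a toy Python model of the external, rule-based firewall that spidey07, willhart and fivepesos describe, sitting in front of a web server. It shows the three things the thread says a separate box adds over the Win2k TCP/IP port allowlist: NAT forwarding, so only the public address is reachable and only port 80 is passed inward; a rate-based detector for port scans and floods, of the kind portsentry or an appliance provides; and a per-packet log for forensics. All addresses, the forwarding table, the thresholds and the sample traffic are constructed for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address as seen on the outside
    sport: int
    dst: str      # destination address as seen on the outside
    dport: int
    ts: float     # arrival time in seconds


class ExternalFirewall:
    """Toy stateful filter: NAT forwarding, scan/flood detection, logging."""

    def __init__(self, public_ip, forwards, scan_ports=5, scan_window=2.0,
                 rate_limit=20, rate_window=1.0):
        self.public_ip = public_ip
        self.forwards = forwards          # {public_port: (internal_ip, internal_port)}
        self.scan_ports = scan_ports      # distinct ports per source per window => scan
        self.scan_window = scan_window
        self.rate_limit = rate_limit      # packets per source per window before dropping
        self.rate_window = rate_window
        self.history = defaultdict(deque)  # src -> deque of (ts, dport)
        self.blocked = set()
        self.log = []                     # (verdict, src, sport, dst, dport, reason)

    def _record(self, pkt):
        hist = self.history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        oldest = pkt.ts - max(self.scan_window, self.rate_window)
        while hist and hist[0][0] < oldest:   # forget entries outside both windows
            hist.popleft()
        return hist

    def _distinct_ports(self, hist, now):
        return len({p for t, p in hist if t >= now - self.scan_window})

    def _rate(self, hist, now):
        return sum(1 for t, _ in hist if t >= now - self.rate_window)

    def _log(self, verdict, pkt, reason):
        self.log.append((verdict, pkt.src, pkt.sport, pkt.dst, pkt.dport, reason))

    def handle(self, pkt):
        """Return the packet as forwarded to the inside, or None if dropped."""
        if pkt.dst != self.public_ip:
            # The server's internal address is never routable from outside.
            self._log("DROP", pkt, "not the public address")
            return None
        if pkt.src in self.blocked:
            self._log("DROP", pkt, "source blocked")
            return None
        hist = self._record(pkt)
        if self._distinct_ports(hist, pkt.ts) >= self.scan_ports:
            self.blocked.add(pkt.src)      # a host that walks many ports gets cut off
            self._log("BLOCK", pkt, "port scan")
            return None
        if self._rate(hist, pkt.ts) > self.rate_limit:
            # Shed the flood here instead of on the server; as runboy notes, this
            # keeps the box up but does not make the site reachable under the flood.
            self._log("DROP", pkt, "rate limit")
            return None
        target = self.forwards.get(pkt.dport)
        if target is None:
            self._log("DROP", pkt, "no forward rule")
            return None
        self._log("FORWARD", pkt, "%s:%d" % target)
        return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.ts)


def run_demo():
    """Constructed traffic: one visitor, one port scanner, one flooder, one probe at the internal IP."""
    fw = ExternalFirewall("203.0.113.10", {80: ("192.168.1.10", 80)})
    pkts = [Packet("198.51.100.5", 40001, "203.0.113.10", 80, 0.0)]
    pkts += [Packet("198.51.100.77", 5000 + i, "203.0.113.10", p, 0.1 * i)
             for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    pkts += [Packet("198.51.100.9", 6000 + i, "203.0.113.10", 80, 1.0 + 0.01 * i)
             for i in range(30)]
    pkts.append(Packet("198.51.100.5", 40002, "192.168.1.10", 80, 2.5))
    forwarded = [fw.handle(p) for p in pkts]
    return fw, [f for f in forwarded if f is not None]


if __name__ == "__main__":
    fw, forwarded = run_demo()
    print("forwarded:", len(forwarded), "blocked sources:", sorted(fw.blocked))
    for entry in fw.log:
        print(entry)
```

The scanner is cut off on its fifth distinct port even though that port (80) has a forward rule, the flooder gets its first twenty packets through and the rest dropped, and the packet aimed at the internal address never reaches the server; the host's own TCP/IP filtering would have seen all of that traffic and logged none of it.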
 

runboy

Member
Dec 6, 2000
96
0
0
Hi

Just a little update on the Tiny Firewall:

I had to drop it because it was causing a lot of errors. It didn't use much memory, but it didn't seem like the program was geared towards my kind of hits. At times I would get thousands of the following error:

Event Type: Error
Event Source: fwdrv
Event Category: None
Event ID: 4000
Date: 1/29/2001
Time: 3:46:47 PM
User: N/A
Computer: Serv2
Description:
The description for Event ID ( 4000 ) in Source ( fwdrv ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: \Device\FWDRV, TdiHndlrAssociateAddress: Too many associated endp.
Data:
0000: 00 00 00 00 02 00 4c 00 ......L.
0008: 00 00 00 00 a0 0f 00 c0 .... ..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

 

blstriker

Golden Member
Oct 22, 1999
1,432
0
0
Basically two firewalls make things safer since the hacker won't know the internal IP address of your server. Steve Gibson of grc.com fame recommends a hardware router and a software firewall on each computer.
 