Discussion in 'OT Technology' started by Harry Caray, Aug 6, 2007.
Any suggestions? Google will bring up a Google's worth.
Anybody have a personal fav?
No such thing. Buy a hardware firewall and save your CPU power for whatever you're planning to use the server for. Furthermore, consider that no software is hack-proof, and software firewalls require that incoming packets be accepted BEFORE they can be discarded. One good buffer-overrun exploit and boom, your firewall crashes. On a hardware box, that just makes the firewall reset, which blocks all incoming data until the reset is complete; on a software firewall, that data is sitting in main RAM, waiting for something (possibly even the firewall itself) to try to run it. That's not an issue so much on desktop PCs where the connection is shielded by NAT and the computer doesn't have a public domain name, but on a web server that's open to the public, it can be a significant vulnerability.
That said, I use Sygate Personal Firewall (free) to monitor connections and test port-blocking rules before I send them to our IT department to be programmed into the hardware firewall.
EDIT: (waits to get corkscrewed in the ass by Jolly)
We use Sygate here at Cigna and it's ... it took forever for us to make it run well with Nortel VPN for the WAH/laptop users.
With that being said, there's no hardware that's gonna be thrown at this machine firewall-wise. This is strictly a test machine, and CPU-wise it's a quad-core box, so it's got the balls to run.
Sygate Security Agent is not near the top of my list, but I was thinking about BlackICE. It was good, but no updates in a while.
Just starting to look; Kerio seems to get top picks, along with Outpost...
Gonna try both, I guess...
I used Kerio a long time ago... It was good. Customers used to lock themselves out of their boxes, however.
If I had to do a software-based firewall, I would only do it on a Linux box that runs JUST the firewall; you don't want to get into running the firewall on the same machine as a web server.
We have for years done software firewalls (iptables on Linux) and various solutions on Windows, all with great success.
Though obviously this is less than ideal, since a firewall should be a dedicated box.
I agree that if you have multiple boxes and you control the network, then a dedi firewall is ideal. I run a PIX at the office and it rocks.
However, the average dedi user that has one box or leases a couple at a typical DC doesn't have, or need to pay for, that luxury... A software firewall is fine.
Heck, get one of those PCI-based firewalls, even.
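To make the "Linux box that runs JUST the firewall" idea from the posts above concrete, here is an added example (not code from anyone in this thread) of a minimal stateful iptables ruleset for a dedicated firewall sitting in front of one web server. The interface names, addresses, and management subnet are assumptions; the firewall itself accepts nothing new from the public side (only SSH from the inside), and 80/443 are DNAT'd through to the web server behind it. The script prints the ruleset for review by default and only applies it with `--apply`, so a typo can be caught before it locks you out the way the Kerio users did.

```shell
#!/bin/sh
# Added example: minimal stateful ruleset for a dedicated Linux firewall box
# in front of a single web server. All names/addresses below are assumptions.
set -eu

WAN_IF="eth0"                 # assumed: public-facing interface
LAN_IF="eth1"                 # assumed: interface toward the web server
FW_WAN_IP="203.0.113.10"      # assumed: firewall's public address (TEST-NET-3 range)
WEB_IP="192.168.10.20"        # assumed: web server behind the firewall
MGMT_NET="192.168.10.0/24"    # assumed: only this network may SSH to the firewall

# Emit the rules as text instead of running them, so they can be reviewed
# (or diffed against what is currently loaded) before anything is applied.
rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
# Default-deny: anything not explicitly allowed below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus replies to connections the state table already knows about.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets in an invalid state early (bad flags, no matching connection).
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Management: SSH to the firewall only from the inside network, never from the WAN.
iptables -A INPUT -i ${LAN_IF} -s ${MGMT_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Publish the web server: DNAT 80/443 arriving at the public IP, then permit that forward.
iptables -t nat -A PREROUTING -i ${WAN_IF} -d ${FW_WAN_IP} -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${WEB_IP}
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_IP} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Let the web server initiate outbound (updates, DNS) and hide it behind the firewall's address.
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${WEB_IP} -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN_IF} -s ${WEB_IP} -j SNAT --to-source ${FW_WAN_IP}
# Rate-limited logging of what falls through to the DROP policy, for diagnosing lock-outs.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
EOF
}

# Number of iptables commands the ruleset would run (comment lines excluded).
rule_count() {
    rules | grep -c '^iptables '
}

# Usage: sh fw.sh          -> print the ruleset for review
#        sh fw.sh --apply  -> enable forwarding and execute it (as root)
if [ "${1:-}" = "--apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    rules | grep -v '^#' | sh -e
else
    rules
fi
```

Run it without arguments first and read the output; the only NEW connections the box itself accepts are SSH from the assumed management subnet, which is what keeps the firewall host from also being a target the way a web server running its own firewall is.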
Suggestions on any of the above? Personal experience?
Doesn't Windows Server have a built-in firewall?
The Standard+ versions do. The Web edition has removed the GUI to manage it. However, the underlying network stack is the same and does retain this functionality. There are ways to manipulate the ACL; however, it's not the most intuitive system.