Re: LINUX Firewall

From: Chad A Gross [SBS-MVP] (chad.gross_at_laytonflower.nospam.com)
Date: 03/24/04


Date: Wed, 24 Mar 2004 00:37:53 -0600

Hi Tom -

In addition to Susan's comments, there is merit in not having your SBS
connected directly to the internet. However, removing ISA and putting a
linux firewall server in really doesn't offer any additional security.
First, as SuperGumby noted, you'd need to invest in order to replace ISA
with a comparable linux product. Second, if the linux firewall is
compromised, hopping over to your SBS from the linux box is a simple task.
If you don't want your SBS connected directly to the internet, I'd recommend
putting a cheapo router between your 2nd nic & internet connection, and
leave ISA running. This gives you two layers of defense, versus just moving
one layer from point A to point B on your LAN.

Having said that, if you truly want to improve your security - focus on your
desktops and training your users on best security practices . . .

-- 
Chad A. Gross  [SBS-MVP]
SBS ROCKS!!!
"Tomster" <tellis@rusingandlopez.com> wrote in message
news:u6%23zrORDEHA.3568@tk2msftngp13.phx.gbl...
> Thanks Susan for your reply. I was not implying that LINUX was a better,
> more secure OS.  My concern is that the SBS server is connected directly to
> the Internet on the second NIC. I thought that having the server behind a
> firewall would be a more secure setup. Also, removing ISA would free up some
> resources on the server since it would not be the gateway for Internet
> access.
>
> My SBS server is fully patched as well as all workstations. I make it a
> priority to keep both fully patched with the latest security updates from
> Microsoft. The only ports open are those required for the server to
> function correctly for e-mail. It is my belief that one does not use a
> production server to host a web site, thus ports 80 and 443 are closed. I use
> grc.com regularly to check for open ports.
>
> Your response regarding the high level of security of ISA has me re-thinking
> the LINUX firewall setup. Right now everything is working great so it is
> probably best to adhere to the adage "if it ain't broke, don't fix it."
>
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
> wrote in message news:OTTTY3LDEHA.3408@tk2msftngp13.phx.gbl...
> > Not to turn this into OS wars as I am apt to do but all of us need to
> > get over this idea that because ISA is on my domain controller I'm less
> > secure.
> >
> > Here at home I have a SBS2k3 with a basic firewall... nothin' else.  But
> > because I use this for play I keep it pretty tight and there is no port
> > open on this sucker.  Firewall is totally closed up.  Yet my sister
> > [yeah the customized Disney desktop sister] got her IE hijacked some
> > months back because ...
> > a.  Her IE settings are loosey goosey [as are most of us]
> > b.  She's running in local admin
> >
> > The fact that I can patch my ISA server in my office with the latest
> > patches whereas I hope you are planning to patch that Linux box because
> > my friend... on a near daily basis I am getting kernel vuln
> > announcements in my mailbox.
> >
> > The idea that
> >
> > a.  Any firewall is better than any other firewall merely because of the
> > operating system it is running is a crock
> > b.  All firewalls basically have bits of software under there that
> > have to be monitored.
> >
> > My friend, you and I have more vulnerabilities on our desktops than we
> > do our servers.
> >
> > As Jeff said today, it's not the number of ports you have open, but
> > instead is the number of the port you have open that causes your
> > security issues
> >
> > In other words, it's the port and how often that port is "bot" attacked
> > that makes you insecure.
> >
> > Firewalls are speedbumps.  They are not moats.
> >
> > Patching
> > Antivirus
> > Firewall
> >
> > And whatever you do, ensure that at the end you visit the Shields up
> > site on grc.com and see what ports you TRULY  have open from the outside
> > and that you've set the firewall up properly after all.
> >
> > My server sits most of the day filing its fingernails bored to tears.
> >
> >
> >
> > The OpenSSL Project announced today that there is a null pointer
> > assignment flaw in all versions of OpenSSL from 0.9.6c to 0.9.6l
> > inclusive and from 0.9.7a to 0.9.7c inclusive. A specifically crafted
> > SSL/TLS handshake could cause OpenSSL to crash. This could lead to a DoS
> > against whatever application uses OpenSSL.
> >
> > Because many devices/servers/systems use OpenSSL, this is a potential
> > issue for many sites. Because of the nature of the vulnerability, there
> > is not a means of using this for an exploit beyond a DoS, but it is
> > important to be aware of this issue and patch affected installations as
> > quickly as possible.
> >
> > The OpenSSL Project announcement:
> >
> > http://www.openssl.org/news/secadv_20040317.txt
> >
> > Various vendor announcements (updated as they are available):
> > http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml
> > https://rhn.redhat.com/errata/RHSA-2004-121.html
> > http://www.openbsd.net/errata.html#openssl
> >
> >
> > Tomster wrote:
> > > I am planning on setting up a LINUX box to act as a firewall for my SBS 2000
> > > network (fully patched).  ISA seems to be working fine but with all the
> > > security issues with Windows I would rather have the SBS server behind some
> > > sort of firewall and not directly connected to the Internet. Plus, having
> > > the workstations go through the LINUX box for Internet access will free up
> > > resources on the SBS server.
> > >
> > > Has anyone configured SBS behind a LINUX or external firewall, un-installed
> > > ISA and used one NIC?
> > >
> > > Currently, the SBS server has two NICs. Could I just disable the "external"
> > > NIC on the server, remove ISA and configure the workstations to go through the
> > > LINUX firewall (gateway) for Internet access? I can forward the ports needed
> > > for smtp and pop e-mail on the LINUX box to the server's internal IP address
> > > and for some remote access clients.
> > >
> > > Thanks in advance for any information and help.
> > >
> > >
> >
> > -- 
> > http://www.sbslinks.com/really.htm
> >
>
>
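Susan's closing advice (check from the outside which ports are truly open and whether the firewall is actually set up the way you think) and Tomster's claim that only the e-mail ports are exposed come down to the same check: probe your own perimeter from outside and compare what answers against what is supposed to. The script below is an added example, not code from this thread or from any product named in it. It probes a list of TCP ports, then reports what is open, what is open but should not be, and what should be reachable but is not. The required-port set {25, 110} is an assumption taken from Tomster's mention of SMTP and POP; the loopback listener in `demo()` is a constructed stand-in for an exposed service so the example runs offline.

```python
import socket
import threading
from contextlib import closing

# Assumption drawn from the thread: the SBS box must expose SMTP and POP3
# for e-mail and nothing else (80/443 are meant to be closed).
REQUIRED_PORTS = frozenset({25, 110})


def probe_tcp(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes.

    A refusal (RST) and a silent drop (timeout) both count as closed from the
    outside; the distinction matters for tuning a firewall, not for exposure.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
            return False


def audit_exposure(host, ports_to_check, required=REQUIRED_PORTS, timeout=1.0):
    """Probe every port in ports_to_check plus the required set, once each.

    Returns (open_ports, unexpected_open, required_but_closed).
    """
    probed = set(ports_to_check) | set(required)
    open_ports = {p for p in probed if probe_tcp(host, p, timeout)}
    unexpected = open_ports - set(required)
    missing = set(required) - open_ports
    return open_ports, unexpected, missing


def _start_loopback_listener():
    """Constructed stand-in for an exposed service: a listener on an ephemeral
    127.0.0.1 port that accepts and immediately closes connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener was closed; stop the thread

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _pick_closed_port():
    """Bind and release an ephemeral port so we have one that is (almost certainly) closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Offline run of the audit against constructed loopback ports.

    'clean' audits against a policy that allows exactly the listening port;
    'email_only' audits the same host against the thread's SMTP/POP-only policy.
    """
    srv, listening = _start_loopback_listener()
    try:
        closed = _pick_closed_port()
        clean = audit_exposure("127.0.0.1", [listening, closed], required={listening})
        email_only = audit_exposure("127.0.0.1", [listening, closed], required=REQUIRED_PORTS)
        return {"clean": clean, "email_only": email_only, "listening": listening}
    finally:
        srv.close()


if __name__ == "__main__":
    result = demo()
    for name in ("clean", "email_only"):
        opened, unexpected, missing = result[name]
        print(f"{name}: open={sorted(opened)} unexpected={sorted(unexpected)} "
              f"missing={sorted(missing)}")
```

Run `audit_exposure` against your own public address from a host outside your network, not from the LAN, since the question is what the router or ISA box lets through rather than what the server itself listens on. A port that a firewall drops silently shows up as a timeout, so keep the timeout short when checking many ports, and treat any port in the "unexpected" set as a rule to fix before worrying about which OS the firewall runs.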

