Re: Firewall for Windows 2003 Server R2 Standard
- From: "Prabhat" <not_a_mail@xxxxxxxxxxx>
- Date: Tue, 12 Sep 2006 18:12:47 +0530
When I Googled, I got the below reply:
--------------------------------------------------------------------------
Who are these "Windows Gurus" that you have spoken to, and what was the
exact question/answer (and context)?
IPSec, for example, is supported in Windows 2000 and Windows 2003, and can
give you very good protection (barring possible vulnerabilities in the
implementation), so whoever told you that there's "no good way" is either
qualifying their comments, or doesn't know what they're talking about (an
example of a qualification would be that IPSec isn't a firewall in a literal
sense).
Windows Server 2003 also comes with the built-in ICF as well, which, again,
may be "good enough" for you (though I would look at IPSec first).
Personally, I feel that the common SOHO type "Personal" software firewalls
(eg ZoneAlarm) do not give you enough flexibility to be able to configure
them appropriately for a server (given that you want to open a number of
ports). Most are designed for people who need to secure a client machine (ie
not allow incoming connections, but allow some applications outbound access
to the 'net). A lot don't give you much granularity either (for example, you
can specify that your email app can go out onto the 'net, but you can't say
that:
- email app can connect to pop3.myDomain.com port 110
- email app can connect to smtp.myDomain.com port 25
- deny access to everything else (eg everything port 80 to stop web-bugs
embedded in HTML mail)
You need to look at the more sophisticated products (though still "Personal"
products), such as Sygate's product (www.sygate.com), Kerio's Personal
Firewall product (not supported on Windows 2003 Server yet) (www.kerio.com)
or Tiny Software's (www.tinysoftware.com/) firewall product. Each of these
allows you to nominate an application/executable, and which IP
addresses/subnets can access (or are barred access) to which local and
remote ports, for which protocol (UDP/TCP/ICMP) inbound and/or outbound.
That said, I believe that a separate hardware device (whether dedicated like
a Cisco PIX, or application layer like Microsoft's ISA server) provides a
more robust, and secure environment (however you need to weigh up whether
you can afford the cost!)
HTH
Cheers
Ken
Microsoft MVP - Windows Server (IIS)
--------------------------------------------------------------------------
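
An added example, not part of the original post or of Ken's reply: one way to use the IPSec policy engine mentioned above as a static packet filter on Windows Server 2003, using `netsh ipsec static`. The policy and filter-list names, the open ports and the 192.0.2.0/24 management subnet are constructed for illustration.

```batch
@echo off
rem Added example: IPSec policy used as a packet filter on Windows Server 2003.
rem All names, ports and addresses below are constructed placeholders.

rem 1. Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="ServerFilter" description="Default block, permit listed services" assign=no

rem 2. Two filter actions: one permits matching traffic, one drops it.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 3. Filter list for the public services (HTTP and HTTPS from any address).
netsh ipsec static add filterlist name="Web-In"
netsh ipsec static add filter filterlist="Web-In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="Web-In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS"

rem 4. Filter list for remote administration, limited to one subnet (assumed).
netsh ipsec static add filterlist name="Admin-In"
netsh ipsec static add filter filterlist="Admin-In" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP from management subnet"

rem 5. Catch-all filter list. The most specific matching filter wins, so the
rem    lists above take precedence over this one. Because it is mirrored, it
rem    also blocks the server's own outbound traffic (DNS, updates, mail)
rem    unless further permit filters are added for those flows.
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="Everything else"

rem 6. Bind filter lists to actions inside the policy.
netsh ipsec static add rule name="Allow web" policy="ServerFilter" filterlist="Web-In" filteraction="Permit"
netsh ipsec static add rule name="Allow admin" policy="ServerFilter" filterlist="Admin-In" filteraction="Permit"
netsh ipsec static add rule name="Block rest" policy="ServerFilter" filterlist="All-Traffic" filteraction="Block"

rem 7. Review the result, then assign it. Assign from the console rather than
rem    over a remote session in case the admin filter does not match.
netsh ipsec static show policy name="ServerFilter" level=verbose
netsh ipsec static set policy name="ServerFilter" assign=y
```

These permit and block filters are matched per packet with no connection tracking, which is the sense in which IPSec "isn't a firewall in a literal sense".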