Re: What to use for a Firewall device?




Monitoring. That's what keeps you safe. If a firewall can give the feedback you need, it's a winner.

Right now I'll admit I'm not liking some of the false positives I've been getting in ISA.. still playing around with the monitoring settings to get it like I like it.

Leythos wrote:
In article <#6lqcXdgFHA.1044@xxxxxxxxxxxxxxxxxxxx>, sbradcpa@xxxxxxxxxxx says...

BTW ...look around... how do we get nailed in SBSland?

SBS 2000 they came through the open port 80 with Code Red/Nimda.. now how would a firewall help unless that was specifically set to look for those tracks? Back in those days even servers with external firewalls with open port 80's were getting nailed.


I forget what Code Red exploited, but I know that none of our servers, and we have 8 of them in our company alone, that provide IIS, were compromised. I'll have to look it up and see what it did and how we were setup to avoid it. I suspect that, like most attacks, since we remove access to command.com and other programs and msi's from all but one user (a renamed account), that it's one of the things that kept us safe.


SBS 2003? sucky password on the Administrator account getting auth attack on port 25.


I've seen the same thing, but we always setup a dedicated Exchange server in a DMZ, massive IP block lists (most non-US countries), and we control the passwords - users can not create/modify their passwords.


Now if you can state that your firewalls protect the admin account from being brute force attacked..then you have a winner and my utmost respect.


Actually, between the logging and the custom VB apps we've written to monitor the logs/firewalls, we can see a slow BF attack, and get an alert about it, so we don't have to sit on the firewall to detect it.


Heck I even have a RRAS firewall at home and don't get nailed.

I'll show you a bunch of SBSers with ISA on the box and when something bad has occurred it's because we get stupid...we don't get hacked. We get stupid because we don't patch.


I've seen the same thing in Appliances, where the user creates a rule and doesn't see that it's public facing - like an ANY rule to test for a problem :)


Having a box on the outside doesn't help that problem.

[and keep in mind that many times the conversations and arguments are for the benefit of the community..please don't take it personally and nor do I... but I'd like to get people away from the "Oh I have a Cisco


I wasn't taking it personally, just trying to make sure the discussion was friendly in case I missed something or anyone felt insulted. I love to see where I've missed something, it's a great way to grow in the field, and as I mentioned I will be setting up an ISA server this weekend to test it and determine what I like/don't like about it.


..it's secure" and realize ...how long has it been since you've checked it too... is it set up properly?...


We have about 80 firewalls in service right now, we check the logs using automated scripts that alert us based on key indicators. We also check the logs once a month manually, in addition to the security logs and the IIS logs.


I've seen folks with the entire SBS box sitting in the DMZ which kinda defeats the purpose ya know :-)


This is a pet peeve of mine - the DMZ is the same as the LAN as far as protection offered, it's that users choose to expose the DMZ and create rules to allow access to it. In many cases, like an accounting or research department, the DMZ may be where they reside and it is completely protected from the inbound LAN access and has no inbound public access either. Then we got NAT routers and vendors calling them Firewalls and then adding a DMZ IP address to them - they forward all traffic to the DMZ IP, which is in the same subnet as the LAN, which makes it not a DMZ, but a fully exposed IP in your LAN :)

It would be great if they stopped calling those simple NAT devices Firewalls, and even better if the media (PC Mac, Connect, Tech shows) started taking the vendors to task for it - my guess is the tech shows/mags don't really have people that know the difference.


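The thread's point about catching a slow brute-force run against the Administrator account on port 25 is easy to see with a sliding-window check. This is an added example, not the posters' VB monitoring apps; the log format, the IPs and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not any real product's output):
# "<date> <time> smtp AUTH LOGIN <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+ \S+) smtp AUTH \w+ (failed|ok) user=(\S+) src=(\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def constructed_log():
    """Synthetic SMTP AUTH log: one source trying 'administrator' every 10 minutes,
    plus a legitimate user who mistypes twice and then succeeds."""
    base = datetime(2005, 8, 1, 0, 0, 0)
    lines = []
    for i in range(30):  # 30 failures spread over 5 hours: never more than 1 per minute
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts:{TS_FMT}} smtp AUTH LOGIN failed user=administrator src=203.0.113.7")
    for offset, result in ((3, "failed"), (4, "failed"), (5, "ok")):
        ts = base + timedelta(minutes=offset)
        lines.append(f"{ts:{TS_FMT}} smtp AUTH LOGIN {result} user=jsmith src=192.0.2.20")
    return lines


def find_brute_force(lines, window_minutes, threshold):
    """Return {(src_ip, user): n} for every source/user pair that accumulates at
    least `threshold` failures inside some span of `window_minutes` minutes."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, result, user, src = m.groups()
        if result == "failed":
            failures[(src, user)].append(datetime.strptime(ts, TS_FMT))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # slide the window's left edge forward
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    log = constructed_log()
    print("per-minute rule:", find_brute_force(log, 1, 5))   # sees nothing
    print("24-hour rule:  ", find_brute_force(log, 24 * 60, 20))  # flags the slow attacker
```

A rate rule tuned to fast attacks (5 failures in a minute) never fires on one attempt every ten minutes; a long window with a modest count is what turns the same log into an alert.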


