Planetarion Forums > Non Planetarion Discussions > Programming and Discussion
19 May 2003, 23:49 #1
Icedude
bored
Join Date: Oct 2000
Location: dunno
Posts: 14
Firewall - advice request

After upgrading to Windows 2003 Enterprise Server on my server, I need a replacement firewall.

I need:
1. A software based firewall, to run on that OS, that provides full NAT support (or lets ICS perform NAT without interfering)
2. Full access to block IP addresses/ranges and open/close ports at will. (pretty basic, but you'd be surprised at how many personal firewalls don't let you do this)
3. Intrusion detection would be nice.

BlackIce Server Protection doesn't currently run on Windows 2003.

Symantec Enterprise is nice enough, but I don't fancy having to patch its daemons constantly to keep it secure.

Kerio WinRoute Firewall 5.0.4 I'm currently trialling, and if anyone can suggest a replacement with the same functionality and feel, I'll be most impressed. The only problem with Kerio is its NAT support: some of the services on the net I need to access, it just doesn't let me connect to.

Any ideas ?

(and, oi, zonealarm... nooo !)
20 May 2003, 00:52 #2
Gayle29uk
Bitch
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
I currently have WinRoute on here and it's the best I've found (short of the Symantec Enterprise Firewall, but that's a little overkill for a home net).
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
20 May 2003, 20:00 #3
Icedude
bored
Join Date: Oct 2000
Location: dunno
Posts: 14
I agree Gayle (now).

WinRoute is the best I've found. I fixed the problem I had by going against my nature and reading the manual.

It seems its default "Protocol inspector" was causing me some probs, and since this field is hidden by default from the traffic policy, I didn't spot it. Disabling that on my NAT connection, and it's all sorted.
20 May 2003, 20:26 #4
Mit
Let battle commence
Join Date: Feb 2002
Location: England
Posts: 732
I tried to use WinRoute, couldn't get the silly thing to install. Tried it on 3 separate Windows installs (same machine over time); it would always burp "Cannot WRITE to memory ......", which is a little odd, I've tested the RAM, and it's the only thing that moans. So I gave up and built a Linux router instead. I blame Windows.
__________________
Mit
http://tim.igoe.me.uk - Development Blog
Whats on TV now - UK TV Guide

<Mendosa> mit is a cute cudlly toy that will be in the shops by christmas
<mig-work> ur now my eternal fav pa god
<Squiz> i name thee, Sir Mit
<Zeus> u my friend are a true gamer I knew u were
20 May 2003, 20:27 #5
meglamaniac
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
Sygate Personal Firewall Pro is pretty damn good. It works with the NAT Windows provides; however, I'm not sure if it works with 2003 as I haven't had any experience with the OS. It DOES work with XP, which is the closest thing I suppose.
It installs itself somewhere in the actual TCP/IP layer, so if you ask it to, it can simply disable the entire TCP/IP system so nothing transmits or receives at all.
Of course, you're unlikely to want to do that unless you're under attack or something, but it can extend the same idea to smaller areas.
It can, on a system wide scale:
block specific ports
block specific ips
block specific transports
block specific transmission directions (upload/download)
combinations of all of the above, with ranges etc
On an application level (or even on a DLL level, if you're insane enough to try managing that level of detail) it can:
Do everything you can do on a system level, but for specific apps
Various more application specific activities and rules

System wide rules override application rules (so if you have a "block all" system wide rule then nothing works at all, even if you've set some applications to be allowed under the apps management) and system wide rules are processed in a list order so you can "stack" them to suit your needs. This is useful for the more secure "block everything unless I specifically allow it to connect" method of firewall management.
It also has various smart exception methods you can enable or disable, it (of course) monitors traffic for possible attacks, and has various protection systems (e.g. to try and prevent people resetting your MAC address etc.).
The attack monitor is nicely done and can provide a full backtrace of the source if you like.

Not that I like it or anything.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
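The rule-ordering behaviour described in the post above (system-wide list first, evaluated top to bottom with first match winning, application rules only if the system list is silent, and "block" when nothing matches) is easy to get wrong when stacking rules, so here is an added example that models it. This is illustration code written for this thread, not Sygate's or any other product's code; the process names, addresses and rules are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the rule scheme described in the post above: a
# system-wide list evaluated top to bottom (first match wins), then a
# per-application list, with "block" as the default when nothing matches.
# Names, addresses and rules below are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    app: str         # owning process, e.g. "browser.exe" (constructed name)
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    remote_ip: str
    port: int        # remote port for "out", local port for "in"


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    app: Optional[str] = None         # None = any application (system-wide)
    direction: Optional[str] = None
    proto: Optional[str] = None
    ip_prefix: Optional[str] = None   # crude range match on the dotted string
    ports: Optional[range] = None     # a Python range, so range(1024, 65536) is a span

    def matches(self, p: Packet) -> bool:
        return ((self.app is None or self.app == p.app)
                and (self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.ip_prefix is None or p.remote_ip.startswith(self.ip_prefix))
                and (self.ports is None or p.port in self.ports))


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """List order matters: the first rule whose fields all match decides."""
    for r in rules:
        if r.matches(p):
            return r
    return None


def decide(system_rules: List[Rule], app_rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, reason). The system list is consulted first and, if it
    matches, is final, so a system-wide 'block all' silences every app even
    when the app list would allow it. Unmatched traffic is blocked."""
    r = first_match(system_rules, p)
    if r is not None:
        return r.action, "system rule"
    r = first_match(app_rules, p)
    if r is not None:
        return r.action, "application rule"
    return "block", "default deny"


# A "block everything unless I specifically allow it" stack (constructed):
# specific allows sit above broad blocks, and the implicit default catches the rest.
SYSTEM_RULES = [
    Rule("block", ip_prefix="192.0.2."),                               # a banned range (TEST-NET-1)
    Rule("block", direction="in"),                                     # no unsolicited inbound
    Rule("allow", direction="out", proto="udp", ports=range(53, 54)),  # DNS for any app
    Rule("block", direction="out", proto="udp"),                       # all other UDP out
]
APP_RULES = [
    Rule("allow", app="browser.exe", direction="out", proto="tcp", ports=range(80, 81)),
    Rule("allow", app="browser.exe", direction="out", proto="tcp", ports=range(443, 444)),
    Rule("block", app="p2p.exe"),
]


def evaluate(p: Packet) -> str:
    """Convenience wrapper over the constructed rule set above."""
    return decide(SYSTEM_RULES, APP_RULES, p)[0]


if __name__ == "__main__":
    samples = [
        Packet("browser.exe", "out", "tcp", "203.0.113.9", 443),
        Packet("browser.exe", "out", "tcp", "192.0.2.7", 443),
        Packet("mail.exe", "out", "tcp", "203.0.113.9", 25),
        Packet("mail.exe", "out", "udp", "203.0.113.9", 53),
        Packet("browser.exe", "in", "tcp", "203.0.113.9", 80),
    ]
    for s in samples:
        print(s, "->", decide(SYSTEM_RULES, APP_RULES, s))
```

The point to take from running it: the browser's allow rule is worthless for a destination in the banned range, because the system list has already decided, and an application with no rule at all gets nothing, because the default is deny rather than allow.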
20 May 2003, 20:38 #6
Mit
Let battle commence
Join Date: Feb 2002
Location: England
Posts: 732
Only snag with Sygate, and any software firewall for that matter, is they EAT CPU. Got Sygate on my machine when I'm at uni, and if I'm doing a 'reasonable' speed download (600KB/s) I'm normally at 100% CPU; this is a Duron 1.3GHz with SMC.exe (Sygate) eating about 60% of the CPU.
20 May 2003, 20:46 #7
meglamaniac
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
Well yeah, but as he requested a software one I assumed that was a given.

20 May 2003, 22:30 #8
Icedude
bored
Join Date: Oct 2000
Location: dunno
Posts: 14
CPU isn't an issue really, the CPU is pretty bored most of the time, and it's only a 600k broadband connection.

Added bonus of being cheaper than a hardware firewall, if you get the drift...
25 May 2003, 03:35 #9
Belgarath The Sorcerer
First Disciple of Aldur
Join Date: Jul 2000
Location: The Vale of Aldur
Posts: 1,470
What's wrong with Zonealarm??
__________________
Yeah.
25 May 2003, 05:22 #10
Raging.Retard
Street Tramp
Join Date: Apr 2000
Location: Street Gutter
Posts: 341
Re: Firewall - advice request

Quote:
Originally posted by Icedude
1. A software based firewall, to run on that OS, that provides full NAT support (or lets ICS perform NAT without interfering)
If you are running Enterprise you should already have RRAS included (may need to install it from Add/Remove -> Windows Programs). This provides an operating system service for full NAT support. This will probably be the most stable option, and ofc has the added benefits of simple remote administration via the appropriate MMC snap-in.

If you are familiar with MS products then something like MS ISA might be just what you need; however, for the smaller network this will probably be overkill. There are a lot of freeware firewalls, however, that will sit on top of the OS and allow Windows to do the NATing in the background.

Lastly there is even built-in support for opening/closing ports on the machine's network interfaces. You may also filter by protocol. I've not checked this yet with 2003, but the downside with 2k was the fact the restrictions affected all interfaces on the machine. These options are accessible via the standard networking options, then TCP/IP Properties, then Advanced, if my memory serves correctly.
__________________
Chimney Pots.
25 May 2003, 20:15 #11
Gayle29uk
Bitch
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by Belgarath The Sorcerer
What's wrong with Zonealarm??
Steve Gibson recommends it. Isn't that enough?

http://grcsucks.com/grcdos.htm
25 May 2003, 20:55 #12
KaneED
Motherfracker
Join Date: May 2001
Posts: 2,985
I'm gonna tag on to someone else's thread and ask about a firewall thing of my own.

I have two computers. One accesses the internet directly and has zonealarm running on it. The other is connected to the first one and doesn't run zonealarm because it ****s up the network and I can't connect to the internet or transfer files.

What I'm wondering is, will my second computer be protected by the firewall on the first? Because on the second one, it says the connection is straight to the internet as well as having the network thing too. it's all so weird :/
25 May 2003, 21:00 #13
Gayle29uk
Bitch
Join Date: Jun 2002
Location: North Yorkshire
Posts: 3,848
Quote:
Originally posted by KaneED
What I'm wondering is, will my second computer be protected by the firewall on the first?
Yes (unless you have some really weird NAT rules set up to filter only traffic on the firewall machine and allow all traffic to route to NAT boxes).
25 May 2003, 23:10 #14
Icedude
bored
Join Date: Oct 2000
Location: dunno
Posts: 14
Quote:
What I'm wondering is, will my second computer be protected by the firewall on the first? Because on the second one, it says the connection is straight to the internet as well as having the network thing too. it's all so weird :/
The 2nd computer will be quite well protected by the fact all the traffic is being NAT'd. The 2nd PC won't be visible to the internet (unless you set up port forwarding on your server).

Quote:
Yes (unless you have some really weird NAT rules set up to filter only traffic on the firewall machine and allow all traffic to route to NAT boxes).
Shouldn't be too much of an issue; he doesn't say what OS, but the only thing you can do to config ICS is to forward ports (and although I've never used 98 to do ICS, I'm pretty sure you can't forward ports with it).

KaneED: if you're bored, google for NAT (Network Address Translation) and ICS (Internet Connection Sharing) for your OS and read up about it.
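Why the second PC is invisible from the internet unless a port is forwarded, as the post above states, comes down to how a port-translating NAT keeps its mapping table. The following is an added example written for this thread (not ICS, WinRoute or any other product's code) that simulates that table with constructed addresses: 203.0.113.1 stands in for the sharing box's public side and 192.168.0.0/24 for the LAN behind it. It is a simplified model that checks the remote endpoint on replies; real implementations differ in the details of that check.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses: 203.0.113.1 is the sharing box's public side,
# 192.168.0.0/24 the private LAN behind it. The whole model is a simplified
# port-translating NAT written for illustration, not any product's code.
PUBLIC_IP = "203.0.113.1"


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip: str,
                 port_forwards: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.public_ip = public_ip
        # explicit exposures configured by the admin: (proto, public_port) -> (lan_ip, lan_port)
        self.port_forwards = dict(port_forwards or {})
        # mappings created by outbound traffic:
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.mappings: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self._next_port = 40000   # constructed starting point for translated ports

    def outbound(self, p: Pkt) -> Pkt:
        """LAN -> internet: rewrite the source to the public address and a
        translated port, remembering the mapping so the reply can come back."""
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        for (proto, pub_port), value in self.mappings.items():
            if proto == p.proto and value == flow:       # reuse an existing mapping
                return Pkt(self.public_ip, pub_port, p.dst_ip, p.dst_port, p.proto)
        pub_port = self._next_port
        self._next_port += 1
        self.mappings[(p.proto, pub_port)] = flow
        return Pkt(self.public_ip, pub_port, p.dst_ip, p.dst_port, p.proto)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """internet -> LAN: only a reply to a remembered mapping (from the same
        remote endpoint) or an explicit port forward reaches a LAN host; anything
        else has no translation and is dropped (returns None)."""
        if p.dst_ip != self.public_ip:
            return None
        m = self.mappings.get((p.proto, p.dst_port))
        if m is not None:
            lan_ip, lan_port, remote_ip, remote_port = m
            if (p.src_ip, p.src_port) == (remote_ip, remote_port):
                return Pkt(p.src_ip, p.src_port, lan_ip, lan_port, p.proto)
            return None   # right port, wrong sender: not the reply we are waiting for
        fwd = self.port_forwards.get((p.proto, p.dst_port))
        if fwd is not None:
            lan_ip, lan_port = fwd
            return Pkt(p.src_ip, p.src_port, lan_ip, lan_port, p.proto)
        return None


if __name__ == "__main__":
    nat = Nat(PUBLIC_IP)
    print("out:", nat.outbound(Pkt("192.168.0.2", 51000, "198.51.100.10", 80)))
    print("reply:", nat.inbound(Pkt("198.51.100.10", 80, PUBLIC_IP, 40000)))
    print("unsolicited:", nat.inbound(Pkt("198.51.100.99", 4444, PUBLIC_IP, 139)))
    exposed = Nat(PUBLIC_IP, {("tcp", 8080): ("192.168.0.2", 80)})
    print("forwarded:", exposed.inbound(Pkt("198.51.100.99", 4444, PUBLIC_IP, 8080)))
```

The unsolicited packet to port 139 returns None because nothing on the LAN ever created a mapping for it, which is the protection the post describes; the port-forward entry is exactly the hole that makes one LAN service reachable again, so each forward is worth treating as a deliberate exposure.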
25 May 2003, 23:14 #15
Icedude
bored
Join Date: Oct 2000
Location: dunno
Posts: 14
Re: Re: Firewall - advice request

Quote:
Originally posted by Raging.Retard
If you are familiar with MS products then something like MS ISA might be just what you need; however, for the smaller network this will probably be overkill. There are a lot of freeware firewalls, however, that will sit on top of the OS and allow Windows to do the NATing in the background.
I've had a good look at ISA Server, and even though it looked OK, decided against letting MS handle the security.

Quote:
Lastly there is even built-in support for opening/closing ports on the machine's network interfaces. You may also filter by protocol. I've not checked this yet with 2003, but the downside with 2k was the fact the restrictions affected all interfaces on the machine.
Yeah, I've not checked it on 2003 yet either, but presume it will be the same as 2000, which is a bit silly really...
25 May 2003, 23:23 #16
MT
/dev/zero
Retired Mod
Join Date: May 2000
Posts: 415
No-one's mentioned it, so I will, but for the cost of a proprietary software firewall, you could get a run-down old office PC, stick a couple of NICs in it and invest a few hours reading up on iptables. Anything 486 and above will do the job hardware-wise; early Pentiums are ideal.

From the way you talk the talk, I'm guessing you're not a spotty teenager, and so probably work somewhere. Ask the 'IT guy' (or the boss if it's a really small place \o/) if they've got any discarded PCs clogging up storage. I've got 3 upstairs I liberated from a company that only has 15 employees; they just ran out of storage and decided that no-one would ever use a K6-2 400 machine ever again, so they went in the back of the car ...
__________________
#linux : Home of Genius

<idimmu> ok i was chained to a desk with this oriental dude
26 May 2003, 11:56 #17
Icedude
bored
Join Date: Oct 2000
Location: dunno
Posts: 14
Quote:
Originally posted by MT
From the way you talk the talk, I'm guessing you're not a spotty teenager, and so probably work somewhere. Ask the 'IT guy' (or the boss if it's a really small place \o/) if they've got any discarded PCs clogging up storage
I'm one of the IT guys.

Our "scrap everything below a P1 200" policy doesn't extend to letting employees take the spare parts home though. Even if it did, I'd have the problem of having to house another PC, and then learning *nix, something I'm not overly enthusiastic about.
Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2018