• Status: Solved

Windows Server 2003 Firewall; Will it protect a small network if the server is a bastion host?

I have a Windows Server 2003 box with two NICs. Windows Firewall is enabled on the public NIC. Is that actually protecting the private network? I am running RRAS if that has anything to do with it.

public network-------------(NIC 1 Firewalled(W2K3 Server)NIC 2)--------private network

I would like to use the Windows firewall because it is easy to use for me and I can still edit the ACLs easy. Also no pop-ups.
0
Asked by silver00x00

1 Solution

sciwriter commented:
As long as the public and private have different class-c network IPs -- YES -- if they are the same, NO!!!

So say the public is 192.168.0.x for internet access.
Set the private to 192.168.C.x  -- where C is any number 1-244  (as long as it is not 0, same as other network).

When the two different NICs are set to different class C IP addresses, there is no simple sharing or internet connectivity between them.

e.g. -- typical internal network -- 192.168.0.1-255.
typical user remote (VPN etc)  -- 192.168.1.1 router
typical IP address for second NIC in "server" getting to internet -- 192.168.2.2 (router 2.1 to internet).

ALL THE CLASS C NUMBERS MUST BE DIFFERENT for this to work as you want.
Once set up, it works like a bolt of greased lightning: the internal network cannot find the internet, but the internet server can, and you can remotely VPN into that server from your house -- but not get to the internal office network.
0
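As an added example (not part of the thread), a short Python script that applies the condition in this answer to a Windows Server 2003 `ipconfig` listing: it parses each adapter's IP address and subnet mask and reports any two adapters whose networks overlap. The `ipconfig` text is constructed in the 2003 output style with the example addresses used above, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample in the style of Windows Server 2003 `ipconfig` output, using the
# example addresses from the answer above; it was not captured from a real host.
SAMPLE_IPCONFIG = """Ethernet adapter Public (NIC 1):
        IP Address. . . . . . . . . . . . : 192.168.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

Ethernet adapter Private (NIC 2):
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^(\S.* adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(IP Address|Subnet Mask)[ .]*:\s*(\S*)\s*$")

def parse_ipconfig(text):
    """Map adapter name -> IPv4Interface for every adapter that lists an IP and mask."""
    raw = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            raw[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            raw[current][m.group(1)] = m.group(2)
    ifaces = {}
    for name, f in raw.items():
        if f.get("IP Address") and f.get("Subnet Mask"):
            # ipaddress accepts the dotted-mask form "a.b.c.d/255.255.255.0"
            ifaces[name] = ipaddress.ip_interface(f"{f['IP Address']}/{f['Subnet Mask']}")
    return ifaces

def subnet_conflicts(ifaces):
    """Adapter pairs whose networks overlap: the 'same network on both NICs' case."""
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]

if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, iface in found.items():
        print(f"{name}: {iface.network}")
    print("conflicts:", subnet_conflicts(found) or "none")
```

Non-overlapping subnets are only the condition this answer states; whether the server actually forwards packets between the two NICs is a separate RRAS/IP routing setting on the host, so check that as well.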
 
The--Captain commented:
>Will it protect a small network if the server is a bastion host?

I think history speaks for itself here, so the answer is no, Windows can never be trusted to secure your network.

>I would like to use the Windows firewall because it is easy to use for me and I can still edit the ACLs easy

Wouldn't it just be easier to use no firewall at all?  You'd have almost as much security, and you could save yourself the time spent configuring.

My point is, network security is not supposed to be easy - using a product simply because you find it easy to use and disregarding its security history is the completely wrong way to approach things.

Cheers,
-Jon

0
 
silver00x00 (Author) commented:
sciwriter,
Yes, the IPs are different. On the untrusted side, it has a public IP. On the private side, it uses a class A, 10.x.x.x

Jon...
What would you suggest? I have used Black ICE Server and had nothing but problems with it. I searched all over the support website of Black ICE and had no luck. This is a home network and I am setting it up for learning reasons. So please don't recommend some expensive standalone device such as a PIX firewall even though it may be one of the best. Also since you talked about history, recommend me one that hasn't ever been compromised. This is going on a server, so please don't recommend one that has pop-ups constantly.

Silver
0
sciwriter commented:
I disagree completely that IP segmentation and different protocol binding CANNOT be used to protect an internal network from outside intrusion. I set it up all the time for major clients with big networks, and it works reliably, and as long as it is done right, is a robust, long-term solution. However, I am not going to argue here with downers of the technology. Using hackers' tools like Black ICE is utterly ridiculous for a serious business network.

Silver, your original request was fine, the tools like Windows Firewall that you suggested were fine, and the IP segmentation I discussed was not only workable, but a robust solution. I would keep your 2003 business server completely clean of all back-door, intrusion-type software, and do what I suggested. However, I don't know how much farther this thread can go, or if it has been derailed.
0
 
silver00x00 (Author) commented:
My systems have been up and running for a while now and everything seems to be fine. No worms or virii and everything is happy... Thank you sciwriter for your help. The question was: does the Windows firewall protect a network if a box is set up as a bastion host? The answer is YES. Now you know, Jon, the Windows firewall works much better than none at all. I agree that you shouldn't implement things just because they may be easy, but hey... It really is.
0
 
sciwriter commented:
<< does the windows firewall protect a network if a box is setup as a bastion host. The answer is YES. Now you know, Jon, the Windows firewall works much better then none at all. >>

Thanks silver, and just to let you know -- that windows "firewall" took a lot of effort for MS to admit they have a problem and to find a fix.  And my experience is -- it does just as good as the rest of them.

To test any firewall -- go to www.grc.com -- wade through his verbal diarrhea to find the place to "TEST YOUR PORTS" -- keep going, and eventually you will find a page to test Windows firewall.

Go for it -- you will find that Windows firewall puts about all your ports in stealth mode -- which is as good as you can get from any cable/DSL router with firewall -- so, as a person who has no love for MS software, it did impress me that MS finally got something right ....

:)))))))

Good luck !!
0