Windows Server 2003 Firewall; Will it protect a small network if the server is a bastion host?

Posted on 2005-03-04
Medium Priority
Last Modified: 2012-05-05
I have a Windows Server 2003 box with two NICs. Windows Firewall is enabled on the public NIC. Is that actually protecting the private network? I am running RRAS if that has anything to do with it.

public network-------------(NIC 1 Firewalled(W2K3 Server)NIC 2)--------private network

I would like to use the Windows firewall because it is easy for me to use and I can still edit the ACLs easily. Also no pop-ups.
Question by: silver00x00
LVL 23

Accepted Solution

sciwriter earned 1000 total points
ID: 13464410
As long as the public and private have different class-C network IPs -- YES -- if they are the same, NO!!!

So say the public is 192.168.0.x for internet access.
Set the private to 192.168.C.x -- where C is any number 1-244 (as long as it is not 0, the same as the other network).

When the two different NICs are set to different class C IP addresses, there is no simple sharing or internet connectivity between them.

e.g. -- typical internal network --
typical user remote (VPN etc)  -- router
typical IP address for second NIC in "server" getting to internet -- (router 2.1 to internet).

ALL THE CLASS C NUMBERS MUST BE DIFFERENT for this to work as you want.
Once set up, it works like a bolt of greased lightning: the internal network cannot find the internet, but the internet server can, and you can remotely VPN into that server from your house -- but not get to the internal office network.
LVL 16

Expert Comment

ID: 13464542
>Will it protect a small network if the server is a bastion host?

I think history speaks for itself here, so the answer is no, windows can never be trusted to secure your network.

>I would like to use the Windows firewall because it is easy to use for me and I can still edit the ACLs easy

Wouldn't it just be easier to use no firewall at all?  You'd have almost as much security, and you could save yourself the time spent configuring.

My point is, network security is not supposed to be easy - using a product simply because you find it easy to use and disregarding its security history is the completely wrong way to approach things.



Author Comment

ID: 13466205
Yes, the IPs are different. On the untrusted side, it has a public IP. On the private side, it uses a class A, 10.x.x.x

What would you suggest? I have used Black ICE Server and had nothing but problems with it. I searched all over the support website of Black ICE and had no luck. This is a home network and I am setting it up for learning reasons. So please don't recommend some expensive standalone device such as a PIX firewall even though it may be one of the best. Also since you talked about history, recommend me one that hasn't ever been compromised. This is going on a server, so please don’t recommend one that has pop-ups constantly.


LVL 23

Expert Comment

ID: 13466701
I disagree completely that IP segmentation and different protocol binding CANNOT be used to protect an internal network from outside intrusion.  I set it up all the time for major clients with big networks, and it works reliably, and as long as it is done right, is a robust, long-term solution.  However, I am not going to argue here with downers of the technology.  Using hackers' tools like Black Ice is utterly ridiculous for a serious business network.  

Silver, your original request was fine, the tools like Windows Firewall that you suggested were fine, and the IP segmentation I discussed was not only workable but a robust solution.  I would keep your 2003 business server completely clean of all back-door, intrusion-type software, and do what I suggested.  However, I don't know how much farther this thread can go, or if it has been derailed.

Author Comment

ID: 13492246
My systems have been up and running for a while now and everything seems to be fine. No worms or viruses and everything is happy... Thank you sciwriter for your help. The question was: does the Windows firewall protect a network if a box is set up as a bastion host? The answer is YES. Now you know, Jon, the Windows firewall works much better than none at all. I agree that you shouldn't implement things just because they may be easy, but hey... It really is.
LVL 23

Expert Comment

ID: 13492361
<< does the windows firewall protect a network if a box is setup as a bastion host. The answer is YES. Now you know, Jon, the Windows firewall works much better then none at all. >>

Thanks silver, and just to let you know -- that Windows "firewall" took a lot of effort for MS to admit they have a problem and to find a fix.  And in my experience -- it does just as well as the rest of them.

To test any firewall -- go to www.grc.com -- wade through his verbal diarrhea to find the place to "TEST YOUR PORTS" -- keep going, and eventually you will find a page to test Windows Firewall.

Go for it -- you will find that Windows Firewall puts about all your ports in stealth mode -- which is as good as you can get from any cable/DSL router with firewall -- so, as a person who has no love for MS software, it did impress me that MS finally got something right ....


Good luck !!
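The "stealth" verdict that the grc.com port test hands out is nothing more than a TCP probe that got no answer at all: an "open" port completes the handshake, a "closed" port makes the host send back a RST (connection refused), and a "stealth"/filtered port is one where a firewall silently dropped the SYN so the probe times out. The script below, an added example that is not code from this thread or from any of its participants, does the same classification from the command line so the check can be run from a machine on the public side instead of from a web page. The port list and the target are assumptions for illustration. It is also the check that actually answers the thread's question: run it once against the server's public address, then (from a public-side host that has a route to the 10.x.x.x range via the server) against a host on the private network. Any private host that comes back "open" or "closed" has answered a packet that travelled through the server, which tells you the box is forwarding and that whatever is keeping the private side safe is not the firewall on NIC 1.

```python
"""Classify TCP ports the way an outside port test does.

Added example for this thread, not code from the original page.  It is a
plain TCP connect probe: "open" if the three-way handshake completes,
"closed" if the host answers with a RST (connection refused), "filtered"
if nothing comes back before the timeout.  "filtered" is what ShieldsUP
calls "stealth": a firewall dropped the SYN instead of letting the host
refuse it.

Assumptions (not from the page): you are allowed to probe the target, and
you run this from a machine on the public side of the server.
"""
import socket
import sys

# Ports worth checking on a dual-homed Windows 2003 box: SMB/NetBIOS, RPC,
# RDP, PPTP (RRAS VPN) and the usual web/mail ports.  Constructed list.
DEFAULT_PORTS = (21, 22, 25, 80, 135, 139, 443, 445, 1723, 3389)


def probe_port(host, port, timeout=2.0):
    """Return "open", "closed", "filtered" or "unreachable" for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: a service is listening
    except socket.timeout:
        return "filtered"          # SYN dropped: no SYN/ACK and no RST ("stealth")
    except ConnectionRefusedError:
        return "closed"            # host replied with RST: packets did reach it
    except OSError:
        return "unreachable"       # no route, network down, name lookup failed


def scan(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports that answered at all (open or closed).

    Either state proves the probe reached the host; against a private
    address probed from the public side, a non-empty list means the
    bastion is forwarding traffic through.
    """
    return sorted(p for p, s in results.items() if s in ("open", "closed"))


def make_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port (for local self-tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python portstate.py <host>   (defaults to loopback)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target)
    for port in sorted(results):
        print(f"{target}:{port:<5} {results[port]}")
    print("ports that answered (open or closed):", exposed_ports(results))
```

A connect probe is deliberately the noisiest and simplest kind of scan; it needs no raw sockets or privileges, which is why it works from any Windows or Unix host on the public segment. "unreachable" is reported separately from "filtered" because a missing route on the scanning host says nothing about the target's firewall.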
