Advice offered on firewalls for Windows 2003 Server
As soon as I connected to my dedicated server and ran NETSTAT -AN at a command prompt (or NETSTAT -A), I saw apparent MSBLASTER attacks/attempts on port 135 of my system. They were not getting anywhere because I was fully patched, but it was still quite disconcerting to see connections to dial-up IPs here and there (with no web pages running). I even (naively, and it seems kind of funny looking back on it) called up one ISP; they were very nice and cut off the user's IP immediately, but the user wasn't a hacker - just an infected end-user. This is like spitting into the wind. You aren't going to fix the internet by making personal calls to the ISPs of infected computers!
Obviously, unlike your PC at home, you cannot just block everything coming in to a web server that you didn't initiate, because you want to serve pages - that's the idea, anyway <g>. Plus FTP, SMTP, POP3, HTTPS, etc. So you can't just block everything at the router, or run a simple firewall that blocks everything that tries to connect uninvited, the way you do on your home or office PCs.
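The triage described above, as an added example that is not part of the original post: parse the text that `NETSTAT -AN` prints, ignore LISTENING sockets and the ports the server is meant to expose, and count the remaining foreign hosts per local port. The netstat output and the intended-port list are constructed for the example.

```python
"""Triage `netstat -an` output for uninvited connections (e.g. to RPC port 135).

Added example, not from the original post. The sample output below is
constructed, not a real capture, and INTENDED_PORTS is an assumed list of
services the server is supposed to publish.
"""
from collections import Counter
import re

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.23:51234    ESTABLISHED
  TCP    203.0.113.10:135       192.0.2.77:1044        ESTABLISHED
  TCP    203.0.113.10:135       192.0.2.77:1045        SYN_RECEIVED
  TCP    203.0.113.10:135       192.0.2.201:2215       ESTABLISHED
  TCP    203.0.113.10:3389      198.51.100.5:49152     ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Ports the server is meant to expose (assumed); any other port with a
# remote peer attached is worth a look.
INTENDED_PORTS = {21, 80, 443, 3389}

# Proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket line, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport),
            "foreign_addr": faddr,
            "foreign_port": fport,      # '*' for UDP sockets
            "state": state or "",
        })
    return rows


def uninvited_peers(rows, intended_ports=INTENDED_PORTS):
    """Count (local_port, foreign_host) pairs for TCP sockets that have a
    real peer (not LISTENING) on a port we did not mean to serve."""
    counts = Counter()
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING":
            continue
        if r["local_port"] in intended_ports:
            continue
        counts[(r["local_port"], r["foreign_addr"])] += 1
    return counts


if __name__ == "__main__":
    peers = uninvited_peers(parse_netstat(SAMPLE_NETSTAT))
    for (port, host), n in sorted(peers.items()):
        print(f"port {port}: {n} connection(s) from {host}")
```

On a live box, pipe the real output in (`netstat -an > netstat.txt`) and feed the file to `parse_netstat`; the per-host counts are what tell an infected end-user scanning you apart from a single stray connection.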
Here's some info on software firewalls for Windows Server 2003:
1 ICF: Internet Connection Firewall. Included with Windows Server 2003 (and XP Pro, XP Home). After you enable it, you must check the boxes to allow Remote Desktop Connection so that you don't lock yourself out, plus HTTP, HTTPS, FTP, etc. as you wish.
If you have multiple IP addresses, you may find (as I did) that Remote Desktop will no longer connect. Connect to your highest IP address - that will work.
Even though you check the boxes to allow various services, they are subject to a limitation of ICF: it will ONLY work on ONE (1) IP address. It cannot be made to work with multiple IP addresses, and it will disconnect all the IP addresses it is NOT working on. In other words, you will wind up with one working IP.
2 TCP/IP Filtering: Included with Windows Server 2003. You can filter to allow certain ports only, but only in one mode or the other: either you allow all, or you allow only the ports you list ("block all except"). You will want "block all except" and then enter the ports you want to open. You can set filtering separately for TCP ports, UDP ports, and IP protocols (ICMP, i.e. ping, etc.).
It cannot handle port ranges, which creates the following problem. TCP/IP Filtering looks only at the local (destination) port of incoming packets, so opening UDP port 53 only lets in traffic addressed to port 53 on the server. It does nothing for the server's own DNS lookups: the outbound query goes from a randomly-assigned local port above 1024 to port 53 on the resolver, and the answer comes back addressed to that local port. Therefore, UDP must be open for all ports above 1024.
You can't do this with TCP/IP Filtering. Therefore you cannot run a browser (who cares about a browser on the server, though), but you also cannot run an outbound mail server, or anything else that needs to resolve domain names through DNS.
I did use TCP/IP Filtering temporarily to allow web pages, FTP, Remote Desktop, ping, and some other standard services to run, and this did absolutely lock down the server while allowing the HTTP, HTTPS, FTP and ping that I had specifically permitted. But DNS remained an issue.
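The DNS problem above, modelled as an added example that is not part of the original post. Two toy filters are run over the same constructed packets: one behaves like TCP/IP Filtering as described here (inbound only, matched on the local port, single ports, no ranges); the other is a per-direction rule list with port ranges of the kind a fuller firewall such as RRAS can express. The `Rule` shape and the `RULES` list are assumptions for the example, not the RRAS dialog or any real rule syntax.

```python
"""Why single-port inbound filtering drops the server's own DNS answers.

Added example, not from the original post. Both filter models and all the
packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "TCP" or "UDP"
    direction: str     # "in" (toward the server) or "out" (from the server)
    local_port: int    # port on the server
    remote_port: int   # port on the other host


# Constructed traffic: an inbound HTTP request, an outbound DNS query from an
# ephemeral port, and the answer coming back to that same ephemeral port.
SAMPLE_PACKETS = {
    "http_request": Packet("TCP", "in", 80, 51234),
    "dns_query": Packet("UDP", "out", 2431, 53),
    "dns_answer": Packet("UDP", "in", 2431, 53),
}

# "Permit only" lists as TCP/IP Filtering accepts them: individual ports.
TCP_PERMIT_ONLY = {21, 80, 443, 3389}
UDP_PERMIT_ONLY = {53}


def tcpip_filtering_allows(pkt, tcp_ports=TCP_PERMIT_ONLY, udp_ports=UDP_PERMIT_ONLY):
    """Model of TCP/IP Filtering: inbound packets only, decided on the local
    port alone. There is no way to list a range such as 1025-65535."""
    if pkt.direction == "out":
        return True
    allowed = tcp_ports if pkt.proto == "TCP" else udp_ports
    return pkt.local_port in allowed


@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str
    remote_port: Optional[int]       # None = any remote port
    local_ports: Tuple[int, int]     # inclusive range of local ports


# Assumed rule list for a per-direction, range-capable filter: the published
# services, plus DNS traffic between any ephemeral local port and port 53.
RULES = (
    Rule("TCP", "in", None, (80, 80)),
    Rule("TCP", "in", None, (443, 443)),
    Rule("TCP", "in", None, (3389, 3389)),
    Rule("UDP", "out", 53, (1025, 65535)),
    Rule("UDP", "in", 53, (1025, 65535)),
)


def rule_set_allows(pkt, rules=RULES):
    """First matching rule permits; no match means deny (default deny)."""
    for r in rules:
        if r.proto != pkt.proto or r.direction != pkt.direction:
            continue
        if r.remote_port is not None and r.remote_port != pkt.remote_port:
            continue
        lo, hi = r.local_ports
        if lo <= pkt.local_port <= hi:
            return True
    return False


def compare(packets=SAMPLE_PACKETS):
    """Evaluate each packet under both models.
    Returns {name: (tcpip_filtering_result, rule_set_result)}."""
    return {name: (tcpip_filtering_allows(p), rule_set_allows(p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:12s} TCP/IP Filtering: {'pass' if a else 'DROP'}"
              f"   rule set: {'pass' if b else 'DROP'}")
```

The query leaves under both models, but the answer is addressed to local port 2431, which the single-port list cannot name, so TCP/IP Filtering drops it; the rule list passes it because it can say "UDP from port 53 to any local port 1025-65535" and nothing else.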
3 Zone Alarm: both ZA Free and ZA Pro bombed when I tried to install them on Windows Server 2003. Pro bombed during installation and I had to remove all registry entries and files manually. ZA Free installed but wouldn't run. YMMV.
4 RRAS: Routing and Remote Access Service, included with Windows Server 2003. This is software designed for servers used as routers (for other computers), but it can be used solo on a server to block and open ports.
This is the real deal: you enter rules to allow each port and IP address, on an inbound and outbound basis (separately). You have total control, for better or (in my opinion) for worse.
There are no easy interface checkboxes.
Once you start to consider what it will take to maintain a bunch of IP addresses (I have 32 on this server), and stay on top of the latest info on what to block and what to open, you will see you either need to commit to this as an entire body of knowledge or else let someone else manage it. It's not a little sideline <g>, tip or trick; it's a technical practice unto itself.
5 Tiny Software Firewall: can work, but has the same management requirements as #4.
6 ISA: Microsoft Internet Security and Acceleration Server. Microsoft wants to sell this, so the free stuff bundled with the server will never get much better. However, it seems to me that ISA is really designed as a firewall for corporate networks and would be a performance hit on a web server. It costs server-type prices.
Summary:
Once a software firewall of some kind is configured and set up and working:
A) there is still a management headache and
B) there is still a performance hit on the server and
C) the level of protection is still below that of a hardware firewall.
Hardware firewalls can also handle attacks built on deliberately malformed TCP packets, which come in many flavors: DoS (denial-of-service) attacks that don't break in but stop your server from responding to normal traffic.
Therefore, I concluded that the hardware firewall option from my vendor (in this case ServerMatrix) was worth the money just for the hands-off management payoff, and that the additional performance and features of the hardware firewall are just icing on the cake.
FYI, it took me about 5 days to gather this information via trial, error, MSDN Priority support, Google newsgroups, etc. I got locked out of my server a few times <g>, and I had several stress-filled days.
I did this because I did not want to accept the often-offered advice to get a hardware firewall, without trying cheaper alternatives.
Now I understand what is behind that advice and I accept it. I now have a hardware firewall going in (until that's ready, the server is locked down completely).
If you want to learn IP routing, you might like to configure and run RRAS yourself, but plan to spend serious time on an ongoing basis. Otherwise, the hardware firewall cost is well-spent.
The hardware firewall can also be added as a hosting benefit to clients.

