Software Firewall for Server?
I am running a Windows 2003 server on my home LAN. Basically I just use it for files, Active Directory, and SQL Server. I am also considering using it for an internal mail server, and print server. It is already behind my Smoothwall box, as is the rest of my LAN.
Now I normally put Sygate Personal Firewall on all of my systems. I really started thinking about the purpose of having it installed on a server though. All it will do is alert me to traffic going outbound. This could be useful in a general system because 1) you would be able to see the message, and 2) you would know if you were sending something out or not. This isn't necessarily true for a dedicated server.
Also a software firewall is most useful on things that might have gotten installed on your system without permission, and try to send information over the internet. These things will usually be installed by visiting some website, downloading some file, or some other user action. So I started to think that running a software firewall on a dedicated server is a waste of time. If I am never actually logged into it, except to do updates or management, and even then never use the web browser, what good does it do me?
I would like to hear some other thoughts on this, in terms of security. I currently feel that it isn't really a risk, would you agree?
RJARRRPCGP
10-02-05, 11:27 PM
I am running a Windows 2003 server on my home LAN. Basically I just use it for files, Active Directory, and SQL Server. I am also considering using it for an internal mail server, and print server. It is already behind my Smoothwall box, as is the rest of my LAN.
Now I normally put Sygate Personal Firewall on all of my systems. I really started thinking about the purpose of having it installed on a server though. All it will do is alert me to traffic going outbound. This could be useful in a general system because 1) you would be able to see the message, and 2) you would know if you were sending something out or not. This isn't necessarily true for a dedicated server.
Also a software firewall is most useful on things that might have gotten installed on your system without permission, and try to send information over the internet. These things will usually be installed by visiting some website, downloading some file, or some other user action. So I started to think that running a software firewall on a dedicated server is a waste of time. If I am never actually logged into it, except to do updates or management, and even then never use the web browser, what good does it do me?
I would like to hear some other thoughts on this, in terms of security. I currently feel that it isn't really a risk, would you agree?
A software firewall can notify you of attacks inbound. Including signs of possibly a DoS attack, such as a port scan.
But so does Smoothwall, and really you shouldn't be able to scan my internal network with my Smoothwall box up and running. Any port scan attempt will be stopped by the Smoothwall, and logged there before ever reaching the internal server. Also I have no ports open on this server to the outside world, it is 100% internal LAN.
RJARRRPCGP
10-03-05, 04:48 PM
But so does Smoothwall, and really you shouldn't be able to scan my internal network with my Smoothwall box up and running. Any port scan attempt will be stopped by the Smoothwall, and logged there before ever reaching the internal server. Also I have no ports open on this server to the outside world, it is 100% internal LAN.
The good software firewalls do block inbound attack-related packets. But, if you have a hardware firewall setup, go for it.
I'm currently required to use a software firewall, because I don't have broadband yet. (out in the boonies)
I was reading on the smoothwall about this guy who was getting ddos'ed
http://community.smoothwall.org/forum/viewtopic.php?t=15294&highlight=dos
Basically the smoothwall will take the brunt of it. The smoothwall will protect against all inbound attacks because it's designed to not let any unrequested traffic through. The problem is if you have something on your server such as a trojan or your machine gets, let's say, some worm turning it into a zombie for other DoS attacks, then your smoothie is gonna let all that stuff out and spread over the internet. But if you are sure your server is clean then there really isn't a need for a software firewall.
Xenocide
10-03-05, 07:06 PM
I was reading on the smoothwall about this guy who was getting ddos'ed
http://community.smoothwall.org/forum/viewtopic.php?t=15294&highlight=dos
Basically the smoothwall will take the brunt of it. The smoothwall will protect against all inbound attacks because it's designed to not let any unrequested traffic through. The problem is if you have something on your server such as a trojan or your machine gets, let's say, some worm turning it into a zombie for other DoS attacks, then your smoothie is gonna let all that stuff out and spread over the internet. But if you are sure your server is clean then there really isn't a need for a software firewall.
Not entirely true. Unless the trojan uses UPnP configuration, and your router is enabled for it, the attacker cannot contact your computer; the port has to be open on your router.
Unless the trojan is something that will connect itself to a remote server (IRC or something else), the attacker can't reach it to start a zombie attack.
I have my Smoothwall locked down as tight as possible, all ports are stealthed. Also no pinholes, or anything else opened for any reason.
I am certain my server is clean. All I did was just install Windows 2003 server directly from MS CD, SQL Server 2000 from MS CD, and go to Windows Update to grab all the updates. Other than that I have done no other installs, just configuring it as a file and domain server. Also I run Spybot, AVG, and Sygate on all client PCs. I feel pretty safe without running a software firewall on the server.
klingens
10-04-05, 04:36 AM
Considering software firewalls are at least 50% useless for serious firewalling: don't bother.
On desktops they're just a crutch 'cause they're better than nothing, but on a server where you aren't supposed to install stuff willy-nilly, they're not needed.
>HyperlogiK<
10-04-05, 06:00 AM
I think a lot of people mistakenly assume something along the lines of:
software firewall = rubbish
hardware firewall = complete protection
I think that hardware firewalls are better, not because of intrinsically greater security, but because they are big chunky machines that are very fast at stateful packet filtering on big bandwidth connections; even with multiple cores and hyperthreading, software firewalls just can't match this (and still give you a machine that is useful for anything else). You probably also want some kind of firewall doing application layer inspection and making sure that no specified sensitive data makes it out of the network. I would always go for both software and hardware solutions, rather than buying some fancy CISCO box and assuming that I was secure. 'Must be ok, I hear they make the internet you know' :)
one other point
I don't know about Sygate, but a lot of personal firewall and av software can't be installed under windoze server, it asks you to go buy an overpriced server edition.
klingens
10-04-05, 09:26 AM
Any decent "hardware-firewall" runs some sophisticated software to do both, stateful packet and application layering firewall.
Also, a dedicated Linux box running as a firewall (like smoothwall) with iptables is a gazillion times better than your desktop distro running the exact same iptables scripts. Why? 'Cause the former is on its own machine, and the other runs on the same machine it's supposed to protect. That is why "software-firewalls" are crappy: any vulnerability of the machine it runs on renders it moot. A dedicated firewall is much more secure 'cause it's harder to compromise a machine only via the firewall and network stack itself.
First of all, the free Sygate edition installed just fine on Windows Server 2003. I was running the trial edition while waiting for MS to get around to shipping me my partner software. I then had it installed and running just fine. When I got my regular license software I needed to format, and never reinstalled the software firewall.
The one thing that is a pretty big PITA is setting it up at first. In order to allow everything to work properly I needed to sit there in the server while running various things on client machines. Then as the various requests from the client PCs were made I needed to tell it to allow those applications access. No software firewall means I don't need to do that.
I understand the whole thing of having a firewall running on a separate machine is supposedly the most secure method, as it won't be subject to any virus or attack on the machine it is trying to protect. That is part of the reason I run a Smoothwall. I also feel though that for most end user PCs a software firewall is an extra helpful step in protecting the network.
The only real way it helps is by telling you what is trying to enter or leave the computer that hasn't been initiated by you. This can help you catch some malicious program trying to phone home. Only on a server I wouldn't see the message warning me it is trying to access the net. Also the only way that this software gets installed, AFAIK, is by having infected files downloaded, visiting infected websites, or through email. All software installed on a server is scrutinized carefully for any malware, and chosen carefully. Generally servers won't (shouldn't be) used for web browsing or email. So I am wondering how exactly, on a properly managed and used server, these things could get in? Especially if it is behind a secure hardware firewall performing NAT. As far as I can tell there really is no way for something to get on that computer, unless of course someone is really intent on just getting through.
>HyperlogiK<
10-05-05, 05:01 AM
Because many people use a server on a mini home network differently to how they would an ultra secure corporate machine.
RJARRRPCGP
10-06-05, 11:04 PM
I think a lot of people mistakenly assume something along the lines of:
software firewall = rubbish
hardware firewall = complete protection
I think that hardware firewalls are better, not because of intrinsically greater security, but because they are big chunky machines that are very fast at stateful packet filtering on big bandwidth connections; even with multiple cores and hyperthreading, software firewalls just can't match this (and still give you a machine that is useful for anything else).
I agree, because Sygate, Kerio and SoftPerfect (not well known, but appears to be the smallest in size) are good, because they all passed the Shields Up! tests when configured properly. Stealth ports are required for Shields Up! to pass! If the ports weren't stealthed, then it's likely that an application ends up getting exploited.
That may cause an application crash. I already know that a virus can crash a service!
That's why you get a notification of a reboot because of a service terminating unexpectedly. (That message isn't from a virus. That message is from Windows, because a virus managed to crash a system service and by default, Windows is set to notify about the fact that it's going to reboot and then reboot in 60 seconds or less)
It is also possible for Windows to crash. A Windows crash probably would be caused by a virus exploiting a kernel process.
Any suggestion for a software firewall? I'm thinking to run a dual P2 linux box as firewall, is that more safe? Thanks
Well I think that really the whole point is that software and hardware firewalls are two different things entirely. A hardware firewall basically lets anything out, but filters incoming traffic to just what was requested. A software firewall will explicitly ask permission for anything to leave. Which is why I don't really feel a software firewall is needed on a dedicated server if run properly.
I think that a duallie would probably be a bit much for a dedicated Linux based firewall. It can't hurt, but it is sort of a waste of a good server. And I don't really like the idea of my "dedicated" firewall box doing anything else, thus the term dedicated. The more applications and services you have running the greater the possibility of an exploit. If all that is running is a hardened Linux skeleton then it takes real brains and determination to break in.
>HyperlogiK<
10-07-05, 05:09 AM
Any suggestion for a software firewall? I'm thinking to run a dual P2 linux box as firewall, is that more safe? Thanks
Just smack smoothwall on an old Pentium 1 rather than wasting a P2 dually. You could probably dig up an old baby AT P1 box for next to nothing and use the P2 as something more useful and servery.
A hardware firewall basically lets anything out, but filters incoming traffic to just what was requested.
That's far from true. You can block outgoing traffic on most hardware firewalls. I had a Watchguard box set up to block all outgoing traffic besides HTTP for our DHCP assigned range at a previous job of mine. You just have to configure rules.
Depends on the firewall really. I was just saying that at the most basic level a hardware firewall will block unsolicited incoming requests by default. Just as at the most basic level a software firewall will just block outgoing traffic that hasn't been explicitly allowed. Sure if you have the right software or hardware and the knowledge the lines can get very blurry.
klingens
10-07-05, 06:33 PM
Stealth ports are required for Shields Up! to pass! If the ports weren't stealthed, then it's likely that an application ends up getting exploited.
can you tell me what a "stealthed" port is?
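The two ideas argued over above, a dedicated firewall box that only lets in replies to connections the inside started while egress rules restrict what a DHCP client range may send out, and "stealthed" versus merely closed ports, both come down to a handful of iptables rules. The script below is an added example and is not from this thread or from Smoothwall; it emits the ruleset as text so it can be reviewed before being applied. Interface names (eth0 inside, eth1 outside), the 192.168.1.128/25 client pool and the MODE variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables ruleset for a dedicated
# two-NIC Linux firewall so the rules can be read as text before being applied.
# Interface names and the address range below are assumptions.
LAN_IF="${LAN_IF:-eth0}"                      # assumed: inside interface
WAN_IF="${WAN_IF:-eth1}"                      # assumed: outside interface
DHCP_RANGE="${DHCP_RANGE:-192.168.1.128/25}"  # constructed: DHCP client pool
MODE="${MODE:-stealth}"                       # stealth or closed (see below)

# How unsolicited packets arriving on the outside interface are answered.
#   stealth : DROP, no reply at all; a scanner cannot tell a host is there
#   closed  : REJECT with TCP RST / ICMP unreachable, like a host with no listener
unsolicited_inbound_rule() {
    case "$1" in
        stealth) echo "iptables -A INPUT -i $WAN_IF -j DROP" ;;
        closed)  echo "iptables -A INPUT -i $WAN_IF -p tcp -j REJECT --reject-with tcp-reset"
                 echo "iptables -A INPUT -i $WAN_IF -j REJECT --reject-with icmp-port-unreachable" ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Full ruleset: default-deny inbound, stateful return traffic, per-range egress.
gen_rules() {
    mode="${1:-stealth}"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# management of the firewall itself only from the LAN side
iptables -A INPUT -i $LAN_IF -j ACCEPT
# replies to connections the inside started: the only traffic allowed back in
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# egress filter: DHCP clients may only start HTTP (plus the DNS it needs); log the rest
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $DHCP_RANGE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $DHCP_RANGE -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $DHCP_RANGE -j LOG --log-prefix "egress-denied: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $DHCP_RANGE -j DROP
# statically addressed hosts (servers) may start any outbound connection
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
    unsolicited_inbound_rule "$mode"
}

# Print the rules by default; apply them only when asked (requires root).
if [ "${1:-}" = "--apply" ]; then
    gen_rules "$MODE" | sh
else
    gen_rules "$MODE"
fi
```

Run it with no arguments to review the rules, `MODE=closed ./fw.sh` to see the REJECT variant, and `./fw.sh --apply` on the firewall box to load them. The ESTABLISHED,RELATED rules are what make the box "let in only what was requested"; the DHCP-range FORWARD rules are the egress filtering the Watchguard post describes, with a LOG rule so denied attempts show up in syslog; and the difference between a stealthed and a closed port is only the final DROP versus REJECT.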