[SASAG] Windows Servers firewall question

Jeff Silverman jeffsilverm at gmail.com
Thu Apr 9 23:31:38 PDT 2009

Lap Huynh wrote:
> At my previous company we disabled Windows firewall on our servers. 
> However, at my current company we turn on Windows Firewall. My opinion 
> is that we don't need to turn on Windows Firewall if we already have 
> hardware firewall. Of course, reading on Microsoft technet it says we 
> should turn on Windows Firewall even with hardware firewall. Does 
> Cisco or any other vendor suggest turning off that feature?
> Thanks,
A firewall is good for things that firewalls are good for.  If you have 
services with public IP addresses that are listening on tcp port 135, 
then you are vulnerable to attack.  A firewall will protect those ports 
from attack.  A good firewall will also do network address translation, 
so that you can set up your computers with RFC 1918 private IP 
addresses.  The Windows firewall will only protect the computer it is 
running on, so your other machines are still vulnerable.  And you can't 
use RFC 1918 private IP addresses with Windows Firewall unless you have 
some other Network Address Translator between the server and the internet.

Now, a firewall will stop things from attacking tcp port 135 (if you 
program it to), but it will not stop things from attacking tcp port 80, 
which is what your webserver is listening to.  If some bad guy sends you 
a malformed HTTP query that crashes your server, the firewall will pass 
it.  So your firewall is important but not complete - you have to make 
sure that your applications are hardened and that your operating system 
is hardened.

F5 Networks makes no official recommendation about Windows Firewall, but 
those of us who work with the Local Traffic Manager (LTM) sneer at it.  
A waste of CPU cycles.  We also make an add-on, called the Application 
Security Module (ASM), which *will* protect you from malformed HTTP queries.

Jeff Silverman
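The defense-in-depth point made above (a host firewall only covers its own machine, and nothing at the network layer inspects what arrives on port 80) can be put into configuration. The following is an added example, not code from the thread or from any vendor: it keeps Windows Firewall enabled, scopes TCP 135 to an RFC 1918 management network, and leaves TCP 80 open. It assumes Windows Server 2012 or later (the NetSecurity cmdlets); the subnet 10.20.0.0/16 is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the NetSecurity
# module (Windows Server 2012+). 10.20.0.0/16 is a placeholder for the
# RFC 1918 management network; substitute your own.
$MgmtNet = '10.20.0.0/16'

# Keep the host firewall on for every profile and block inbound by default,
# rather than disabling it because a perimeter firewall already exists.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block

# RPC endpoint mapper (TCP 135): reachable only from the management network,
# so a public-facing interface never exposes it even if the edge rule slips.
New-NetFirewallRule -DisplayName 'RPC endpoint mapper (mgmt only)' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $MgmtNet -Action Allow

# HTTP (TCP 80): open to any source. Neither this rule nor the hardware
# firewall inspects the request body, so this port is protected only by
# web server and OS hardening (or an application-layer device in front).
New-NetFirewallRule -DisplayName 'HTTP (public)' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow

# Verification: list every enabled inbound allow rule with its port and
# remote-address scope, so an unscoped 135 (RemoteAddress = Any) stands out.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port; From = $addr }
    } | Format-Table -AutoSize
```

On servers of the 2009 vintage the same rule is written with `netsh advfirewall firewall add rule name="RPC endpoint mapper (mgmt only)" dir=in action=allow protocol=TCP localport=135 remoteip=10.20.0.0/16`.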
