[SASAG] Windows Servers firewall question
jeffsilverm at gmail.com
Thu Apr 9 23:31:38 PDT 2009
Lap Huynh wrote:
> At my previous company we disabled Windows Firewall on our servers.
> However, at my current company we turn on Windows Firewall. My opinion
> is that we don't need to turn on Windows Firewall if we already have
> a hardware firewall. Of course, reading on Microsoft TechNet it says we
> should turn on Windows Firewall even with a hardware firewall. Does
> Cisco or any other vendor suggest turning off that feature?

A firewall is good for things that firewalls are good for. If you have
services with public IP addresses that are listening on TCP port 135,
then you are vulnerable to attack. A firewall will protect those ports
from attack. A good firewall will also do network address translation,
so that you can set up your computers with RFC 1918 private IP
addresses. The Windows Firewall will only protect the computer it is
running on, so your other machines are still vulnerable. And you can't
use RFC 1918 private IP addresses with Windows Firewall unless you have
some other Network Address Translator between the server and the internet.

Now, a firewall will stop things from attacking TCP port 135 (if you
program it to), but it will not stop things from attacking TCP port 80,
which is what your web server is listening to. If some bad guy sends you
a malformed HTTP query that crashes your server, the firewall will pass
it. So your firewall is important but not complete - you have to make
sure that your applications are hardened and that your operating system

F5 Networks makes no official recommendation about Windows Firewall, but
those of us who work with the Local Traffic Manager (LTM) sneer at it.
A waste of CPU cycles. We also make an add-on, called the Application
Security Module (ASM), which *will* protect you from malformed HTTP queries.
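
Added example, not part of the original post: a short audit of Windows `netstat -an` output that separates the listeners a port filter can simply block (such as TCP 135) from the ones that must stay reachable (such as TCP 80) and so depend on application hardening, and that shows how the result changes when the host has only RFC 1918 addresses. The function names, the sample netstat text and the interface addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as referenced in the post.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(addr):
    """True if addr is neither loopback nor inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or any(ip in net for net in RFC1918))

def parse_listeners(netstat_text):
    """Yield (local_ip, port) for each IPv4 TCP LISTENING row of `netstat -an`."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            if host.startswith("["):
                continue  # IPv6 rows are out of scope for this IPv4 check
            yield host, int(port)

def audit(netstat_text, interface_addrs, published_ports):
    """Classify each listener by exposure and by what a port filter can do."""
    findings = {}
    for host, port in parse_listeners(netstat_text):
        # A wildcard bind listens on every interface address of the host.
        bound = interface_addrs if host == "0.0.0.0" else [host]
        if not any(is_public(a) for a in bound):
            verdict = "private-only"
        elif port in published_ports:
            verdict = "public, must stay open: harden the application"
        else:
            verdict = "public, not published: block at the firewall"
        findings[(host, port)] = verdict
    return findings

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.10.5:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
  TCP    203.0.113.10:3389      198.51.100.7:50211     ESTABLISHED
"""
SAMPLE_INTERFACES = ["203.0.113.10", "192.168.10.5"]

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_NETSTAT, SAMPLE_INTERFACES, {80}).items():
        print(key, verdict)
```
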