Securing your webserver

 
PaulK
Joined: 26 Apr 2006
Posts: 132
Location: London, UK

Posted: Tue Oct 31, 2006 11:14 am    Post subject: Securing your webserver

Hi Guys,

This morning at 6am AWS went down; Zone Alarm Pro suddenly decided that my local network was unknown. For me, this is the last straw with ZA. Every time I reboot, I have to go through pages of clicking saying that the network is trusted, that my applications should be allowed to access the network etc. etc. What a useless product.

So I would like to know what you guys use to protect your own webserver environments.

My current thinking is to use Virtual PC without any kind of firewall and run AWS from there. I back the entire server up every night and at any sign of trouble I can just reload the last good version.

This sounds great to me, but what I am worried about is that there may be an attack happening which doesn't give any sign, and I will think everything is OK. Which leads me back to firewalls: are they a necessary evil? Which is the best?

Thanks for your thoughts
Paul

(PS Zone Alarm killed my server this morning, so sig not working right now)
Mikor
Joined: 21 Aug 2006
Posts: 144
Location: Hull, England

Posted: Tue Oct 31, 2006 12:42 pm

I use Comodo firewall, it's great, although over the first few weeks it needs a bit of clicking to 'learn' what is and isn't allowed.
_________________
Yarrt.com - Free Arcade
RypNet.co.uk - Online Game

MSN:
michael_walker_2004 <at> hotmail <dot> com
olly86
Joined: 25 Apr 2003
Posts: 993
Location: Wiltshire, UK

Posted: Tue Oct 31, 2006 1:27 pm

I use Kerio Personal Firewall, again it needs to "learn" what is and isn't allowed. Although I think it's now Sunbelt Kerio Personal Firewall.
_________________
Olly
hc2995
Joined: 07 Aug 2006
Posts: 644
Location: Maryland, USA

Posted: Tue Oct 31, 2006 1:37 pm

I just use Windows Firewall with exceptions; I've never had any problems :D
_________________
Where have I been? School got hectic, had to move halfway around the state, then back... and then I had to change jobs, so I've been away for a while :P
PaulK
Joined: 26 Apr 2006
Posts: 132
Location: London, UK

Posted: Tue Oct 31, 2006 3:27 pm

So it seems the general consensus is that a firewall is required. No one tried the Virtual PC route.

I think you might be right. I have posted a moan on the Zone Alarm forums.

Paul
Riax
Joined: 31 Oct 2006
Posts: 17

Posted: Wed Nov 01, 2006 2:50 am

I use Sygate Personal Firewall 5.6 as well as McAfee Personal Firewall Plus on my own computer. For my server, I only have McAfee installed, mainly because the new version of McAfee Security Center allows me to control all networked computers' security software remotely from my own desktop, therefore eliminating the need for me to actually be at the server (or other system).

Sygate was acquired by Symantec, who sell the Norton line of security products. The last free version of Sygate is 5.6, which is really a shame; Sygate was (and still is) one of the best software firewalls I've used. If I'm not mistaken, OldVersion has it in their downloads database, but if I'm wrong, you can find it on my fileserver in both *.zip and *.rar formats. :)
PaulK
Joined: 26 Apr 2006
Posts: 132
Location: London, UK

Posted: Wed Nov 01, 2006 10:55 am

Thanks for the tip Riax
Riax
Joined: 31 Oct 2006
Posts: 17

Posted: Wed Nov 01, 2006 10:08 pm

PaulK wrote:
Thanks for the tip Riax

No problem. Having had my own server actually attacked recently, I'm happy to give advice to others so that the same thing doesn't happen to them. ;)
Lawrence
Joined: 16 Jan 2003
Posts: 207
Location: Brisbane, AU

Posted: Thu Nov 02, 2006 12:35 am

I recommend BrazilFW, a single-floppy Linux firewall that runs on any old PC (486 or better, Pentium 1+ preferred) with a floppy drive and two network cards.

It's bombproof, I've been using it for over five years, and no one's ever hacked me through it.

I don't trust Windows-based firewalls, personally. How can you really trust a software firewall that runs on the OS it's trying to protect? If the OS can't protect itself, how can software running on that OS do it? (never mind that it seems to work, I don't trust it!).

Friends of mine also swear by the M0n0 firewall, which I've never used. It'll run on similar hardware but requires a HD or Flash drive.

Even if you have to buy the hardware, you can get two new network cards for $20 and a crappy old HD-less PC for $peanuts. Web-based admin, easy config and setup, windows-based floppy creator... It's like a cheap easy-to-use router.

Which is another option - if you're using a decent router/NAT it's already got a firewall in it, and your Windows firewall is redundant. Forward the ports you need and you're done.
loloyd
Joined: 03 Mar 2006
Posts: 435
Location: Philippines

Posted: Fri Nov 03, 2006 6:47 am

Hi PaulK, I also suggest Sygate Personal Firewall 5.6. It may be aging but it still does what you need it to do and does those things only. Having been a grc.com reader for quite some time, I have been satisfactorily immersed in the amazing world of intrusion detection, exploitation and defense armed with my ever-reliable copy of Sygate Personal Firewall.

At the very least, I've never experienced those symptoms you just described with your experience in ZoneAlarm. There had been lots of third party reviews pitting Sygate against Kerio, ZoneAlarm, Outpost, etc. but I base my choice on personal tests and experiences. In one review as I remember (but forgot what site), Outpost virtually topped every firewall tested but still, I settled on Sygate upon my tests.

Mainly, I like Sygate's resource-friendliness, reliability, fair ease of use and stability. And with my router's NAT, only power loss becomes much of an enemy.

Btw, Riax, I can't access your fileserver.
_________________

http://home.loloyd.com/ is online if the logo graphic at left is showing.
Riax
Joined: 31 Oct 2006
Posts: 17

Posted: Fri Nov 03, 2006 3:53 pm

I've also tried other firewalls, and still Sygate gets my vote as well.

The fileserver has been down a lot recently. I don't actually host it, so if it gets shut down, I can't bring it online again myself. The host tells me it's because there have been a lot of updates for Windows Server 2003, as automatic updates were disabled before the attack for some reason (which happens to be why the attacker was able to get in - through a vulnerability in the server service that was fixed by a security patch). He claims that it's never been shut down, it's just that it reboots a lot (I still don't know if I believe that).
All times are GMT + 1 Hour