Fog Creek Software
Discussion Board




Single Server Security in Colocation

Let me preface this question with the admission that I am being cheap. 

I have a single server that I am about to deploy in a collocation facility.  I am trying to avoid paying for their PIX firewall, (@$75.00 a month.)  Is there a software firewall that is robust enough that can sit on the same server as the Web/SQL/Application server that it would need to protect.  I have changed all the default ports, but that alone isn’t enough.

I’ll pay the $75, if there is not another viable alternative, but welcome any suggestions.

anon b/c i am admitting i have a security hole.
Saturday, January 31, 2004

ipchains/iptables under Linux.

ipf under *BSD.

Dunno about Windows. Perhaps ZoneAlarm? You didn't specify the platform.

Actually (this might seem a bit harsh, but that is not my intention - just a statment based on my experience), your biggest security hole is your apparant lack of security knowledge, not necessarily your lack of a firewall.

Wayne Earl
Saturday, January 31, 2004

Is a windows box.  I can lock down the box pretty easily with a pix, my weakness is not knowledge, but cash, or the desire to preserve what revenue I am generating.

anon b/c i am admitting i have a security hole.
Saturday, January 31, 2004

Windows 2000 servers have something called Routing and Remote Access. If you turn it on you can set up input filters which are basically like a packet filter, not quite a firewall.

Joel Spolsky (Fog Creek Software)
Saturday, January 31, 2004

ipcop.org

christopher baus (www.baus.net)
Saturday, January 31, 2004

So again.  Windows costs more, not less.

Thought du jour.
Saturday, January 31, 2004

Why don't you pay somebody a one-time fee to harden your box for you, or show you how?

suggestion
Saturday, January 31, 2004

On Windows 2000 and later, if you know what you're doing, you can use IPsec to lock things down. That's what we've done (as part of defense in depth that includes an actual hardware firewall, by the way), and it works splendidly.

Brad Wilson (dotnetguy.techieswithcats.com)
Saturday, January 31, 2004

This is just my observation, but if a cohost isn't particular about having you bring in a few mini routers to a dual server operation (I know, your question is about a single server operation), you might consider bringing in a mini-firewall too. They go for around the USD$500 price point coming from professional firewall companies and USD$20 from LinkSys and are just a little bit bigger than those mini 5 port routers. I am sure there is a difference in throughput and quality somewhere worth observing but for now that's for you to research.

Li-fan Chen
Sunday, February 01, 2004

Brad, I know you qualified your IPSec recommendation with mentioning that it's behind a hardware firewall. I just want to point out that IPSec do little or nothing for regular services fronting on the NIC card for public services like port 80 and friends. What comes with Windows 2000 is stateless TCP/UDP port blocking if I remember correctly, and they may or may not kick into operation early enough (before services are bound) in the boot up sequency (someone correct me if I am wrong on this). IPSec WILL do wonders for remote authorized personnels running LTP+IPSec who needs secure tunneling to all authorized services. With or without IPSec, a real firewall of some sort is still critical.

Li-fan Chen
Sunday, February 01, 2004

<P>You'll have to know what you are getting into paying for the $75 security tax. Is the PIX firewall shared or dedicated to protecting your NIC card?

<P>Will they put in the time to upgrade all firewalls with patches? Maybe $75 is a great deal if you are too lazy to patch your firewalls? Do you prefer to read hours of documentations to understand a new exploit that's flooding your server RIGHT NOW or call them up knowing they are familiar with adding that one IOS command that will just plug it?

<P>Not often asked: A dedicated firewall? The custom ASICs/fabrics firewalls depend on have thru-put limits, figure out if they promise to out do what you can pump out via web protocols or receive via mail protocols (and secured ftp and ipsec). Did they get enough firewall oomph to do anything for your busy servers?

Li-fan Chen
Sunday, February 01, 2004

"I just want to point out that IPSec do little or nothing for regular services fronting on the NIC card for public services like port 80 and friends."

Sorry, that's not true. IPsec is layers below any service, an integrated part of the IP stack.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, February 01, 2004

A firewall? Fair enough.

Windows already has port filtering built in if that's what you want. But no firewall is going to protect you if you're using IIS for example with 100000 holes in it.

Don't trust a firewall for security, it's a step, a feature, and not even a great one. I like to put out boxes which I have to secure, and no rely on some firewall.

For example, make mssql listen on 127.0.0.1 only, and let your app connect to that. Make sure you stay up to date with anything that is open, get on announce lists for everything that is open.

I've seen so many people piss away so much money on retarded things like firewalls, and still run a default out of the box IIS 4 webserver.

fw
Sunday, February 01, 2004

What type of performance hit, if any, is there on TCP/IP filtering? 


Sunday, February 01, 2004

I recently set a Win2K3 box up as a colo. I didn't want to fork out for the extra either so I'm just using the basic port protection that comes with 2003. Plus of course simple things like setting a SQL Server SA password!

I've only got the absolute minimum of ports open, but this includes VPN so that I can use Remote Admin over that.

The server is not a life or death thing for me right now so I'm happy to see it get hacked. At least I can learn from that so that when I do put important stuff on it it'll be better protected.

Anyone on this list who wants to can 'have a go' at it: 80.82.141.141. But please leave a calling card rather than trashing it!

Gwyn
Sunday, February 01, 2004

Nice, Bring it on Mentality.  Security is just insurance, you get what you pay for and common sense goes a long way.


Sunday, February 01, 2004

I've used SecurIIS (by eEye, I think) that only lets URLS with certain patterns make it through to the IIS server.  This limits buffer overflow attacks like Code Red.

Rich
Sunday, February 01, 2004

Brad Wilson, you the bomb. I stand corrected.

Li-fan Chen
Saturday, February 07, 2004

*  Recent Topics

*  Fog Creek Home