Single Server Security in Colocation

Let me preface this question with the admission that I am being cheap.
anon b/c I am admitting I have a security hole.
ipchains/iptables under Linux.
Wayne Earl
It is a Windows box. I can lock down the box pretty easily with a PIX; my weakness is not knowledge but cash, or the desire to preserve what revenue I am generating.
anon b/c I am admitting I have a security hole.
Windows 2000 servers have something called Routing and Remote Access. If you turn it on you can set up input filters which are basically like a packet filter, not quite a firewall.
Joel Spolsky (Fog Creek Software)
ipcop.org
christopher baus (www.baus.net)
So again. Windows costs more, not less.
Thought du jour.
Why don't you pay somebody a one-time fee to harden your box for you, or show you how?
suggestion
On Windows 2000 and later, if you know what you're doing, you can use IPsec to lock things down. That's what we've done (as part of defense in depth that includes an actual hardware firewall, by the way), and it works splendidly.
Brad Wilson (dotnetguy.techieswithcats.com)
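As an added example (not Brad's configuration and not code from the original thread), here is the "IPsec as a default-deny packet filter" lockdown his post refers to, written as a Windows Server 2003 batch file using the netsh ipsec static context. Windows 2000 does not have that netsh context; the same policy is built there with ipsecpol.exe from the Resource Kit. The policy name, the admin workstation address 203.0.113.10 and the DNS server 198.51.100.53 are assumptions for illustration.

```batch
@echo off
REM Added example, not the poster's configuration: a default-deny IPsec filter policy.
REM Requires "netsh ipsec static" (Windows Server 2003); Windows 2000 uses ipsecpol.exe.
REM Assumed values for illustration: admin workstation 203.0.113.10, DNS server 198.51.100.53.

set POLICY=ColoLockdown
set ADMIN_IP=203.0.113.10
set DNS_IP=198.51.100.53

REM 1. Filter lists describe what each rule matches. "me" means this host's own addresses.
REM    mirrored=yes adds the reverse filter, so replies to permitted inbound traffic pass.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes

netsh ipsec static add filterlist name="Public Web"
netsh ipsec static add filter filterlist="Public Web" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Public Web" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

netsh ipsec static add filterlist name="Admin RDP"
netsh ipsec static add filter filterlist="Admin RDP" srcaddr=%ADMIN_IP% srcmask=255.255.255.255 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

REM The catch-all above is mirrored, so it also blocks traffic the server originates.
REM Anything the box must reach out to (here: its DNS server) needs its own permit.
netsh ipsec static add filterlist name="Outbound DNS"
netsh ipsec static add filter filterlist="Outbound DNS" srcaddr=me dstaddr=%DNS_IP% dstmask=255.255.255.255 protocol=UDP srcport=0 dstport=53 mirrored=yes

REM 2. Filter actions: plain permit and block. Neither negotiates a security association,
REM    so this is pure packet filtering; no IPsec encryption or authentication is involved.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

REM 3. Policy and rules. Windows applies the most specific matching filter, so the
REM    narrow permits override the catch-all block regardless of the order rules are added.
netsh ipsec static add policy name=%POLICY% description="Default-deny packet filter for a colo web server" assign=no
netsh ipsec static add rule name="Block Everything" policy=%POLICY% filterlist="All Traffic" filteraction="Block"
netsh ipsec static add rule name="Allow Web" policy=%POLICY% filterlist="Public Web" filteraction="Permit"
netsh ipsec static add rule name="Allow Admin RDP" policy=%POLICY% filterlist="Admin RDP" filteraction="Permit"
netsh ipsec static add rule name="Allow DNS" policy=%POLICY% filterlist="Outbound DNS" filteraction="Permit"

REM 4. Review, then assign. Assigning this from an RDP session that does not come from
REM    ADMIN_IP cuts that session off, so verify the address before running the last line.
netsh ipsec static show policy name=%POLICY% level=verbose
netsh ipsec static set policy name=%POLICY% assign=y

REM To back out:  netsh ipsec static set policy name=%POLICY% assign=n
```

Two things to keep in mind when running this. The filters are stateless: a mirrored permit for inbound port 80 lets the server's replies out because they match the reverse filter on source port 80, not because any connection is being tracked, which is why each outbound service the box itself needs (DNS above, NTP, Windows Update, a mail relay) has to be permitted explicitly. And because there is only one physical path onto the box, test the policy with the console session available: the Block Everything rule applies to the RDP session you are typing in unless it matches the Admin RDP permit.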
This is just my observation, but if a cohost isn't particular about having you bring in a few mini routers to a dual server operation (I know, your question is about a single server operation), you might consider bringing in a mini-firewall too. They go for around the USD$500 price point coming from professional firewall companies and USD$20 from LinkSys and are just a little bit bigger than those mini 5 port routers. I am sure there is a difference in throughput and quality somewhere worth observing but for now that's for you to research.
Li-fan Chen
Brad, I know you qualified your IPSec recommendation by mentioning that it's behind a hardware firewall. I just want to point out that IPSec does little or nothing for regular services fronting on the NIC card for public services like port 80 and friends. What comes with Windows 2000 is stateless TCP/UDP port blocking, if I remember correctly, and it may or may not kick into operation early enough (before services are bound) in the boot-up sequence (someone correct me if I am wrong on this). IPSec WILL do wonders for remote authorized personnel running L2TP+IPSec who need secure tunneling to all authorized services. With or without IPSec, a real firewall of some sort is still critical.
Li-fan Chen
You'll have to know what you are getting into paying for the $75 security tax. Is the PIX firewall shared or dedicated to protecting your NIC card?
Li-fan Chen
"I just want to point out that IPSec does little or nothing for regular services fronting on the NIC card for public services like port 80 and friends."
Brad Wilson (dotnetguy.techieswithcats.com)
A firewall? Fair enough.
fw
What type of performance hit, if any, is there on TCP/IP filtering?
I recently set a Win2K3 box up as a colo. I didn't want to fork out for the extra either, so I'm just using the basic port protection that comes with 2003. Plus, of course, simple things like setting a SQL Server SA password!
Gwyn
Nice, bring-it-on mentality. Security is just insurance: you get what you pay for, and common sense goes a long way.
I've used SecurIIS (by eEye, I think), which only lets URLs with certain patterns make it through to the IIS server. This limits buffer overflow attacks like Code Red.
Rich
Brad Wilson, you the bomb. I stand corrected.
Li-fan Chen