IPSec Firewall/ Windows 2000 Server
20 years 7 months ago #3226
by technosavvy
IPSec Firewall/ Windows 2000 Server was created by technosavvy
After visiting this site 1 time, it became my homepage!
My home network is behind a Sony NAT Router. I am trying to lock down my server in preparation for web hosting. Is the IPSec firewall that I can configure through MMC good enough? I want more flexibility, by being able to punch through the wall when I need to and turn off all else when they are not in use. I don't want a personal firewall always running in memory plus I want to learn more about Windows Server.
Here is the article that I found, any help would be appreciated!
homepages.wmich.edu/~mchugha/w2kfirewall.htm
20 years 7 months ago #3231
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: IPSec Firewall/ Windows 2000 Server
If it's flexibility that you want then this is not a good solution, you'd be better off doing your filtering at the router (if it allows this) or putting up a proper firewall. If you insist on using a Microsoft product then you should try using ISA server
www.microsoft.com/isaserver/
Which is supposed to be very flexible and easy to set up.
One thing you should understand is that either way it will run in memory.. even Windows' built-in firewall systems use memory.. you can't run a service or program without using memory.
Personal firewalls have matured quite a bit, allowing you to write your own custom rules etc, and they don't have such a large memory footprint.. right now Zonealarm on my machine is using a mere 2MB RAM..
If you have the money for a cheap little box that you can put just behind your router then think of using Smoothwall ( www.smoothwall.org ) it's a snap to set up, can run on a lower end machine, runs a stripped down kernel, and does nothing other than firewall.. which is what you should ideally do if you're thinking about providing some public service such as web hosting.
Two reasons for that:
a. Any firewall built on top of Windows automatically inherits all the vulnerabilities present in the base o/s, running Smoothwall on a totally stripped Linux kernel nullifies that problem.
b. You don't want to load down the machine that is providing hosting services by making it do the filtering itself. For performance issues it would be much better to try and get the router to do it, or have a dedicated box that does the firewalling -- this is the best practice way of doing things.
Cheers
20 years 7 months ago #3235
by technosavvy
Replied by technosavvy on topic Re: IPSec Firewall/ Windows 2000 Server
Thanks Sahirh. I have thought about running Smoothwall. I think you made very good points for using it. I guess I just wanted something that would help me understand what services use what ports and to just get a better hands on in prep for MCSE exams. My router supports port forwarding but not filtering.
As a precaution, would it be wise to forward ports that well known viruses use to a bogus ip address? I am trying to understand port forwarding. Will that help, if it is even possible?
20 years 7 months ago #3236
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: IPSec Firewall/ Windows 2000 Server
technosavvy.. port forwarding is not meant for what you were suggesting.. and that's not really a good idea.. it doesn't really make sense to try and forward let's say port 139 requests to some bogus IP.. you'll just give your router more work to do..
just filter the ports using a firewall.. I recommend ISA server for you since you're interested in Microsoft products.. it's been a while since I looked at MCSE Curriculum, but I don't think that firewall configuration is in any of the exams is it?
20 years 7 months ago #3237
by Cheetah
Kind Regards,
Cheetah
The outcome of devotion is, quality!
Replied by Cheetah on topic Re: IPSec Firewall/ Windows 2000 Server
Hi
If you are not strict on M$ then consider using Coyote Linux. Nice & easy to set up, and nothing much to strip down further on that
Regards
Cheetah
20 years 7 months ago #3238
by Neon
Replied by Neon on topic Re: IPSec Firewall/ Windows 2000 Server
I agree with Cheetah, go Coyote,
Hum that’s strange that your router does not come with filtering, but if you don’t mind spending some $$ you should get a stand alone firewall product. I have no idea what your price range is but there are some pretty good products for a reasonable price.
But if it comes down to the cheapest solution, you should just do what Cheetah said, get an old machine and use Coyote Linux. Since I'm sure a lot of us have used it, we will be very helpful if you have trouble using it.