gemcneill Posted October 20, 2008
Just wondering what firewalls everyone is using for Windows 2003. Are people just running wide open, using the built-in firewall, or using a different one? Also, if any of you could be so kind, please list all the port exceptions you are making with the firewalls. Thanks in advance.
studeggle Posted October 20, 2008
Cisco hardware firewalls, different ones at different sites but always the ASA models. I prefer separate hardware for security; that way I don't tie up machine resources, and if I have a particularly pesky IP, one ban takes care of it instead of having to add the ban on 10 or so machines.
ECF Posted October 20, 2008
+1 for hardware firewalls! They work the best!
rich835 Posted October 20, 2008
Maintaining the rulebase on a HW firewall surely is not practical in this environment. Manually creating a rule to allow a port through each time you install/uninstall a customer game server?
KingJ Posted October 20, 2008
The only problem with hardware firewalls is cost. Under Windows, however, you can use the built-in firewall for opening ports and IPsec policies to block IP addresses. Linux users should be familiar with iptables.
studeggle Posted October 20, 2008
Quoting rich835: "Maintaining the rulebase on a HW firewall surely is not practical in this environment. Manually creating a rule to allow a port through each time you install/uninstall a customer game server?"
Not really, you should have a plan for the games (and hence the ports) that will be installed on each machine. It poses limited risk to have a few ports per machine open for game use, even when they are not actively in use. Add to this, it is possible, at least with the Cisco ASA firewalls, to script rule adjustments, just like you do for Windows firewalls. Yes, cost is a consideration. For the company on a tight budget I would suggest looking into setting up a Linux machine as a firewall (doesn't require much of a machine); this can be done and is close to as effective as an actual hardware firewall. Personally I would NEVER trust Windows Firewall to keep my machines secure!
HIS-MOTHER Posted October 21, 2008
Harden a Windows box properly and no firewall is necessary. Takes all of 30-50 minutes to re-image a box and put clients back online should something happen. Breaches come from mismanaged machines, not hackers.
rich835 Posted October 21, 2008
Running without a firewall is way too risky, no matter how hardened the box is. We had a situation where our AV checker had an exploit a year ago via an open port, and this allowed a malicious person to cause problems on the box. No amount of hardening would've stopped that, but if the port was blocked it would have. Follow this knowledgebase article and use the built-in Windows Firewall: https://esupport.tcadmin.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=21&nav=0,3
We've modified ours slightly though, to unblock/block the port only, rather than the exe:
Install Script:
netsh firewall add portopening UDP %serverport% %serverip%_%serverport% ENABLE
Uninstall Script:
netsh firewall del portopening UDP %serverport%
With our testing, we discovered that UDP was adequate for most games, but some required TCP. Then you're fully automated and it hasn't cost a bean. Hope this helps.
gemcneill Posted October 21, 2008 (Author)
Thanks Rich835 for the info, as well as the other posters. Since I have 1U setups I can't just add a hardware firewall to the boxes I have. I would love to, but that will have to wait until I get big enough to have cabinets. As for these settings, as I understand what you have posted, you are blocking all traffic on the Windows firewall, and when a game is installed an exception is made at that time. When the game server is deleted it removes the exception. How would one go about doing this with game servers that already exist? I guess you could just create the script, enable the firewall to block all traffic but TCAdmin and Remote Desktop, and then somehow run a mass script making the exceptions? Also, does the Windows firewall add much load to your server?
EDIT: Also HIS-MOTHER, on hardening a box, is this really possible on a Windows box? I know you can strip down a lot of things that you don't need (i.e. services and such), but do you have a method that you use from personal experience, or is there a guide somewhere to make sure I cross my i's and dot my t's so I don't miss anything?
George
rich835 Posted October 21, 2008
Well, we manually added the exceptions on our existing game servers before we implemented the scripts. At the time we only had about 40 or so to do, so it wasn't too bad. If you make sure you set the Name for each rule as the TC script would've done it, then they will get removed when the game server is deleted, no problem. You will also need to add the following rule exceptions:
Port 21 TCP for the FTP Service
Port 80 TCP on your Master Server for web access to TCAdmin
All the following ports on all Masters and Remotes, which TCAdmin seems to need:
8888 (for the Monitor)
81, 82, 83, 84, 85
Also consider anything you might be using for Remote Desktop access, depending on your solution. This may require an open port. This link is very handy for giving you some pointers on adding rules in bulk: http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html
Remember also, if you are hosting Teamspeak, then TCAdmin can't run install/uninstall scripts when they are created. In our case, we simply unblocked a range of ports in readiness.
As far as hardening the box goes, if you follow the recommendations produced by running the Microsoft Baseline Security Analyser (google it to download the latest version, I think it's 2.1), then you're pretty much covered. We also block ICMP ping requests to our servers. This doesn't stop game browsers seeing the game servers, but it does mean that people can't ping it directly from a command prompt etc. If the hackers can't ping it then it's less visible, of course. After doing all this, our logs show far fewer FTP connection attempts etc., and we sleep a lot easier. Well worth the effort in my opinion. Running the Windows Firewall adds no noticeable load to the servers. For real peace of mind, you might be able to get a friendly security company to run a Nessus scan on your boxes for you. This will highlight anything untoward.
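An added example, not TCAdmin's script or rich835's own: a batch file for the bulk step gemcneill asked about, which turns the firewall on in block-everything mode, opens the TCAdmin, FTP and Remote Desktop exceptions listed above, disables inbound ICMP echo, and then adds (or, with the argument "del", removes) one port exception per existing game server using the same ip_port rule name the TCAdmin install script uses. The server list and its IPs/ports are constructed sample data; the protocol column reflects the note that most games needed UDP but some needed TCP.

```batch
@echo off
rem Added example (not part of TCAdmin): bulk firewall exceptions for
rem game servers that already exist. Run once per box as Administrator:
rem   bulk-firewall.cmd        -> add the exceptions
rem   bulk-firewall.cmd del    -> remove the per-server exceptions again
set ACTION=%1
if "%ACTION%"=="" set ACTION=add

rem Turn the firewall on and keep only the listed exceptions
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem Keep management reachable before anything else is blocked
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE
netsh firewall add portopening TCP 21 TCAdmin_FTP ENABLE
rem Port 80 is only needed on the Master (web access to TCAdmin)
netsh firewall add portopening TCP 80 TCAdmin_Web ENABLE
rem Ports TCAdmin needs on every Master and Remote (8888 is the Monitor)
for %%P in (8888 81 82 83 84 85) do (
    netsh firewall add portopening TCP %%P TCAdmin_%%P ENABLE
)

rem Drop inbound ICMP echo requests (type 8) so the box does not answer ping
netsh firewall set icmpsetting type=8 mode=DISABLE

rem Existing game servers: "ip port protocol" per entry. This list is
rem constructed sample data; replace it with your real servers.
rem The rule name ip_port matches what the TCAdmin install script creates,
rem so the uninstall script's "del portopening <proto> <port>" removes it.
for %%S in ("10.0.0.5 27015 UDP" "10.0.0.5 27016 UDP" "10.0.0.6 28960 TCP") do (
    for /f "tokens=1,2,3" %%a in (%%S) do (
        if /i "%ACTION%"=="add" (
            netsh firewall add portopening %%c %%b %%a_%%b ENABLE
        ) else (
            netsh firewall delete portopening %%c %%b
        )
    )
)

rem Show the resulting exception list so it can be checked against TCAdmin
netsh firewall show portopening
```

The closing show command is the check: every game server port should appear exactly once, and nothing else beyond the management ports above should be listed.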
Johnny5_Hull Posted March 7, 2009
Cisco 5510s here, in addition to Windows firewalls on the servers themselves... well, the Windows ones anyway.