
Firewall settings


gemcneill


Just wondering what firewalls everyone is using for Windows 2003. Are people just running wide open, using the built-in firewall, or using a different one? Also, if any of you could be so kind, please list all the port exceptions you are making with the firewalls. Thanks in advance.


Cisco hardware firewalls, different ones at different sites but always the ASA models. I prefer separate hardware for security; that way I don't tie up machine resources, and if I have a particularly pesky IP one ban takes care of it instead of having to add the ban on 10 or so machines.


Maintaining the rulebase on a HW firewall surely is not practical in this environment.

Manually creating a rule to allow a port through each time you install/uninstall a customer game server?

 

Not really; you should have a plan for the games (and hence the ports) that will be installed on each machine. It poses limited risk to have a few ports per machine open for game use, even when they are not actively in use.

 

Add to this, it is possible, at least with the Cisco ASA firewalls, to script rule adjustments, just like you do for Windows firewalls.

 

Yes, cost is a consideration. For the company on a tight budget I would suggest looking into setting up a Linux machine as a firewall (it doesn't require much of a machine); this can be done and is close to as effective as an actual hardware firewall.

Personally I would NEVER trust the Windows firewall to keep my machines secure!


Running without a firewall is way too risky, no matter how hardened the box is.

We had a situation where our AV checker had an exploit a year ago via an open port, and this allowed a malicious person to cause problems on the box.

 

No amount of hardening would've stopped that, but if the port was blocked it would have.

 

Follow this knowledgebase article and use the built-in Windows Firewall:

https://esupport.tcadmin.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=21&nav=0,3

 

We've modified ours slightly though, to unblock/block the port only, rather than the exe:

 

Install Script:

rem positional arguments: protocol, port, rule name, mode (%serverport% and %serverip% are filled in by TCAdmin when the script runs)
netsh firewall add portopening UDP %serverport% %serverip%_%serverport% ENABLE

 

Uninstall Script:

rem removes the opening by protocol and port ("del" is accepted by netsh as an abbreviation of "delete")
netsh firewall delete portopening UDP %serverport%

 

With our testing, we discovered that UDP was adequate for most games, but some required TCP.

 

Then you're fully automated and it hasn't cost a bean.

Hope this helps :)


Thanks Rich835 for the info, as well as the other posters. Since I have 1U setups I can't just add a hardware firewall to the boxes I have. I would love to, but that will have to wait until I get big enough to have cabinets. As for these settings, as I understand what you have posted, you are blocking all traffic on the Windows firewall and when a game is installed an exception is made at that time. When the game server is deleted it removes the exception. How would one go about doing this with game servers that already exist? I guess you could just create the script, enable the firewall to block all traffic but TCAdmin and Remote Desktop, and then somehow run a mass script making the exceptions? Also, does the Windows firewall add much load to your server?

 

***EDIT***

 

Also HIS-MOTHER, on hardening a box: is this really possible on a Windows box? I know you can strip down a lot of things that you don't need (i.e. services and such), but do you have a method that you use from personal experience, or is there a guide somewhere to make sure I cross my i's and dot my t's so I don't miss anything?

 


George


Well, we manually added the exceptions on our existing game servers before we implemented the scripts. At the time we only had about 40 or so to do, so it wasn't too bad. If you make sure you set the Name for each rule as the TC script would've done it, then they will get removed when the game server is deleted, no problem.

 

You will also need to add the following rule exceptions:

Port 21 TCP for the FTP Service

Port 80 TCP on your Master Server for web access to TCAdmin

All the following Ports on all Masters and Remotes, which TCAdmin seems to need:

8888 (for the Monitor)

81,82,83,84,85

 

Also consider anything you might be using for Remote Desktop Access depending on your solution. This may require an open port.

 

This link is very handy for giving you some pointers on adding rules in bulk:

http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html

 

Remember also, if you are hosting Teamspeak, then TCAdmin can't run install/uninstall scripts when they are created. In our case, we simply unblocked a range of ports in readiness.

 

As far as hardening the box goes, if you follow the recommendations produced by running the Microsoft Baseline Security Analyzer (google it to download the latest version, I think it's 2.1), then you're pretty much covered.

 

We also block ICMP Ping requests to our Servers. This doesn't stop game browsers seeing the game servers, but it does mean that people can't ping it directly from a command prompt etc. If the hackers can't ping it then it's less visible of course.

 

After doing all this, our logs show far fewer FTP connection attempts etc., and we sleep a lot easier.

Well worth the effort in my opinion.

 

Running the Windows Firewall adds no noticeable load to the Servers.

 

For real peace of mind, you might be able to get a friendly security company to run a Nessus scan on your boxes for you. This will highlight anything untoward.

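As an added example (not code from the thread, the TCAdmin knowledgebase, or TCAdmin itself), here is the one-time setup Rich835 describes across his two posts, written as a single batch file in the same netsh firewall syntax as the posted install/uninstall scripts: turn the Windows 2003 firewall on with exceptions enabled, drop inbound ping, open the TCAdmin service ports, limit Remote Desktop to an admin subnet, and bulk-add openings for game servers that already exist so they match the install script's naming. The master hostname TCMASTER, the admin subnet 192.0.2.0/24, and the three-line server list are assumptions constructed for the example; the rule name follows the posted %serverip%_%serverport% convention.

```batch
@echo off
rem Added example, not part of the thread or of TCAdmin.
rem One-time Windows 2003 firewall setup for a TCAdmin remote/master.
rem Hostname, subnet and server list below are assumptions; adjust them.

rem 1. Firewall on, with exceptions allowed. With exceptions=DISABLE every
rem    port opening below is ignored and TCAdmin itself is locked out.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 2. Drop inbound ICMP echo requests (type 8), as in the post.
netsh firewall set icmpsetting type=8 mode=DISABLE

rem 3. Ports the post lists for TCAdmin on every master and remote:
rem    21 (FTP), 8888 (monitor), 81-85.
for %%p in (21 8888 81 82 83 84 85) do (
    netsh firewall add portopening protocol=TCP port=%%p name="TCAdmin %%p" mode=ENABLE
)

rem    Port 80 only on the master (assumed hostname TCMASTER).
if /i "%COMPUTERNAME%"=="TCMASTER" (
    netsh firewall add portopening protocol=TCP port=80 name="TCAdmin Web" mode=ENABLE
)

rem 4. Remote Desktop, but only from the admin network (assumed 192.0.2.0/24)
rem    rather than from the whole internet.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=192.0.2.0/24

rem 5. Game servers that existed before the scripts: constructed list,
rem    one per line as ip,port,protocol. The rule name %serverip%_%serverport%
rem    is the same one the posted install script would have produced.
> existing_servers.csv (
    echo 203.0.113.10,27015,UDP
    echo 203.0.113.10,27016,UDP
    echo 203.0.113.11,7777,TCP
)
for /f "tokens=1-3 delims=," %%a in (existing_servers.csv) do (
    netsh firewall add portopening protocol=%%c port=%%b name=%%a_%%b mode=ENABLE
)

rem 6. Check what actually got applied before logging off.
netsh firewall show opmode
netsh firewall show icmpsetting
netsh firewall show portopening
```

Run it once per box from an administrative command prompt and read the three show commands at the end: the opmode output should say the firewall is enabled with exceptions allowed, the ICMP output should show type 8 disabled, and every opening you expect should appear with the name and scope you gave it. The netsh firewall context is the Windows XP/2003 one; Windows Server 2008 and later replace it with netsh advfirewall, so the same steps need different syntax there.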
