Web Hosting Talk
Firewall on Win 2003


N_F_S
10-26-2004, 02:40 PM
Which one do you use? If anyone could point me to a URL with a step-by-step guide on how to set up the Windows firewall on 2003 (the native one, for a start), I would appreciate it.

N_F_S

FHDave
10-26-2004, 02:42 PM
Please don't use a software firewall on Win2003. Learn from our experience these past two weeks :) The software firewall will cripple everything under a moderate DDoS attack. In fact, it caused more problems than the attacks themselves. It brought the whole server to a snail's pace, packet losses, etc. The moderate DDoS attack was even better than having the firewall turned on.

nickn
10-26-2004, 03:11 PM
Firewalls do more than block DDoS. I think a firewall on W2k3 boxes is important for blocking other worms, etc... not attacks.

Daver
10-27-2004, 06:03 AM
Yeah, anyone who thinks a software-based firewall running on the machine will work against a DDoS is not looking at the issue as a whole. Typically, a DDoS attack is not something you want a software-based firewall on the server for (by "on the server" I mean not a dedicated firewall box running Linux, etc.). If anything, in a DDoS attack scenario you are helping your attacker take your services offline.

There are several pluses to software-based firewalls on the server, but then there are also real needs for a hardware firewall as well. Depends on your level of threat...

FHDave
10-27-2004, 11:16 AM
Originally posted by Daver
Yeah, anyone who thinks a software-based firewall running on the machine will work against a DDoS is not looking at the issue as a whole. Typically, a DDoS attack is not something you want a software-based firewall on the server for (by "on the server" I mean not a dedicated firewall box running Linux, etc.).

A dedicated firewall box on FreeBSD/Linux works much better than a dedicated firewall box on a Windows OS. Both are software-based firewalls. The software is not the problem, the OS is.

If anything, in a DDoS attack scenario you are helping your attacker take your services offline.

Easy to say when you may not have experienced what we went through. What happens when the IP target is the shared IP, which is shared by perhaps hundreds of customers/websites? It's not as easy as removing/null-routing one particular customer IP, is it?

There are several pluses to software-based firewalls on the server, but then there are also real needs for a hardware firewall as well. Depends on your level of threat...

Our dedicated firewall running FreeBSD/IPFW was able to handle hundreds of millions of packets during the DDoS period, without even sweating at all. By hardware firewall you must mean something like Cisco PIX, etc. The CPUs on these PIX series are way too low; I wonder how well they can cope with DDoS attacks.

FHDave
10-27-2004, 11:19 AM
Originally posted by nickn
Firewalls do more than block DDoS. I think a firewall on W2k3 boxes is important for blocking other worms, etc... not attacks.

Let's say it a different way. It's very easy to cripple your W2K3 server if you have a firewall installed on it. A medium amount of packets (e.g. thousands of packets per second) sent by worms will easily cripple your server.

Let the W2K3 web server run IIS only. Leave the firewalling to a dedicated machine. You will very much appreciate this setup.
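
The setup described above (a dedicated FreeBSD/IPFW box in front of an IIS-only W2K3 host), written out as an added example rather than a ruleset from this thread; the interface names em0/em1, the web host address 192.0.2.10 and the management address 203.0.113.5 are assumptions.

```shell
#!/bin/sh
# Minimal stateful IPFW ruleset for a dedicated FreeBSD firewall box that routes
# traffic to a W2K3/IIS host behind it. Added illustration, not this thread's own
# ruleset; the interface names and addresses below are assumptions.
IPFW_CMD="${IPFW_CMD:-/sbin/ipfw}"
OUT_IF="${OUT_IF:-em0}"                 # assumed outside (Internet-facing) interface
IN_IF="${IN_IF:-em1}"                   # assumed inside interface toward the IIS host
WEB_IP="${WEB_IP:-192.0.2.10}"          # assumed IIS host address (documentation range)
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"     # assumed management station allowed to use RDP

load_ruleset() {
    # Start from an empty table so every rule is an explicit decision.
    "$IPFW_CMD" -q flush
    # Loopback is fine; 127/8 arriving from the wire is spoofed.
    "$IPFW_CMD" add 100 allow ip from any to any via lo0
    "$IPFW_CMD" add 110 deny ip from 127.0.0.0/8 to any in via "$OUT_IF"
    # Anti-spoofing: our own web address cannot legitimately arrive from outside.
    "$IPFW_CMD" add 120 deny ip from "$WEB_IP" to any in via "$OUT_IF"
    # The router sees each forwarded packet twice (in on one interface, out on the
    # other); accept the IIS host's traffic on the inside leg and decide on the outside leg.
    "$IPFW_CMD" add 130 allow ip from "$WEB_IP" to any in via "$IN_IF"
    # Packets belonging to a tracked connection pass without re-evaluation.
    "$IPFW_CMD" add 200 check-state
    # Only HTTP/HTTPS reach IIS from the Internet; keep-state covers the replies.
    "$IPFW_CMD" add 300 allow tcp from any to "$WEB_IP" 80,443 in via "$OUT_IF" setup keep-state
    # RDP only from the management station.
    "$IPFW_CMD" add 310 allow tcp from "$ADMIN_IP" to "$WEB_IP" 3389 in via "$OUT_IF" setup keep-state
    # The IIS host may open outbound TCP and do DNS lookups, with state.
    "$IPFW_CMD" add 400 allow tcp from "$WEB_IP" to any out via "$OUT_IF" setup keep-state
    "$IPFW_CMD" add 410 allow udp from "$WEB_IP" to any 53 out via "$OUT_IF" keep-state
    # Everything else is dropped and logged (rate-limited by net.inet.ip.fw.verbose_limit),
    # so a flood shows up in the firewall's logs instead of on the IIS box.
    "$IPFW_CMD" add 65000 deny log ip from any to any
}

# Number of 'add' rules the script would load; handy for checking a dry run.
rule_count() {
    ( IPFW_CMD=echo; load_ruleset ) | grep -c '^add '
}

# Default is a dry run that prints the rules; set LOAD_RULES=1 to install them.
if [ "${LOAD_RULES:-0}" = 1 ]; then
    load_ruleset
else
    ( IPFW_CMD=echo; load_ruleset )
fi
```

Assumes the FreeBSD box forwards for the IIS host (gateway_enable="YES") and that rc.conf points firewall_script at this file; the dry run lets you read the rules before they touch live traffic.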

Daver
10-27-2004, 08:25 PM
What I was trying to say in my post as a whole was that it depends on your specific need and what you are protecting to decide which option would be best for you.

As far as BSD vs. Windows, it's a matter of taste as well. I am sure there are some very nicely configured W2k3 boxes out there, but really any box which is being attacked, BSD or otherwise, is going to experience problems if the same machine is running the firewall. There is a limit to how many hits, etc. it would take for the machine to feel ill effects; admittedly W2k3 already uses so many resources it would fall ill faster.

FHDave
10-27-2004, 09:23 PM
Originally posted by Daver
W2k3 already uses so many resources it would fall ill faster

Much, much faster. The FreeBSD box we used as a dedicated firewall is giving us 0.00 load even when hundreds of millions of packets have been filtered.

Windows may not have as good a TCP/IP stack as the *nix OSes. I would be surprised if there is any firewall box (Cisco PIX, Netscreen, etc.) running Windows as its OS. And this is for a good reason, of course.