a newbie firewall question
tokyojoe1964 03-02-2007, 09:21 PM I am a non technical type that is trying to start a web based business. I am thinking a dedicated server will be the best option for me but as I looked at the quotes from several different web hosts I noticed that the firewall services that they provide are very expensive: $100 a month - $150 a month.
Are there other firewall options that can be installed on the server that we as administrators can install and use?
Thanks in advance for any help.
jonwatson 03-02-2007, 11:53 PM There are many options for firewalls, but in general you'll need some expertise in the area in order to install and run them. One of your best bets may be to look into VMWare appliances like IPCop or Moonwall.
I'm curious, however, why you want a firewall on what I assume to be a publicly available server? The main purpose of a firewall is to keep people out of your stuff. If you're running a publicly available server, you probably don't need a firewall since the purpose of the thing is to be accessible.
That's a total generality as there are tons of exceptions to it, but it might be worthwhile to pursue that train of thought. You may find that you really only need one or two protections and there may be easier ways to achieve it.
tokyojoe1964 03-03-2007, 04:41 AM Thanks for the reply.
I am definitely running a public site that people need to buy a subscription to use.
It's a language school online sort of.
I just assumed that I would need a firewall on the server to prevent it from being taken over by some evil sorts.
I am using ASP to run the site.
What do you think, do I need a firewall?
MrRadic 03-03-2007, 11:48 AM I would still recommend a firewall to block other unused ports as Windows runs many other services. The best way to go about it is to use the built-in Windows firewall that comes with Server 2003 -- it does the job well and won't cost you a penny.
jonwatson 03-03-2007, 01:19 PM The way in which I assess if I need a firewall is this:
I ask myself how many services I will be running that I don't want everyone on the planet to be able to get at. If the number is higher than zero, then a firewall may be in order.
For example, I need to run SSH on my servers so that I can get in to manage the thing. However, on some of my servers I don't offer shell access to my customers. Therefore, a firewall may be a good idea if it is one that has the ability to restrict access to certain ports based on a list of IPs (like Shorewall, for example). However, that still may not work well if I want to be able to access the server from unknown IPs or locations.
So that's the question in my mind: What are you running that you can't just not run, but need to protect in some fashion? Don't really answer me...it's an internal question :)
MrRadic - by definition an 'unused port' has nothing listening on it. If nothing is listening on it then it's not open and there is nothing to firewall. If there are unused services on a box, the proper way to handle that is to shut them off.
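As an added example (not code from any poster in this thread), the assessment jonwatson describes can be turned into a small audit: a default-deny policy that opens only the public service to everyone and the admin port to a list of source addresses, plus a check of what is actually listening so that anything no rule admits is shut off rather than merely hidden. The policy, the port numbers and the `netstat -an` output below are constructed assumptions.

```python
import ipaddress
import re

# Constructed policy for a public web server (assumed values, not from the thread):
# port 80 is open to everyone, remote admin (RDP, 3389) only to listed addresses,
# and everything else falls through to default deny.
POLICY = [
    {"proto": "tcp", "port": 80,   "from": ["0.0.0.0/0"]},
    {"proto": "tcp", "port": 3389, "from": ["203.0.113.10/32", "198.51.100.0/24"]},
]

def is_allowed(src_ip, dst_port, proto="tcp"):
    """Default-deny: a connection passes only if some rule matches port and source."""
    addr = ipaddress.ip_address(src_ip)
    for rule in POLICY:
        if rule["proto"] != proto or rule["port"] != dst_port:
            continue
        if any(addr in ipaddress.ip_network(net) for net in rule["from"]):
            return True
    return False

# Constructed sample of `netstat -an` output on a Windows host (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             203.0.113.5:51234      ESTABLISHED
"""

# Matches only TCP sockets in LISTENING state; the header and established lines are skipped.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.M)

def listening_ports(netstat_text):
    """Return {(proto, port)} for TCP listeners bound to a non-loopback address."""
    found = set()
    for addr, port in LISTEN_RE.findall(netstat_text):
        if not ipaddress.ip_address(addr).is_loopback:
            found.add(("tcp", int(port)))
    return found

def unintended_listeners(netstat_text):
    """Listeners no rule ever admits: candidates to shut off rather than merely firewall."""
    intended = {(r["proto"], r["port"]) for r in POLICY}
    return listening_ports(netstat_text) - intended
```

Run against the sample, the audit flags 135 and 445 as services nobody intended to expose; the firewall would drop traffic to them, but the cleaner fix is to stop the services.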
Coolraul 03-03-2007, 07:55 PM Hostingpuppy,
I am afraid it's not that simple. In general you should be using a firewall that specifically opens the ports you want opened. You would be surprised how many things can get on a server that will want to open a port that you didn't know about.
Also, any tools like brute force detection need the firewall to actually block the offending IP.
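To illustrate Coolraul's point about brute force detection handing blocks to the firewall, here is an added example (not from any poster, and not any particular product's logic): failed logins per source address are counted over a sliding window, and sources that cross the threshold are emitted as deny rules. The log format, the timestamps and the addresses are constructed, and the rule text is a generic placeholder format rather than any real firewall's syntax.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events in an assumed "date time source_ip result" format.
# The addresses are documentation ranges, not real hosts.
LOG_SAMPLE = """\
2007-03-03 19:50:01 203.0.113.9 FAIL
2007-03-03 19:50:03 203.0.113.9 FAIL
2007-03-03 19:50:04 198.51.100.4 FAIL
2007-03-03 19:50:06 203.0.113.9 FAIL
2007-03-03 19:50:09 203.0.113.9 FAIL
2007-03-03 19:50:10 203.0.113.9 FAIL
2007-03-03 19:55:00 198.51.100.4 OK
2007-03-03 20:10:00 198.51.100.4 FAIL
2007-03-03 20:10:30 198.51.100.4 FAIL
"""

THRESHOLD = 5                 # failures within the window that trigger a block
WINDOW = timedelta(minutes=5) # sliding window; older failures are forgotten

def offenders(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time_of_trigger} for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        date, time, ip, result = line.split()
        ts = datetime.fromisoformat(f"{date} {time}")
        if result != "FAIL" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

def block_rules(blocked):
    """Render one deny rule per offender (generic placeholder syntax, assumed)."""
    return [f"deny from {ip}/32 to any" for ip in sorted(blocked)]
```

On the sample, only 203.0.113.9 is blocked (five failures in nine seconds); 198.51.100.4 fails three times but never five within five minutes, so a slow but legitimate user is not locked out.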
tokyojoe1964 03-03-2007, 09:01 PM thanks gentlemen!
I have a much better understanding now.
jonwatson 03-03-2007, 09:08 PM That's true. Users can install stuff that you don't know about, but isn't that the whole reason they buy a server? I guess it boils down to what your TOS is. The point about blocking offending IPs is very well made. I agree that's an excellent example of a good use for a firewall in all cases. I merely enjoy the conversation about firewalls because it's one of those topics that has so many points of view.
maxknight 03-07-2007, 06:13 AM I would suggest Visnetic or Kerio Firewall. Apart from the perimeter firewall we run, which blocks ports, we suggest that clients install an application layer firewall, which blocks a lot of malicious traffic. This is mainly blocking of unwanted connection methods like CONNECT, PUT, etc.
cprompt 03-08-2007, 12:21 PM > In general you should be using a firewall that specifically opens the ports you want opened.
I agree 100% with this. As far as I am concerned, there may be nothing listening on any port other than port 80 (which is never the case with Windows!), but for the $50 that my hardware firewall costs me at SoftLayer, I know that the only port accessible to the outside world is port 80. It gives me a little more peace of mind and one thing less to worry about, so I reckon it's $50 well spent.
And I know that I could probably achieve the same thing via IPSEC or any software firewall for free or a low-ish price, but a hardware firewall prevents the outside world from getting to my server on any port other than 80, regardless of what's running on my server. A software firewall is only as good as its configuration, and if that gets screwed up, for whatever reason, then it's no good. That little black box 2 feet from my server just sits there all day long blocking ports, no more, no less, no matter what my server is doing :)
kogatheninja 03-26-2007, 01:08 AM I used to use Zonealarm and it was great.
sc0rpi0n 03-26-2007, 03:20 AM > A software firewall is only as good as its configuration, and if that gets screwed up, for whatever reason, then it's no good. That little black box 2 feet from my server just sits there all day long blocking ports, no more, no less, no matter what my server is doing :)
If you misconfigure a hardware firewall, you may get screwed up as well. But I get your point; a hardware firewall gives you peace of mind that no one will mess up your firewall rules. You can give the box's admin pass to anyone and keep the firewall pass for yourself.