Windows Server 2003 compatible software firewall

[Xavier]

Afternoon all,

Thought I'd pose a techie question for once...

I've been asked by a friend to recommend a software firewall solution to run on a Windows Server 2003 based machine. They're migrating from a Symmetric NAT firewall on their router as it stops IPv6 communication and instead want an app they can deploy on their windows server, which is also functioning as gateway to the network.

The machine is functioning as a domain controller, runs Exchange 2003 and SQL 2000 as well as Terminal Services, IIS and a couple of game servers.

Because it's a "PDC" (or as close as you get to one in an FSMO AD) things such as Symantec Enterprise Firewall are a complete no-no, as is any Zone Alarm product - neither will allow themselves to be installed on a domain controller.

OutPost Pro 2.1 is a non-starter too, while it installs on Server 2003 it can't be administered over Terminal Services properly because of gh3y limitations in the way it was written.

Ideally he's after a stateful firewall with port-based rules, rather than anything tied to application behavior and whatnot. My fave solution - ISA server won't work here as they don't have a dedicated box from which to run the firewallage and don't want to add another layer of NAT, which will again cock up IPV6 tunneling.

So, is anyone aware of any software firewalls which might do the job? Preferrably ones you've seen running in a W2k3/AD environment, sitting on top of ICS or R/RA. Currently the only thing they've found which works on an admin level is the ICS firewall - but we all know why you don't want a box running something that simple sat on the 'edge', especially if it's running IIS and whatnot.

 

[Gurnox]

How's your friends Linux?

Have to admit that I haven't tried this, or seen it working in the environment you've specified, but iptables will support IPv6. So using a masquerading Linux box with this instead of the NAT device may not screw up the tunneling.

Also veers from your spec in that it is, obviously, not going to be running on the domain controller... And is about as far away from a 'Windows 2003 Server software firewall' as you are ever going to get.

http://www.linuxguruz.com/iptables/

Has lots of info.

 

[Athan]

Hmmm, and there are a number of 'hardware' firewall devices that are actually based on Linux. The names of any escape me right now though . Just a suggestion for something to look at if you need a bit more hand-holding (no worries about getting hardware that's up to the job, pre-install done, no doubt some nice GUI/web config tools...).

-Ath

 

[Xavier]

We found and deployed a stateful software solution on the 2k3 box before the weekend, as mentioned it had to be something to run on the box itself. Thus far it seems to be holding up ok, guess we'll see if it's adequate in a week or twos time.

Xav

 

[phlash]

As a matter of interest - what was it Xav?

 

[Gurnox]

As a matter of interest - what was it Xav?

I'd be interested in knowing too. Come on Xavier, don't keep it to yourself.

 

[Cenuij]

Ummm wouldnt it be better to run this box as a member server?

just a thought

 

[Xavier]

heh, it was kerio's firewall/NAT app but it bailed on him.

and no, seeing as the box serves http, mail, NAT traffic and runs a VPN it's definately the kind of thing you'd stick on the edge, if not in a DMZ.

Xav

 

[Cenuij]

So... presumably your running IIS, on an AD domain controller, in the DMZ.

Sounds like security suicide to me but hell, what do I know...

 

[Mellow]

Not just security, but if that one box fails you've lost every network service too. Bit of a silly idea!

 

[SheepCow]

Windows' built-in firewall?