Firewall Wizards mailing list archives

Re: mitigating the lack of a firewall

From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 15 Feb 2000 07:28:02 -0800 (PST)

On Sat, 12 Feb 2000, Bruce H. Nearon wrote:

Suppose an Internet site does not have a firewall.  Can a securely
configured IIS 4.0 server running under securely configured NT 4.0
protect the site from unauthorized access and denial of service attacks?


What do you mean "site"?

If you're talking about a bunch of machines, certainly not.  Not without
making the NT machine something that constitutes a firewall.

Assuming you're talking about a web "site", then yes, depending on your
requirements.  If the web server software is as locked down as it can be,
then a firewall doesn't matter.  I know of no firewall that can stop new
unknown attacks against web servers, if you're allowing web access.

The "depends" part has to do with how you administer the server.  If
you're willing to walk media up to the console of the NT box to update
content, then you can rip out the workstation and server services, and
feel pretty good.  If you're going to try to use an MS filesharing, RPC,
DB access, etc...  then, IMNSHO, you better have a firewall.

                                        Ryan

Current thread:

mitigating the lack of a firewall Bruce H. Nearon (Feb 14)
- Re: mitigating the lack of a firewall R. DuFresne (Feb 15)
  - RE: mitigating the lack of a firewall Phil Cox (Feb 15)
- Re: mitigating the lack of a firewall Aaron D. Turner (Feb 15)
- Re: mitigating the lack of a firewall Ryan Russell (Feb 15)
- Message not available
  - Re: mitigating the lack of a firewall Marcus J. Ranum (Feb 15)
- <Possible follow-ups>
- RE: mitigating the lack of a firewall Starkey, Kyle (Feb 15)
- RE: mitigating the lack of a firewall David LeBlanc (Feb 16)
- Re: mitigating the lack of a firewall Malcolm Holser (Feb 17)
- RE: mitigating the lack of a firewall Burden, James (Feb 24)