There is such a problem: "I don't know what firewall to choose for Windows server." In fact, people often consult me about this issue, but I have not been able to find the best answer. Many times, I still like to install additional software protection on the server itself even when the server is protected by a hardware firewall. Because sometimes my servers may be located in remote locations and there is no hardware-level firewall to protect them, then I have to rely entirely on installing software on the server to keep them safe.
Sounds like this seems simpler. In reality, I have been patient enough to wait for one day to find the perfect Windows firewall, so I don't have to explain to those who consulted me why many times the ideal choice is to deploy Iptables Linux. But I think my wait is futile. Many times I thought I finally found the best Windows firewall solution, but that was just the beginning of my disappointment.
TCP /IP filter speed is indeed very fast, but its advantage is only limited to this, because when you use TCP /IP filter, you definitely need to add another layer of protection.
IPSec is good, when you pick out the applicable rules, the terms of filtering, you can through a graphical interface or the command-line interface to set up, but whether it is a graphical interface or a command-line interface are likely to be confusing . Finally, you are finally configured and successfully run it up - at this point, you will find that the network is slowing down, because IPSec filters the "package", which itself can slow down the network by 10% to 15%. By the way, let me talk about other things that make me hate IPSec: it logs in the form of Windows events - when you want to watch your firewall logs, you need to click on those event logs and find out what you want. What you want - this is enough for me to give up using it.
Internet Connection Firewall (ICF) in Windows Server 2003 is slightly better, it has a good performance, and a certain flexibility in the rules. When Windows Server 2003 SP1 comes, the new Windows firewall will get better. Windows Firewall is a big step forward, and it has a group policy. Unfortunately, Windows Firewall does not allow you to set any rules for the originator. In addition, it also requires remote management and communication services - these are not what I usually don't need.
RAS Some may ask how to do? You may have noticed that it has packet filtering and in fact it provides a nice API interface for other tools to configure the filter. However, these filters do not control the underlying protocol, such as ICMP, so it's actually not very useful.
There are many very good personal firewall can run on desktop systems, but they are unable to reach the required server users. Although some of them are clearly beyond the level of similar products, the common problems of all personal firewalls are: simple logging tools, slow execution efficiency, and, worst of all, most personal firewalls are in circulation. When the amount is very large, it may cause the system to be blue. These problems
Personal Firewall from a combination of them with Windows. They intercept packets in a number of ways, and this also causes some of their flaws. Some personal firewall products involve intercepting system kernel information or overwriting hardware drivers. Because of this way of working, you better pray that their products are stable, otherwise you will often see the blue screen phenomenon, you see, when the circulation is relatively large, we do often see the system blue screen.
Another problem is that because of the working mode of these personal firewalls, they usually repel, so don't try to install two sets of personal firewalls on your PC at the same time. The same is true for servers. Otherwise, you may encounter some problems. Personal firewalls are not suitable for unattended servers, because most personal firewalls pop up a dialog box when intercepting packets, allowing users to choose how to handle/operate. Some firewalls I also found that the terminal service could not be accessed smoothly through the system tray icon.
The last time I thought I had found the best solution for Windows Firewall was when I tried to install ISA Server 2004 on a Windows server. To my surprise, it works very well. Its function is very perfect, it is similar to the personal version in terms of protection range, but it runs more stably. I found that it has only one problem: the price of the license for ISA Server 2004 is more expensive than the server itself. This makes it difficult for users to accept.
What should I do now? I think if I spend money on a small hardware-level firewall to protect my server - just because I sometimes have to leave it for a short time - it's really crazy.
not all hope is lost, at least, Microsoft is working to create a new filter platform WFP, in the near future on the upcoming "Longhorn (Longhorn)" system. The actual release date for this version may be in the next one or two years. WFP is an integrated package filtering
technology
solution within the operating system.
future, third-party firewall vendors are likely to simply access to WFP system, providing the ability to configure rules only. WFP plans to support multiple layers of the new TCP/IP protocol and can filter traffic before it is parsed. WFP even supports IPv6. WFP sounds great, but it still can't help us today, it's a little away from us. And, whether it is effective and stable still needs us to observe in actual use.
You may think that the answer is too simple, of course not. These still make us feel astonished. Currently, the perfect solution for Windows Server Firewall does not exist.