Firewall


Adam Thornton
Here's the deal. We are trying to implement a kind
of "poor man's firewall." My question is how easy is it to
place two NIC cards into a Windows 2000 machine (one card
having access to the router/ISP, the other having access
to a switch) to have a firewall for security purposes. We
were wanting to test the security capabilities of Windows
2000 and its firewall. Is this possible? Are there any
other cheaper alternatives? Is this even worthwhile?
Thanks in advance for any help!

Robert Cowling
We ran into huge issues with a 'multihomed' 2000 server
back years ago.

I'd not do it. Plus if there are things on that server
that you want secure, any breaches could leave no security
and data loss or worse...

A cheap NetGear or a PIX 504 firewall would be better than
trying to cobble something together and hoping that it
works... IMO

>-----Original Message-----
>Here's the deal. We are trying to implement a kind
>of "poor man's firewall." My question is how easy is it to
>place two NIC cards into a Windows 2000 machine (one card
>having access to the router/ISP, the other having access
>to a switch) to have a firewall for security purposes. We
>were wanting to test the security capabilities of Windows
>2000 and its firewall. Is this possible? Are there any
>other cheaper alternatives? Is this even worthwhile?
>Thanks in advance for any help!

Steven L Umbach
If you are talking about W2K Server you can use RRAS and NAT and configure
input and output filters. For W2K Pro there is no firewall and you would end
up using ICS which acts as a basic NAT router. I suppose you could also try
configuring IPsec filtering on just the external adapter. You may be better
off with a lower end firewall device such as the Netgear ProSafe line
[starting less than $100] which is a true SPI firewall and has some
configuration to restrict outbound access though the number of rules to
create is rather limited. A lot will use Linux for such a purpose. I am not
a big Linux user, but it is pretty easy to install and configure these days
and the rules in the configuration file are pretty straightforward for the
firewall for iptables or ipchains. -- Steve


"Adam Thornton" wrote in message
news:1231301c44272$87d8e4e0$a101280a@phx.gbl...
> Here's the deal. We are trying to implement a kind
> of "poor man's firewall." My question is how easy is it to
> place two NIC cards into a Windows 2000 machine (one card
> having access to the router/ISP, the other having access
> to a switch) to have a firewall for security purposes. We
> were wanting to test the security capabilities of Windows
> 2000 and its firewall. Is this possible? Are there any
> other cheaper alternatives? Is this even worthwhile?
> Thanks in advance for any help!
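
The two-NIC NAT gateway with stateful filtering discussed in this thread, sketched as an iptables ruleset generator with a small audit check. This is an added example, not part of any post above; the interface names, the 192.168.1.0/24 network and the helper names `gen_gateway_rules` and `audit_rules` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). eth0 = external NIC, eth1 = internal
# NIC, 192.168.1.0/24 = internal network: assumed values, substitute your own.
# The kernel must also forward packets: sysctl -w net.ipv4.ip_forward=1

# Print an iptables-restore ruleset for a two-NIC NAT gateway.
gen_gateway_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the internal network behind the external address (NAT)
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
# Default deny: anything not matched below is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Drop packets arriving on the external side that claim an internal source
-A FORWARD -i $wan_if -s $lan_net -j DROP
# Stateful inspection: allow replies to connections already permitted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may open new connections outward
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# Administer the gateway over SSH from the internal side only
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin. Succeed only if INPUT and FORWARD default to DROP
# and no rule accepts traffic entering on the external interface without a
# connection-state match.
audit_rules() {
    wan_if=$1; rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -- "-i $wan_if " \
        | grep -- '-j ACCEPT' | grep -qv 'ctstate'; then
        return 1
    fi
    return 0
}

gen_gateway_rules eth0 eth1 192.168.1.0/24 | audit_rules eth0 && echo "ruleset passes audit"
```

Piping the generated ruleset to `iptables-restore --test` parses it without loading it into the kernel.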



Adam Thornton
Well this is the situation. We are a non-profit
organization. We have approx. 145 machines spread out over
about 10 locations. I, personally, am uncertain as to
which functions may be critical in order to purchase and
use a firewall. The Symantec SGS5440 would be ideal because
it has every possible function I could think of. My
supervisor gave me the idea of the "poor man's firewall"
that I mentioned. In another forum, a man suggested
setting up a NAT service
(http://support.microsoft.com/default.aspx?scid=kb;en-us;310357).
In addition to basic security and protection,
one of the main functions that we are looking to get out
of the firewall is email content screening (attachments,
etc). In an ideal situation, we could purchase a piece of
hardware and not sacrifice a computer. Some of you have
mentioned different firewalls. Are these cheap enough that
they are easy to break or would maybe not provide the
appropriate level of functionality? Would we be better off
purchasing a higher end model or could we go with
the "poor man's firewall" that I mentioned earlier? Thanks
again and if I can answer any questions, please let me
know.

Adam Thornton

Jim Cusson
As for the content filtering for e-mail... Windows won't do that out of the
box for you. You're definitely looking for 3rd party software there. We
use SurfControl, but there are a number of options including outside
services.

--
Jim Cusson
Information Security Administrator
CompassBank for Savings
One Compass Place
New Bedford, MA 02740



Jeff Cochran
On Tue, 25 May 2004 09:08:34 -0700, "Adam Thornton" wrote:

>Here's the deal. We are trying to implement a kind
>of "poor man's firewall." My question is how easy is it to
>place two NIC cards into a Windows 2000 machine (one card
>having access to the router/ISP, the other having access
>to a switch) to have a firewall for security purposes.

Quite easy. Except you have to add firewall software to the system.
:)

>We
>were wanting to test the security capabilities of Windows
>2000 and its firewall. Is this possible?

W2K has no firewall.

>Are there any
>other cheaper alternatives?

Plenty. Smoothwall for example.

>Is this even worthwhile?

A firewall isn't "worthwhile", it's a requirement. Linux-based
firewall systems such as Smoothwall are free, relatively easy to
configure and can run on a system you'd normally discard. Plenty of
SOHO hardware firewalls also exist that would be inexpensive.

Jeff

You can try a low end Sonic Wall appliance for around $1000