Any Firewall Appliance to Front End Web and Mail Server? - Firewalls


Thread: Any Firewall Appliance to Front End Web and Mail Server?

  1. Any Firewall Appliance to Front End Web and Mail Server?

    To protect internal users and networks I really like the approach used in
    the Fortinet Fortigate firewall appliances, which integrate a lot of
    anti-virus, intrusion protection, and other higher level abstractions
    directly into the firewall. The Fortigate is just a standard firewall,
    however, when it comes to protecting internal servers against hackers.
    For example, you can design a set of firewall rules that might limit
    incoming connections to the web server to port 80, but there is no protocol
    level inspection of incoming HTTP requests, to detect or block specific
    kinds of probes or attacks against the web server.

    Does any vendor make a firewall appliance that is specifically focused on
    protecting internal web servers and blocking against specific kinds of
    attacks? Any references to such appliances are appreciated.

    --
    Will



  2. Re: Any Firewall Appliance to Front End Web and Mail Server?

    On Mar 20, 7:46 am, "Will" wrote:
    > To protect internal users and networks I really like the approach used in
    > the Fortinet Fortigate firewall appliances, which integrate a lot of
    > anti-virus, intrusion protection, and other higher level abstractions
    > directly into the firewall. The Fortigate is just a standard firewall,
    > however, when it comes to protecting internal servers against hackers.
    > For example, you can design a set of firewall rules that might limit
    > incoming connections to the web server to port 80, but there is no protocol
    > level inspection of incoming HTTP requests, to detect or block specific
    > kinds of probes or attacks against the web server.
    >
    > Does any vendor make a firewall appliance that is specifically focused on
    > protecting internal web servers and blocking against specific kinds of
    > attacks? Any references to such appliances are appreciated.
    >
    > --
    > Will


    hi will...

    u might want to try checkpoint firewall with Web Intelligence which
    provides specialised protection against web servers...

    i don't guarantee on their UTM appliance series...but software on a
    hardened platform/Nokia appliance works well...

  3. Re: Any Firewall Appliance to Front End Web and Mail Server?

    Under $1K total cost including hardware would also be nice....

    --
    Will


    "Arjun" wrote in message
    news:713f93e2-b20d-4a18-bc1a-0d51695bbd42@a70g2000hsh.googlegroups.com...
    On Mar 20, 7:46 am, "Will" wrote:
    > To protect internal users and networks I really like the approach used in
    > the Fortinet Fortigate firewall appliances, which integrate a lot of
    > anti-virus, intrusion protection, and other higher level abstractions
    > directly into the firewall. The Fortigate is just a standard firewall,
    > however, when it comes to protecting internal servers against hackers.
    > For example, you can design a set of firewall rules that might limit
    > incoming connections to the web server to port 80, but there is no
    > protocol
    > level inspection of incoming HTTP requests, to detect or block specific
    > kinds of probes or attacks against the web server.
    >
    > Does any vendor make a firewall appliance that is specifically focused on
    > protecting internal web servers and blocking against specific kinds of
    > attacks? Any references to such appliances are appreciated.
    >
    > --
    > Will


    hi will...

    u might want to try checkpoint firewall with Web Intelligence which
    provides specialised protection against web servers...

    i don't guarantee on their UTM appliance series...but software on a
    hardened platform/Nokia appliance works well...



  4. Re: Any Firewall Appliance to Front End Web and Mail Server?

    In article , westes-usc@noemail.nospam says...
    > Does any vendor make a firewall appliance that is specifically focused on
    > protecting internal web servers and blocking against specific kinds of
    > attacks? Any references to such appliances are appreciated.


    WatchGuard has an SMTP Proxy that will allow you to control MANY things,
    including only allowing approved file types, file sizes, etc...

    Same with their HTTP Proxy rules.

    For medical sites we always use the SMTP and HTTP Proxy rules to clean
    content before it reaches the servers or the users' sessions.


    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  5. Re: Any Firewall Appliance to Front End Web and Mail Server?

    Will wrote:

    > To protect internal users and networks I really like the approach used in
    > the Fortinet Fortigate firewall appliances, which integrate a lot of
    > anti-virus, intrusion protection, and other higher level abstractions
    > directly into the firewall. The Fortigate is just a standard firewall,
    > however, when it comes to protecting internal servers against hackers.
    > For example, you can design a set of firewall rules that might limit
    > incoming connections to the web server to port 80, but there is no
    > protocol level inspection of incoming HTTP requests, to detect or block
    > specific kinds of probes or attacks against the web server.


    If the internal servers are on a separate subnet traffic to them can be
    inspected by a suitable filtering device just the same way that the device
    can inspect traffic to/from external servers.

    > Does any vendor make a firewall appliance that is specifically focused on
    > protecting internal web servers and blocking against specific kinds of
    > attacks?


    Any UTM box can do that.

    Wolfgang



  6. Re: Any Firewall Appliance to Front End Web and Mail Server?

    Will wrote:
    > Under $1K total cost including hardware would also be nice....
    >

    If price is a key issue, this might suit your needs ...

    http://www.untangle.com/

    VH.

  7. Re: Any Firewall Appliance to Front End Web and Mail Server?

    "Will" writes:

    > To protect internal users and networks I really like the approach used in
    > the Fortinet Fortigate firewall appliances, which integrate a lot of
    > anti-virus, intrusion protection, and other higher level abstractions
    > directly into the firewall. The Fortigate is just a standard firewall,
    > however, when it comes to protecting internal servers against hackers.
    > For example, you can design a set of firewall rules that might limit
    > incoming connections to the web server to port 80, but there is no protocol
    > level inspection of incoming HTTP requests, to detect or block specific
    > kinds of probes or attacks against the web server.
    >
    > Does any vendor make a firewall appliance that is specifically focused on
    > protecting internal web servers and blocking against specific kinds of
    > attacks? Any references to such appliances are appreciated.


    Hi Will,

    Yes. What's yer budget? What sort of speed do you need?

    Unified Threat Management boxes may be one solution.

    There was recently a roundup of these devices in SC Magazine.
    http://www.scmagazineus.com/UTM-2008/GroupTest/121/

    Among those, I have some experience with the ISS (now part of IBM)
    Proventia M that runs about $1400 plus support. What I like about
    those is that the IPS/IDS in them doesn't block whole IP
    addresses--they just swallow the subset of the traffic that represents
    the detected threat when in blocking mode. Many other vendors seem to
    lock out IPs when threats are triggered which makes them rather
    vulnerable to DOS with spoofed traffic.

    --
    Todd H.
    http://www.toddh.net/

  8. Re: Any Firewall Appliance to Front End Web and Mail Server?

    On Mar 20, 4:46 am, "Will" wrote:

    > Does any vendor make a firewall appliance that is specifically focused on
    > protecting internal web servers and blocking against specific kinds of
    > attacks? Any references to such appliances are appreciated.
    >
    > --
    > Will


    Check Point with a Web Intelligence license will do some "basic"
    checks.

    If web services are part of your core business:
    (in no particular order)
    www.denyall.com
    F5 Big-IP with ASM
    Reactivity
    ...
    Patching your systems, writing secure code and an audit from time to
    time might also help.

  9. Re: Any Firewall Appliance to Front End Web and Mail Server?

    "Wolfgang Kueter" wrote in message
    news:frtmmp$f8s$1@news.shlink.de...
    > Will wrote:
    >
    >> To protect internal users and networks I really like the approach used in
    >> the Fortinet Fortigate firewall appliances, which integrate a lot of
    >> anti-virus, intrusion protection, and other higher level abstractions
    >> directly into the firewall. The Fortigate is just a standard firewall,
    >> however, when it comes to protecting internal servers against hackers.
    >> For example, you can design a set of firewall rules that might limit
    >> incoming connections to the web server to port 80, but there is no
    >> protocol level inspection of incoming HTTP requests, to detect or block
    >> specific kinds of probes or attacks against the web server.

    >
    > If the internal servers are on a separate subnet traffic to them can be
    > inspected by a suitable filtering device just the same way that the device
    > can inspect traffic to/from external servers.


    The attack is usually different. The user inside the network using a
    browser goes to a page with a trojan and it is embedded as an Active/X, for
    example. So a defense against that would be to inspect the active/x binary
    during download for metainformation as well as checksum that might identify
    it and then block it.

    The attack against the web server you own is more likely to focus on trying
    to force buffer overloads on your server, so the defense against that is
    more about inspecting for bad URLs, SQL injections, etc.

    --
    Will



  10. Re: Any Firewall Appliance to Front End Web and Mail Server?

    In article , westes-usc@noemail.nospam says...
    > The attack is usually different. The user inside the network using a
    > browser goes to a page with a trojan and it is embedded as an Active/X, for
    > example. So a defense against that would be to inspect the active/x binary
    > during download for metainformation as well as checksum that might identify
    > it and then block it.


    Actually, blocking ActiveX completely is the best method. There is no
    reason to allow ActiveX except from known good sites that require it for
    your business.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  11. Re: Any Firewall Appliance to Front End Web and Mail Server?

    "Leythos" wrote in message
    news:MPG.224cd6445050602c98969b@adfree.usenet.com...
    > In article , westes-usc@noemail.nospam says...
    >> The attack is usually different. The user inside the network using a
    >> browser goes to a page with a trojan and it is embedded as an Active/X,
    >> for
    >> example. So a defense against that would be to inspect the active/x
    >> binary
    >> during download for metainformation as well as checksum that might
    >> identify
    >> it and then block it.

    >
    > Actually, blocking ActiveX completely is the best method. There is no
    > reason to allow ActiveX except from known good sites that require it for
    > your business.


    Agreed and that is for the web browsers behind our firewall.

    I'm trying to protect a web server, so blocking Active/X at the browser
    isn't addressing my need.

    What I am looking for is a web application firewall that is commoditized as
    an appliance for low-end servers, similar to what Fortinet has done with
    their 50B and 60B firewall appliances for small businesses.

    --
    Will



  12. Re: Any Firewall Appliance to Front End Web and Mail Server?

    In article , westes-usc@noemail.nospam says...
    > "Leythos" wrote in message
    > news:MPG.224cd6445050602c98969b@adfree.usenet.com...
    > > In article , westes-usc@noemail.nospam says...
    > >> The attack is usually different. The user inside the network using a
    > >> browser goes to a page with a trojan and it is embedded as an Active/X,
    > >> for
    > >> example. So a defense against that would be to inspect the active/x
    > >> binary
    > >> during download for metainformation as well as checksum that might
    > >> identify
    > >> it and then block it.

    > >
    > > Actually, blocking ActiveX completely is the best method. There is no
    > > reason to allow ActiveX except from known good sites that require it for
    > > your business.

    >
    > Agreed and that is for the web browsers behind our firewall.
    >
    > I'm trying to protect a web server, so blocking Active/X at the browser
    > isn't addressing my need.
    >
    > What I am looking for is a web application firewall that is commoditized as
    > an appliance for low-end servers, similar to what Fortinet has done with
    > their 50B and 60B firewall appliances for small businesses.


    If a web server is all you want to protect, then a simple NAT router
    will do all you need if you properly secure the server and web services.

    What OS/Web service are you running?

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  13. Re: Any Firewall Appliance to Front End Web and Mail Server?

    Hi,

    Leythos wrote:
    > If a web server is all you want to protect, then a simple NAT router
    > will do all you need if you properly secure the server and web services.


    How does NATting ensure protocol integrity and stop inline attacks?
    Answer: It can't. You need some application layer proxy to do that.

    Cheers,
    Jens

  14. Re: Any Firewall Appliance to Front End Web and Mail Server?

    "Leythos" wrote in message
    news:MPG.224d7db149e565c498969c@adfree.usenet.com...
    > In article , westes-usc@noemail.nospam says...
    >> "Leythos" wrote in message
    >> news:MPG.224cd6445050602c98969b@adfree.usenet.com...
    >> > In article , westes-usc@noemail.nospam says...
    >> >> The attack is usually different. The user inside the network using
    >> >> a
    >> >> browser goes to a page with a trojan and it is embedded as an
    >> >> Active/X,
    >> >> for
    >> >> example. So a defense against that would be to inspect the active/x
    >> >> binary
    >> >> during download for metainformation as well as checksum that might
    >> >> identify
    >> >> it and then block it.
    >> >
    >> > Actually, blocking ActiveX completely is the best method. There is no
    >> > reason to allow ActiveX except from known good sites that require it
    >> > for
    >> > your business.

    >>
    >> Agreed and that is for the web browsers behind our firewall.
    >>
    >> I'm trying to protect a web server, so blocking Active/X at the browser
    >> isn't addressing my need.
    >>
    >> What I am looking for is a web application firewall that is commoditized
    >> as
    >> an appliance for low-end servers, similar to what Fortinet has done with
    >> their 50B and 60B firewall appliances for small businesses.

    >
    > If a web server is all you want to protect, then a simple NAT router
    > will do all you need if you properly secure the server and web services.


    How is an NAT box going to inspect a URL request and block SQL injections or
    any other known vulnerability of a web server?

    Of course you configure the server as well, but that's not mutually
    exclusive with a web application firewall, and the two complement each
    other.

    --
    Will
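
The distinction argued in the posts above, between forwarding port 80 and inspecting the HTTP request itself, shown as an added example that is not part of the original thread or of any vendor's product. The rule set, limits, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed, deliberately small rule set for illustration; real WAF rule sets are far broader.
SIGNATURES = {
    "sql-injection": re.compile(r"['\"]\s*(or|and)\s+.+=|union\s+select", re.I),
    "path-traversal": re.compile(r"\.\.[/\\]"),
}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LEN = 2048  # assumed limit; oversized targets are rejected before any parsing

def port_filter(dst_port: int) -> bool:
    """All a packet filter or NAT port-forward evaluates: the destination port."""
    return dst_port == 80

def inspect_request(raw: bytes) -> tuple[bool, str]:
    """Application-layer check of the HTTP request line; returns (allowed, reason)."""
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed-request-line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "bad-version"
    if method not in ALLOWED_METHODS:
        return False, "method-not-allowed"
    if len(target) > MAX_TARGET_LEN:
        return False, "uri-too-long"
    parts = urlsplit(target)
    # Decode twice so a double-encoded payload is matched in its normalized form.
    decoded = unquote_plus(unquote_plus(parts.path + "?" + parts.query))
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return False, name
    return True, "ok"

# Constructed sample requests (not captured traffic), all addressed to port 80.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /search?q=rock+and+roll HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

def compare(samples=SAMPLES):
    """Pair the port-only verdict with the inspection verdict for each request."""
    return [(port_filter(80), *inspect_request(s)) for s in samples]

if __name__ == "__main__":
    for verdict in compare():
        print(verdict)
```

Every sample passes the port-only check; only the request-line inspection separates the two benign requests from the other four.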



  15. Re: Any Firewall Appliance to Front End Web and Mail Server?

    "Jens Hoffmann" wrote in message
    news:fs0fhu$pjk$1@murphy.mediascape.de...
    > Leythos wrote:
    >> If a web server is all you want to protect, then a simple NAT router will
    >> do all you need if you properly secure the server and web services.

    >
    > How does NATting ensure protocol integrity and stop inline attacks?
    > Answer: It can't. You need some application layer proxy to do that.


    Yes, thank you.

    --
    Will



  16. Re: Any Firewall Appliance to Front End Web and Mail Server?

    In article , jh@bofh.de says...
    > Hi,
    >
    > Leythos wrote:
    > > If a web server is all you want to protect, then a simple NAT router
    > > will do all you need if you properly secure the server and web services.

    >
    > How does NATting ensure protocol integrity and stop inline attacks?
    > Answer: It can't. You need some application layer proxy to do that.


    It doesn't as you've so nicely put it, but, if your server is properly
    secured, since I don't know what OS/Service, there is a good chance
    that you're not going to get much more protection that would do you much
    good.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  17. Re: Any Firewall Appliance to Front End Web and Mail Server?

    Will wrote:
    > Under $1K total cost including hardware would also be nice....
    >




