Firewall?
We have been deploying our 2008 servers and leaving the firewall enabled. Now the question has been posed about why we should be enabling and managing host based firewalls. We do not do it for the unix hosts, and firewalls enabled on servers are seen as a redundant effort of the network team's firewalls. It is seen that host based firewalls would not protect us from internal threats as the server ports are already allowed through the firewalls and are accessible to internal systems. So my question is: is there any benefit to having host based firewalls enabled?
June 24th, 2010 9:13pm

Yeah, one of the main benefits is protection from an outside attacker that manages to penetrate the perimeter firewall maintained by your networking staff and offers protection in the event that a firewall happens to be misconfigured. Additionally, servers offering services like SQL Server can be scoped to only allow connections from specific clients. Unlike the UNIX systems, the firewalls in Windows can be maintained using group policy, so for the majority of your systems, you will have 1 GPO that maintains the majority of the host based firewall rules of the organization. -- Mike Burr
June 24th, 2010 9:46pm

I think it is more effective (based on the cost of management) to have servers placed in a secure zone (an internal DMZ) to protect them from internal attacks, as the attack does not always originate from the outside coming through the perimeter firewalls. The source can be internal and the perimeter firewall is not going to provide any protection in this case. I have found that it is difficult to manage host based firewall solutions for servers, since your servers are all likely to run various applications that require custom firewall settings per server. For host based solutions to be successful, you would have to group your servers that run identical services by OU, and apply Firewall rules via GPOs.
Visit: anITKB.com, an IT Knowledge Base.
June 24th, 2010 9:52pm

Hello, I don't really see it as redundant, it's just another layer of security. For example, your internal DNS server is much better off having just port 53 open on the LAN than having all 65K ports open. It lowers the attack surface area and can save you some trouble if any internal hosts get malware that exploits vulnerabilities in applications and/or services. Miguel
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL. Visit our Knowledgebase Sharepoint Site
June 25th, 2010 6:50am

I go back and forth on this issue, mostly because pre-Windows 2008 made it very difficult to manage firewalls and significantly increases your administration cost associated with Host Based firewall configuration. The maturity in the management utilities when Windows 2003 first came out (in 2003/2004) was very limited and even in the years past the native 2003 FW hasn't really improved from an ease of management perspective...my opinion. Because of this most Administrators used LAN based DMZ areas to more easily manage servers that needed to be protected. In Windows 2008 the management of the FW is much better, but it still requires some research for custom non-native Windows applications to open ports. But I am hopeful that newer applications will automatically configure the FW for you on installation, just like the native Windows apps....I can dream. When that happens, then the FW becomes totally transparent and is really easy to manage and maintain without a lot of special knowledge or skill needed. That's when I think I will totally buy into using a FW on every server. Using the FW on every server is protecting you from WHAT is always the question? Most IT Administrators want to use firewalls to prevent the spread of viruses or prevent security exploits....which isn't realistic. It's sort of like hitting a screw with a hammer, it appears to do something, but not much. Just like the screw you need the right tool for the job. Ultimately, you need to protect yourself from Viruses with a Virus Scanner, and protect yourself from Security Exploits by patching and good security practices; firewalls directly on the server don't do a good job at protecting yourself from those things, they aren't the right tool...and in my opinion, in most cases provide a false sense of security. The Truth about Security Exploits on Windows Servers http://networkadminkb.com/Shared%20Documents/The%20Truth%20about%20Security%20Exploits%20on%20Windows%20Servers.aspx
June 25th, 2010 7:37am

Hi, Yes, Microsoft have a whole solution to secure the service, server and network while Windows Firewall (WFAS) plays a role as the local network security firewall.
Edge network security: ISA (TMG) server
Service security: Forefront server security for Exchange, Sharepoint and so on
Windows Firewall: local network security and isolation
In Windows Firewall, you will have the ability to create fine-grained firewall rules to control specific traffic. For example, you can allow the traffic from a specific application/service. In Windows Vista and later OS, IPSec is included in Windows Firewall with Advanced Security, which enhances the host based network security. It will prevent sniffers or illegal access from the internal network, which is out of the protection of the edge firewall.
June 25th, 2010 7:39am

Falcon,
>>>For example, your internal DNS server is much better off having just port 53 open on the LAN than having all 65K ports open.
This is a false statement. Servers do not have all 65k ports open. An open port is one on which a service is listening; if no service is listening then the port is not open. Obviously, there are not 65k apps/services running on every server. Also, any OPEN PORT shouldn't be blocked by the FW...if the FW blocks it outright then the SERVICE listening cannot function....not a good FW in that case.
>>>It lowers the attack surface area and can save you some trouble if any internal hosts get malware that exploit vulnerabilities in applications and/or services.
This is another false statement. On a HOST BASED FW all VALID services that have open ports are allowed through the FW. The FW does not block them. Thus a Host based FW DOES NOTHING to reduce the attack surface. Unless you manage the FW with RULES that limit access to specific OPEN Ports to specific IPs (or ranges of IPs) the HOST BASED FW does NOTHING to reduce your attack surface...because the default rules are ALWAYS allow ANY IP Address to connect. The SINGLE thing a Host Based FW does is IF you get infected by a Virus, and that VIRUS tries to open communications (listen for or transmit data) the FW may block it. That is provided the virus doesn't modify the FW Rules to allow it to work anyway. That is little benefit....for a lot of work....in my opinion.
June 25th, 2010 7:48am
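As an added example (not code from any poster in this thread), here is the distinction Mike Burr and Gunner are both describing: the same inbound SQL Server rule first without and then with a remote-address scope, created with netsh advfirewall as shipped on Windows Server 2008. The subnet 10.20.30.0/24 and the rule names are constructed values.

```powershell
# Added example, not from the thread. Compare an unscoped and a scoped inbound
# allow rule for SQL Server (TCP 1433) using netsh advfirewall (Windows Server
# 2008 and later). Constructed values: the app-tier subnet 10.20.30.0/24 and the
# rule names. Run from an elevated PowerShell (or cmd) session.

# 1. Unscoped rule: any remote IP. Every internal host the perimeter firewall
#    already lets through can still reach the listener, so the host firewall
#    changes nothing about the attack surface (Gunner's point).
netsh advfirewall firewall add rule name="SQL-1433-Unscoped" `
    dir=in action=allow protocol=TCP localport=1433 profile=domain

# 2. Scoped rule: only the application tier may connect. Other hosts on the same
#    segment are dropped at the server even though the network firewall allows
#    them, which is the scoping Mike Burr refers to.
netsh advfirewall firewall add rule name="SQL-1433-AppTierOnly" `
    dir=in action=allow protocol=TCP localport=1433 profile=domain `
    remoteip=10.20.30.0/24

# 3. Remove the unscoped rule so the scoped rule is the only allow for 1433.
#    An allow rule for any remote address would otherwise still win.
netsh advfirewall firewall delete rule name="SQL-1433-Unscoped"

# 4. Verify: the RemoteIP field should read 10.20.30.0/24, not Any.
netsh advfirewall firewall show rule name="SQL-1433-AppTierOnly" verbose

# The same rule can be pushed to an OU of SQL hosts by Group Policy under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Windows Firewall with Advanced Security, which is the "1 GPO" approach above.
# Equivalent NetSecurity cmdlet on Windows Server 2012 and later:
# New-NetFirewallRule -DisplayName "SQL-1433-AppTierOnly" -Direction Inbound `
#     -Protocol TCP -LocalPort 1433 -RemoteAddress 10.20.30.0/24 `
#     -Action Allow -Profile Domain
```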

>>>We have been deploying our 2008 servers and leaving the firewall enabled. Now the question has been posed about why we should be enabling and managing host based firewalls. We do not do it for the unix hosts, and firewalls enabled on servers are seen as a redundant effort of the network team's firewalls. It is seen that host based firewalls would not protect us from internal threats as the server ports are already allowed through the firewalls and are accessible to internal systems. So my question is: is there any benefit to having host based firewalls enabled?
It's very much just for that! To protect against internal threats.. When I consider the word "internal" I think inside the same network segment. These are places where hardware firewalls don't usually exist, and this is why host firewalls have a place. Hardware firewalls are usually used to protect your "internal" network from the "outside" network, and I think host based firewalls are useful for protecting your "internal" network from your "internal" network, e.g. protecting your servers from an attack or exploit from within the internal network itself.
June 25th, 2010 9:33am

Thanks for everyone's replies as there were some very good points brought up here. I have worked in IT for many years and just never gave host based firewalls much thought. I incorrectly assumed they were basically the same as other firewalls. This all came up for discussion because the 2008 fw is very easy to set up and manage with gpo. But based on what I have learned here and from the network guys my opinion is now a complete 180 and I will be disabling all our 2008 firewalls. Exceptions can be made of course if we decide to use them to be fine grained with traffic. We are building out Internal DMZs and based on the simple fact that a host based fw does nothing to reduce attack surface it doesn't make sense for us to use them. Thanks.
June 25th, 2010 8:09pm

Gunner, Thank you for your comments. This is a matter of opinion and thus subjective. Each server scenario can be different. Generally speaking, I was thinking along the lines of many servers out there with roles that are not actively used yet they are running. I have seen DNS servers with IIS, FTP running and listening where neither one was actively used. If you flat out turn off the LAN firewall, then you increase the attack surface area. If the same server has all LAN ports closed by the firewall except for 53, then IIS and FTP can listen all they want, they will not be accessible from the LAN.
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL. Visit our Knowledgebase Sharepoint Site
June 25th, 2010 8:57pm

I had thought along those lines too but realized that most software that is installed but not used is MS features\services of the OS. In 2008, when the services are installed they automatically open up the firewall. So if it is installed then it's most likely going to be accessible even with the fw enabled. The approach we are taking is to periodically scan all the servers and shut down unneeded ports and software as they are found.
June 25th, 2010 11:17pm
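The periodic scan described above, written out as an added example (not code from any poster): for every listening TCP port it reports the owning process, whether an enabled inbound allow rule reaches it, and whether that rule is open to any remote address, which is the case Gunner says leaves the attack surface unchanged. It assumes the NetSecurity cmdlets of Windows Server 2012 or later; on 2008 the same data would come from netstat -ano and netsh advfirewall firewall show rule name=all verbose.

```powershell
# Added example, not from the thread. Audit listening TCP ports against enabled
# inbound allow rules and flag listeners reachable from any remote address.
# Assumes the NetSecurity module (Windows Server 2012+). Run elevated.

function Test-PortCovered {
    # Does a rule's LocalPort value (Any, "1433", "49152-65535", or an array
    # of such entries) cover the given port?
    param([int]$Port, $LocalPort)
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        if ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

function Get-ListenerExposure {
    # Collect enabled inbound allow rules once, with port and address filters.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.DisplayName
                Port   = ($_ | Get-NetFirewallPortFilter)
                Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            }
        }
    # One row per listening port (IPv4/IPv6 duplicates collapsed).
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $port = $_.LocalPort
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $hits = $rules | Where-Object {
            ($_.Port.Protocol -in 'TCP', 'Any') -and
            (Test-PortCovered -Port $port -LocalPort $_.Port.LocalPort)
        }
        $scopes = @($hits | ForEach-Object { $_.Remote }) | Sort-Object -Unique
        [pscustomobject]@{
            Port     = $port
            Process  = $proc
            Allowed  = [bool]$hits
            # 'Any' in the remote scope: every internal host can reach it.
            Unscoped = ($scopes -contains 'Any')
            Rules    = (@($hits | ForEach-Object { $_.Name }) -join '; ')
        }
    }
}

# Unscoped, allowed listeners sort to the top: those are the ones to uninstall,
# disable, or scope to specific source addresses.
Get-ListenerExposure | Sort-Object Unscoped, Allowed, Port -Descending | Format-Table -AutoSize
```

The report ignores block rules and program/service restrictions on allow rules, so treat Allowed as an upper bound on reachability rather than a proof of it.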

Miguel / Falcon, Name calling in short hand is still name calling...and I don't appreciate it.
>>>This is a matter of opinion and thus subjective.
No, management styles are subjective; the facts of how the firewall works are not.
>>> I have seen DNS servers with IIS, FTP running and listening where neither one was actively used. If you flat out turn off the LAN firewall, then you increase the attack surface area.
Ok, let's boil this down...quickly and to the point. There are two basic types of services running on a server: Authorized (firewall approved) and Un-Authorized (firewall blocked). What's the point of having an Un-Authorized service on a Server? None that I can think of..so un-install it. Un-used, or slightly-used services are still Authorized, but just not commonly used.....that seems to be what you are talking about. The FW still does nothing to block access to un-used or slightly-used services; your surface area for attack is still the same...because the service is authorized. I think you are attempting to convey the following management style (the subjective part). You could use the Firewall (and admins that can't configure a firewall) to stop access to un-authorized services. However, I see this as a poorly managed environment, because these services should be un-installed first, and never installed to begin with. An alternative management style would be to have a properly managed environment in which change control is used and NO un-authorized services are installed on servers....thus reducing the need for the FW all together. This has the same effect, but without the added service. In your scenario the only "Attack Surface" you have reduced are un-authorized services, which are not needed anyway...because they are blocked. I hope you find these comments as helpful as the last.
July 1st, 2010 12:17am

Gunner,
>> Name calling in short hand is still name calling...and i don't appreciate it.
You are correct. I was a bit frustrated by the hostility your response seemed to convey. I will edit my shorthand and please accept my apologies.
>> ...because the service is authorized.
I am not arguing your point. You are correct, unauthorized services SHOULD be uninstalled. However, if there are unauthorized services running on a server, a firewall that has its ports closed except for the authorized services will better protect the server. In a well maintained network, I agree with you that the Windows 2008 firewall is redundant. There are, however, sloppily configured servers out there and in such cases centrally managed firewalls run by a responsible, knowledgeable entity would help (although I agree with Jorge that it's a lot of trouble and a packet filter/DMZ is better suited for the job).
>> No management styles are subjecting
Everything is subjective. Time, space, velocity, even the color of the sky. It depends on the point of view of the observer.
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL. Visit our Knowledgebase Sharepoint Site
July 1st, 2010 1:19am

Hi, there is a simple and easy description of a Firewall: it differentiates between trusted and untrusted traffic, which means it blocks unauthorized or uninvited users from making connections to your network and stops them from doing malicious activity in your personal or organizational network .... FOR MORE INFORMATION ABOUT FIREWALLS VISIT MY BLOG ON FIREWALLS ( http://www.brijj.com/vikram-singh-774 ). BY VIKRAM SINGH
July 21st, 2010 12:45am
