* OT: iptables-like firewall for windows?
@ 2003-08-22 13:26 Jason Joines
2003-08-22 19:51 ` Tony Clayton
` (6 more replies)
0 siblings, 7 replies; 17+ messages in thread
From: Jason Joines @ 2003-08-22 13:26 UTC (permalink / raw)
To: netfilter
We have a completely Linux back-end environment but unfortunately
hundreds of windows desktops. I'm pretty tired of all the attacks on
the unprotected windows boxes but don't have the authority to put up a
network firewall. We protect all of our Linux servers with iptables.
Does anyone know of a similar tool for windows, particularly w2k? The
built-in stuff seems to be virtually worthless.
Thanks,
Jason Joines
Open Source = Open Mind
========================
* Re: OT: iptables-like firewall for windows?
From: Tony Clayton @ 2003-08-22 19:51 UTC (permalink / raw)
To: Jason Joines; +Cc: netfilter
There is a link called "Specific actions for Blaster worm" on the
www.microsoft.com front page, which takes you here:
http://www.microsoft.com/security/incident/blast.asp
They mention numerous third-party firewall solutions.
On Fri, Aug 22, 2003 at 08:26:58AM -0500, Jason Joines <joines@bus.okstate.edu> wrote:
> We have a completely Linux back-end environment but unfortunately
> hundreds of windows desktops. I'm pretty tired of all the attacks on
> the unprotected windows boxes but don't have the authority to put up a
> network firewall. We protect all of our Linux servers with iptables.
> Does anyone know of a similar tool for windows, particularly w2k? The
> built-in stuff seems to be virtually worthless.
>
> Thanks,
>
> Jason Joines
> Open Source = Open Mind
> ========================
>
>
>
* Re: OT: iptables-like firewall for windows?
From: Shawn @ 2003-08-22 21:06 UTC (permalink / raw)
To: Jason Joines; +Cc: netfilter@lists.netfilter.org
On Fri, 2003-08-22 at 08:26, Jason Joines wrote:
> We have a completely Linux back-end environment but unfortunately
> hundreds of windows desktops. I'm pretty tired of all the attacks on
> the unprotected windows boxes but don't have the authority to put up a
> network firewall. We protect all of our Linux servers with iptables.
> Does anyone know of a similar tool for windows, particularly w2k? The
> built-in stuff seems to be virtually worthless.
I take issue with that statement. It's /actually/ worthless!
google kerio personal firewall
* Re: OT: iptables-like firewall for windows?
From: Arnt Karlsen @ 2003-08-22 23:33 UTC (permalink / raw)
To: netfilter
On Fri, 22 Aug 2003 16:06:39 -0500,
Shawn <core@enodev.com> wrote in message
<1061586399.18527.102.camel@localhost>:
>
> On Fri, 2003-08-22 at 08:26, Jason Joines wrote:
> > We have a completely Linux back-end environment but unfortunately
> > hundreds of windows desktops. I'm pretty tired of all the attacks
> > on the unprotected windows boxes but don't have the authority to put
> > up a network firewall. We protect all of our Linux servers with
> > iptables. Does anyone know of a similar tool for windows,
> > particularly w2k? The built-in stuff seems to be virtually
> > worthless.
>
> I take issue with that statement. It's /actually/ worthless!
>
> google kerio personal firewall
..you have no authority??? Lay off! "Not my problem.".
..defend your own turf, the Linux boxes. _I_ would make
_sure_ I had _no_ responsibility on the Wintendos.
..be _evil_, if any Wintendoite whines, tell'em about knoppix.net,
netfilter, shorewall.net and webmin.com, ipcop.org if they can spare
an extra old box in their home lan, "but here at work I have _no_
authority, and, thank God, _no_ responsibility, Insh'Allah!", etc.
..you _have_ such responsibility? Show your spine. Quit.
Let them wail. Tell'em your price. No time for mercy.
..if they fall into bankruptcy, with _your_ hand on the Wintendo
wheel, it _is_ _your_ _own_ fault.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: OT: iptables-like firewall for windows?
From: Shawn @ 2003-08-23 0:06 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
Maybe the current state of the economy precludes him from bitching about
job scope... JETSON!!!!
On Fri, 2003-08-22 at 18:33, Arnt Karlsen wrote:
> On Fri, 22 Aug 2003 16:06:39 -0500,
> Shawn <core@enodev.com> wrote in message
> <1061586399.18527.102.camel@localhost>:
>
> >
> > On Fri, 2003-08-22 at 08:26, Jason Joines wrote:
> > > We have a completely Linux back-end environment but unfortunately
> > > hundreds of windows desktops. I'm pretty tired of all the attacks
> > > on the unprotected windows boxes but don't have the authority to put
> > > up a network firewall. We protect all of our Linux servers with
> > > iptables. Does anyone know of a similar tool for windows,
> > > particularly w2k? The built-in stuff seems to be virtually
> > > worthless.
> >
> > I take issue with that statement. It's /actually/ worthless!
> >
> > google kerio personal firewall
>
> ..you have no authority??? Lay off! "Not my problem.".
>
> ..defend your own turf, the Linux boxes. _I_ would make
> _sure_ I had _no_ responsibility on the Wintendos.
>
> ..be _evil_, if any Wintendoite whines, tell'em about knoppix.net,
> netfilter, shorewall.net and webmin.com, ipcop.org if they can spare
> an extra old box in their home lan, "but here at work I have _no_
> authority, and, thank God, _no_ responsibility, Insh'Allah!", etc.
>
> ..you _have_ such responsibility? Show your spine. Quit.
> Let them wail. Tell'em your price. No time for mercy.
>
> ..if they fall into bankruptcy, with _your_ hand on the Wintendo
> wheel, it _is_ _your_ _own_ fault.
* RE: iptables-like firewall for windows?
From: Mark E. Donaldson @ 2003-08-23 1:22 UTC (permalink / raw)
To: Jason Joines, netfilter
Take a look at Pktfilter at http://www.hsc.fr/ressources/outils/pktfilter/
It's stateless, but very good and quite flexible nevertheless. Also, like
netfilter, it's free. I've been using it for about eight months and it gets
the job done very well indeed.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jason Joines
Sent: Friday, August 22, 2003 6:27 AM
To: netfilter@lists.netfilter.org
Subject: OT: iptables-like firewall for windows?
We have a completely Linux back-end environment but unfortunately
hundreds of windows desktops. I'm pretty tired of all the attacks on
the unprotected windows boxes but don't have the authority to put up a
network firewall. We protect all of our Linux servers with iptables.
Does anyone know of a similar tool for windows, particularly w2k? The
built-in stuff seems to be virtually worthless.
Thanks,
Jason Joines
Open Source = Open Mind
========================
* Re: OT: iptables-like firewall for windows?
From: cc @ 2003-08-23 1:46 UTC (permalink / raw)
To: Netfilter Group
Jason Joines wrote:
> We have a completely Linux back-end environment but unfortunately
> hundreds of windows desktops. I'm pretty tired of all the attacks on
> the unprotected windows boxes but don't have the authority to put up a
> network firewall. We protect all of our Linux servers with iptables.
It would be a lot cheaper to put up a Linux-based network firewall
than to install Win-based firewalls on each desktop. Tell your
Supervisor that it is more feasible to install a firewall.
Compare the costs and effectiveness. If your supervisor expects
you to install commercial firewalls to protect the windows
desktop, he's really smegging smoking something strange.
I mean if you can afford to protect your Linux servers with
iptables, how hard is it to add one more machine to protect
ALL your workstations? Mind you, I don't know how your
company's system is set up, so I don't know if 'one' firewall
is applicable enough (though it should...*shrug*)
> Does anyone know of a similar tool for windows, particularly w2k? The
> built-in stuff seems to be virtually worthless.
I wouldn't know. I don't use the builtin stuff.
You can try ZoneAlarm Pro, or Kerio.
* Re: OT: iptables-like firewall for windows?
From: Matt Hellman @ 2003-08-23 3:54 UTC (permalink / raw)
To: Jason Joines; +Cc: netfilter
Jason Joines wrote:
> We have a completely Linux back-end environment but unfortunately
> hundreds of windows desktops. I'm pretty tired of all the attacks on
> the unprotected windows boxes but don't have the authority to put up a
> network firewall. We protect all of our Linux servers with iptables.
> Does anyone know of a similar tool for windows, particularly w2k? The
> built-in stuff seems to be virtually worthless.
>
> Thanks,
>
> Jason Joines
> Open Source = Open Mind
> ========================
You mean your Windows desktop boxes are just sitting out on the Internet
unprotected? That seems unlikely...surely they are at least behind a
NAT device or proxy? In any event, a Linux firewall (or any firewall)
isn't going to fully protect you... take a look at the latest security bug
in IE (object tag). Keeping the desktops patched will go a LONG way
towards securing those machines. Don't put too much faith in a
firewall, all it takes is one notebook user to bring your whole network
down with a virus/trojan.
Good luck,
Matt
* Re: OT: iptables-like firewall for windows?
From: Jim Carter @ 2003-08-23 4:14 UTC (permalink / raw)
To: Jason Joines; +Cc: netfilter
On Fri, 22 Aug 2003, Jason Joines wrote:
> We have a completely Linux back-end environment but unfortunately
> hundreds of windows desktops. I'm pretty tired of all the attacks on
> the unprotected windows boxes but don't have the authority to put up a
> network firewall. We protect all of our Linux servers with iptables.
> Does anyone know of a similar tool for windows, particularly w2k? The
> built-in stuff seems to be virtually worthless.
The native filter in WinXP can be configured to totally block or totally
open selected ports. Unfortunately you have to open 135 etc. if you expect
to have outsiders mount your filesystems or (I think) if you want to mount
theirs. Not much help there. 3rd party products might be more flexible.
I think you have a social engineering problem. Has your department
chairman or dean or whatever gotten hit by MSBlaster, SoBig, etc? Explain
to him/her that a virus could ruin his whole day. Here at UCLA several
other departments were essentially shut down because they had no firewall.
My department has a very effective one, plus a pretty aggressive policy on
patches, and we evaded MSBlaster, but due to the lack of internal barriers
and some machines that were missed, SoBig got us yesterday. The campus
telecom service has taken the "unprecedented" step of blocking relevant
ports at the campus perimeter, to protect our less clueful departments from
the worms and to protect the outside world from our less clueful
departments. Tell that to your chairman.
James F. Carter (postmaster) Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
* Re: OT: iptables-like firewall for windows?
From: Maciej Soltysiak @ 2003-08-25 9:29 UTC (permalink / raw)
To: Jason Joines; +Cc: netfilter
> Does anyone know of a similar tool for windows, particularly w2k? The
> built-in stuff seems to be virtually worthless.
Kerio WinRoute Pro
and
Kerio Firewall
are Windows stateful firewall proxies, with a possibility to add
rules (a feature not often seen on Windows proxies) + tons of other features
like: nat, dhcp, dns, web&ftp proxy, mail hub. It's really neat.
Regards,
Maciej
* Re: OT: iptables-like firewall for windows?
From: Jason Joines @ 2003-08-25 15:30 UTC (permalink / raw)
To: netfilter
Arnt Karlsen wrote:
>On Fri, 22 Aug 2003 16:06:39 -0500,
>Shawn <core@enodev.com> wrote in message
><1061586399.18527.102.camel@localhost>:
>
>
>
>>On Fri, 2003-08-22 at 08:26, Jason Joines wrote:
>>
>>
>>> We have a completely Linux back-end environment but unfortunately
>>>hundreds of windows desktops. I'm pretty tired of all the attacks
>>>on the unprotected windows boxes but don't have the authority to put
>>>up a network firewall. We protect all of our Linux servers with
>>>iptables. Does anyone know of a similar tool for windows,
>>>particularly w2k? The built-in stuff seems to be virtually
>>>worthless.
>>>
>>>
>>I take issue with that statement. It's /actually/ worthless!
>>
>>google kerio personal firewall
>>
>>
>
>..you have no authority??? Lay off! "Not my problem.".
>
>..defend your own turf, the Linux boxes. _I_ would make
>_sure_ I had _no_ responsibility on the Wintendos.
>
>..be _evil_, if any Wintendoite whines, tell'em about knoppix.net,
>netfilter, shorewall.net and webmin.com, ipcop.org if they can spare
>an extra old box in their home lan, "but here at work I have _no_
>authority, and, thank God, _no_ responsibility, Insh'Allah!", etc.
>
>..you _have_ such responsibility? Show your spine. Quit.
>Let them wail. Tell'em your price. No time for mercy.
>
>..if they fall into bankruptcy, with _your_ hand on the Wintendo
>wheel, it _is_ _your_ _own_ fault.
>
I share views but it's also nice to be able to eat and pay the rent!
* Re: OT: iptables-like firewall for windows?
From: Arnt Karlsen @ 2003-08-25 20:33 UTC (permalink / raw)
To: netfilter
On Mon, 25 Aug 2003 10:30:26 -0500,
Jason Joines <joines@bus.okstate.edu> wrote in message
<3F4A2B92.2010805@bus.okstate.edu>:
> Arnt Karlsen wrote:
>
> >On Fri, 22 Aug 2003 16:06:39 -0500,
> >Shawn <core@enodev.com> wrote in message
> ><1061586399.18527.102.camel@localhost>:
> >
> >
> >
> >>On Fri, 2003-08-22 at 08:26, Jason Joines wrote:
> >>
> >>
> >>> We have a completely Linux back-end environment but unfortunately
> >>>hundreds of windows desktops. I'm pretty tired of all the attacks
> >>>on the unprotected windows boxes but don't have the authority to
> >>>put up a network firewall. We protect all of our Linux servers
> >>>with iptables. Does anyone know of a similar tool for windows,
> >>>particularly w2k? The built-in stuff seems to be virtually
> >>>worthless.
> >>>
> >>>
> >>I take issue with that statement. It's /actually/ worthless!
> >>
> >>google kerio personal firewall
> >>
> >>
> >
> >..you have no authority??? Lay off! "Not my problem.".
> >
> >..defend your own turf, the Linux boxes. _I_ would make
> >_sure_ I had _no_ responsibility on the Wintendos.
> >
> >..be _evil_, if any Wintendoite whines, tell'em about knoppix.net,
> >netfilter, shorewall.net and webmin.com, ipcop.org if they can spare
> >an extra old box in their home lan, "but here at work I have _no_
> >authority, and, thank God, _no_ responsibility, Insh'Allah!", etc.
> >
> >..you _have_ such responsibility? Show your spine. Quit.
> >Let them wail. Tell'em your price. No time for mercy.
> >
> >..if they fall into bankruptcy, with _your_ hand on the Wintendo
> >wheel, it _is_ _your_ _own_ fault.
> >
>
> I share views but it's also nice to be able to eat and pay the rent!
..sure, and with the dreaded Soebig.G etc lurking around,
you dine _nicely_ too. ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: iptables-like firewall for windows?
From: Jason Joines @ 2003-08-26 16:25 UTC (permalink / raw)
To: netfilter
Mark E. Donaldson wrote:
>Take a look at Pktfilter at http://www.hsc.fr/ressources/outils/pktfilter/
>It's stateless, but very good and quite flexible nevertheless. Also, like
>netfilter, it's free. I've been using it for about eight months and it gets
>the job done very well indeed.
>
>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org
>[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jason Joines
>Sent: Friday, August 22, 2003 6:27 AM
>To: netfilter@lists.netfilter.org
>Subject: OT: iptables-like firewall for windows?
>
>
> We have a completely Linux back-end environment but unfortunately
>hundreds of windows desktops. I'm pretty tired of all the attacks on
>the unprotected windows boxes but don't have the authority to put up a
>network firewall. We protect all of our Linux servers with iptables.
>Does anyone know of a similar tool for windows, particularly w2k? The
>built-in stuff seems to be virtually worthless.
>
>Thanks,
>
>Jason Joines
>Open Source = Open Mind
>========================
>
Thanks! This is just about exactly what we were looking for. It
works almost exactly like ipchains. We use a PXE application (Rembo
Tool Kit http://www.rembo.com) for workstation management so it's ideal
to be able to change a text file and update the rules.
Jason
===========
* Re: OT: iptables-like firewall for windows?
From: Jason Joines @ 2003-08-26 16:55 UTC (permalink / raw)
To: netfilter
Jim Carter wrote:
>On Fri, 22 Aug 2003, Jason Joines wrote:
>
>
>
>> We have a completely Linux back-end environment but unfortunately
>>hundreds of windows desktops. I'm pretty tired of all the attacks on
>>the unprotected windows boxes but don't have the authority to put up a
>>network firewall. We protect all of our Linux servers with iptables.
>>Does anyone know of a similar tool for windows, particularly w2k? The
>>built-in stuff seems to be virtually worthless.
>>
>>
>
>The native filter in WinXP can be configured to totally block or totally
>open selected ports. Unfortunately you have to open 135 etc. if you expect
>to have outsiders mount your filesystems or (I think) if you want to mount
>theirs. Not much help there. 3rd party products might be more flexible.
>
>I think you have a social engineering problem. Has your department
>chairman or dean or whatever gotten hit by MSBlaster, SoBig, etc? Explain
>to him/her that a virus could ruin his whole day. Here at UCLA several
>other departments were essentially shut down because they had no firewall.
>My department has a very effective one, plus a pretty aggressive policy on
>patches, and we evaded MSBlaster, but due to the lack of internal barriers
>and some machines that were missed, SoBig got us yesterday. The campus
>telecom service has taken the "unprecedented" step of blocking relevant
>ports at the campus perimeter, to protect our less clueful departments from
>the worms and to protect the outside world from our less clueful
>departments. Tell that to your chairman.
>
>James F. Carter (postmaster) Voice 310 825 2897 FAX 310 206 6673
>UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
>Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
>
>
You're exactly right, it's a social/political problem. My direct
supervisor, the college IT manager and his direct supervisor, the dean
of the college, are 100% on board. We have asked for permission to put
up our own firewall to protect the network many times and been denied.
We have asked for the university network operations group to put up
whatever they like, NAT us, etc., etc., and been denied many times. The
campus was hit with thousands of infections and when we asked to have
routing of port 135 completely disabled in and out of our network and
disabled on the switches, they couldn't believe we wanted that and had
to have it in writing first.
We had many machines hit but were fortunate enough to be able to clean
and patch them via network boot (PXE - Rembo Tool Kit -
http://www.rembo.com). Many of the other colleges had no such tool and
are having to manually rebuild machines. We have a new CIO over the
university system who seems to worship microshaft. His security
philosophy seems to be "microsoft can release patches faster than
hackers can come up with new attacks and viruses". We have lots of
unusual applications that often get broken by microshaft patches and
like to do thorough testing before deploying them.
Maybe a few more attacks whacking thousands of machines will change
their policies.
Jason
===========
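Added illustration, not part of any poster's message and not Pktfilter, ipchains or iptables syntax: a small Python model of the contrast raised in this thread between a per-port open/closed switch and a stateless rule list that can also match on source address. The rule syntax, the 10.1.0.0/16 campus range and all addresses are constructed assumptions, and evaluation is first-match.

```python
# Added illustration: toy stateless, first-match packet filter.
# The rule syntax is constructed for this example; it is NOT
# Pktfilter, ipchains or iptables syntax.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", as seen from the desktop
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn_only: bool = False  # TCP segment that opens a connection (SYN, no ACK)

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str
    proto: str              # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    syn_only: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (not self.syn_only or (p.proto == "tcp" and p.syn_only)))

def _net(token: str):
    return ANY if token == "any" else ipaddress.ip_network(token)

def parse_rules(text: str) -> List[Rule]:
    """Parse 'ACTION DIR PROTO from SRC to DST [port N] [syn]' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue                      # blank line or comment only
        ok = (len(tok) >= 7 and tok[0] in ("pass", "block")
              and tok[1] in ("in", "out") and tok[2] in ("tcp", "udp", "any")
              and tok[3] == "from" and tok[5] == "to")
        if not ok:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        dport, syn, opts = None, False, tok[7:]
        while opts:
            if opts[0] == "port" and len(opts) > 1 and opts[1].isdigit():
                dport, opts = int(opts[1]), opts[2:]
                if not 0 < dport < 65536:
                    raise ValueError(f"line {lineno}: port out of range")
            elif opts[0] == "syn":
                syn, opts = True, opts[1:]
            else:
                raise ValueError(f"line {lineno}: bad option {opts[0]!r}")
        rules.append(Rule(tok[0], tok[1], tok[2],
                          _net(tok[4]), _net(tok[6]), dport, syn))
    return rules

def decide(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; no connection table is consulted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

def port_only_filter(open_ports: set, pkt: Packet) -> str:
    """Per-port open/closed switch for inbound connection attempts:
    it cannot tell a campus host from an Internet host."""
    return "pass" if pkt.dport in open_ports else "block"

# Constructed policy for one desktop; 10.1.0.0/16 stands in for the campus range.
POLICY = parse_rules("""
pass  in  tcp from 10.1.0.0/16 to any port 135   # campus hosts may reach port 135
block in  tcp from any to any port 135           # everyone else may not
block in  udp from any to any port 135
block in  tcp from any to any syn                # no other new inbound connections
pass  in  any from any to any                    # replies; stateless, so not verified
pass  out any from any to any
""")

CAMPUS = Packet("in", "tcp", "10.1.9.9", "10.1.2.50", 135, syn_only=True)
OUTSIDE = Packet("in", "tcp", "203.0.113.7", "10.1.2.50", 135, syn_only=True)
# A non-SYN segment that belongs to no connection still passes the reply rule.
STRAY = Packet("in", "tcp", "203.0.113.7", "10.1.2.50", 4000, syn_only=False)

if __name__ == "__main__":
    for name, pkt in (("campus", CAMPUS), ("outside", OUTSIDE), ("stray", STRAY)):
        print(name, "port-only:", port_only_filter({135}, pkt),
              "rules:", decide(POLICY, pkt))
```

The STRAY case is what "stateless" costs: with no connection table, the reply rule cannot confirm that a non-SYN segment belongs to a connection the desktop opened.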
* Re: iptables-like firewall for windows?
From: Jason Joines @ 2003-08-26 16:57 UTC (permalink / raw)
To: netfilter
Mark E. Donaldson wrote:
>Take a look at Pktfilter at http://www.hsc.fr/ressources/outils/pktfilter/
>It's stateless, but very good and quite flexible nevertheless. Also, like
>netfilter, it's free. I've been using it for about eight months and it gets
>the job done very well indeed.
>
>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org
>[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jason Joines
>Sent: Friday, August 22, 2003 6:27 AM
>To: netfilter@lists.netfilter.org
>Subject: OT: iptables-like firewall for windows?
>
>
> We have a completely Linux back-end environment but unfortunately
>hundreds of windows desktops. I'm pretty tired of all the attacks on
>the unprotected windows boxes but don't have the authority to put up a
>network firewall. We protect all of our Linux servers with iptables.
>Does anyone know of a similar tool for windows, particularly w2k? The
>built-in stuff seems to be virtually worthless.
>
>Thanks,
>
>Jason Joines
>Open Source = Open Mind
>========================
>
Thanks! This is just about exactly what we were looking for. It
works almost exactly like ipchains. We use a PXE application (Rembo
Tool Kit http://www.rembo.com) for workstation management so it's ideal
to be able to change a text file and update the rules.
Jason
===========
* Re: OT: iptables-like firewall for windows?
From: Jason Joines @ 2003-08-26 16:58 UTC (permalink / raw)
To: netfilter
Jim Carter wrote:
>On Fri, 22 Aug 2003, Jason Joines wrote:
>
>
>
>> We have a completely Linux back-end environment but unfortunately
>>hundreds of windows desktops. I'm pretty tired of all the attacks on
>>the unprotected windows boxes but don't have the authority to put up a
>>network firewall. We protect all of our Linux servers with iptables.
>>Does anyone know of a similar tool for windows, particularly w2k? The
>>built-in stuff seems to be virtually worthless.
>>
>>
>
>The native filter in WinXP can be configured to totally block or totally
>open selected ports. Unfortunately you have to open 135 etc. if you expect
>to have outsiders mount your filesystems or (I think) if you want to mount
>theirs. Not much help there. 3rd party products might be more flexible.
>
>I think you have a social engineering problem. Has your department
>chairman or dean or whatever gotten hit by MSBlaster, SoBig, etc? Explain
>to him/her that a virus could ruin his whole day. Here at UCLA several
>other departments were essentially shut down because they had no firewall.
>My department has a very effective one, plus a pretty aggressive policy on
>patches, and we evaded MSBlaster, but due to the lack of internal barriers
>and some machines that were missed, SoBig got us yesterday. The campus
>telecom service has taken the "unprecedented" step of blocking relevant
>ports at the campus perimeter, to protect our less clueful departments from
>the worms and to protect the outside world from our less clueful
>departments. Tell that to your chairman.
>
>James F. Carter (postmaster) Voice 310 825 2897 FAX 310 206 6673
>UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
>Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
>
>
You're exactly right, it's a social/political problem. My direct
supervisor, the college IT manager and his direct supervisor, the dean
of the college, are 100% on board. We have asked for permission to put
up our own firewall to protect the network many times and been denied.
We have asked for the university network operations group to put up
whatever they like, NAT us, etc., etc., and been denied many times. The
campus was hit with thousands of infections and when we asked to have
routing of port 135 completely disabled in and out of our network and
disabled on the switches, they couldn't believe we wanted that and had
to have it in writing first.
We had many machines hit but were fortunate enough to be able to clean
and patch them via network boot (PXE - Rembo Tool Kit -
http://www.rembo.com). Many of the other colleges had no such tool and
are having to manually rebuild machines. We have a new CIO over the
university system who seems to worship microshaft. His security
philosophy seems to be "microsoft can release patches faster than
hackers can come up with new attacks and viruses". We have lots of
unusual applications that often get broken by microshaft patches and
like to do thorough testing before deploying them.
Maybe a few more attacks whacking thousands of machines will change
their policies.
Jason
===========
* RE: OT: iptables-like firewall for windows?
From: Michael @ 2003-09-01 5:33 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Jason Joines
> Sent: Tuesday, August 26, 2003 6:58 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: OT: iptables-like firewall for windows?
>
>
> Jim Carter wrote:
>
> >On Fri, 22 Aug 2003, Jason Joines wrote:
> >
> >
> >
> >> We have a completely Linux back-end environment but unfortunately
> >>hundreds of windows desktops. I'm pretty tired of all the attacks on
> >>the unprotected windows boxes but don't have the authority to put up a
> >>network firewall. We protect all of our Linux servers with iptables.
> >>Does anyone know of a similar tool for windows, particularly w2k? The
> >>built-in stuff seems to be virtually worthless.
> >>
I haven't followed this thread, but ZoneAlarm is a good choice for
Windows Workstations and there is a free version too.
/Michael