TCP/IP Filtering

[Sam Kong]

In Windows 2000, there's no built-in firewall.
Can I use TCP/IP Filtering on the network adapter property instead of firewall?
It's webserver and I want to open only 80 port.

Thanks.

Sam

 

[Steven L Umbach]

Tcp/ip filtering is a whole lot better than nothing and is generally used as an
additional layer of protection but not the only. If you enable it for UDP, you will
not be able to resolve internet names from the server if that is important. Keep in
mind that tcp/ip filtering does not block ICMP and DOS attacks that are used by it.
If for some reason you can not but a firewall right now I suggest you also look into
using ipsec filtering which can effectively filter udp and manage outbound traffic
unlike tcp/ip filtering. The two links below explain more on ipsec filtering and some
weaknesses of it when used as an internet firewall [not it's intended purpose] that
can be remedied by a registry setting. --- Steve

http://www.securityfocus.com/infocus/1559
http://support.microsoft.com/default.aspx?scid=kb;en-us;811832

 

[Karl Levinson [x y] mvp]

Some people do this, and there's also IPSec filtering. However, Microsoft
says that neither of these are really meant as firewalls. For one thing,
there's no logging, alerting or intrusion detection. The lack of logging
causes a problem not only when you suspect you may have been hacked or
flooded with a DoS, but also when something goes wrong during the initial
setup. And, I would always be concerned that the filtering could become
enabled by an idiot administrator, a future patch or service pack
installation, a network card replacement, a spontaneous software glitch,
etc. Also, firewalls have gotten fairly cheap. www.netscreen.com offers
hardware firewall devices starting around $600 US, possibly cheaper if you
search ebay.com for firewalls.

Information on setting up IPSec or TCP/IP filtering:

http://securityadmin.info/faq.asp#firewall
http://securityadmin.info/faq.asp#ipsec
www.nsa.gov/snac