Networking Forums

Do I need a third party firewall?

 
 
sharad
      11-29-2003, 03:11 PM
I had set up Win 2003 server. It has two LAN cards,
one used for private networking, and one for Internet.
The LAN card for Internet is directly connected to the
router, no other connections.

I have set up NAT, so that through private network card
employees can use internet.
On the same server, I run our Mail Server, with WebMail
Support.
I have enabled inbuilt Win2003 Firewall for the Internet
LAN card and have enabled only 3 TCP ports, 25, 110 and 80.
All other ports I have blocked.
Now is this sufficient to prevent hackers? My belief is
that through port 110 a hacker if successful can only get
mails of some users, through port he can only send mails
(SPAM, however I have blocked relay on the mail server.)
Are my assumptions correct? What about port 80? Apart from
going to the web mail page, can someone access other data?
Should I also install a third party FireWall?

Will be very much thankful if someone can advise.

Sharad
 
Robert Moir
      11-29-2003, 10:15 PM
sharad wrote:
> I had set up Win 2003 server. It has two LAN cards,
> one used for private networking, and one for Internet.
> The LAN card for Internet is directly connected to the
> router, no other connections.
>
> I have set up NAT, so that through private network card
> employees can use internet.
> On the same server, I run our Mail Server, with WebMail
> Support.
> I have enabled inbuilt Win2003 Firewall for the Internet
> LAN card and have enabled only 3 TCP ports, 25, 110 and 80.
> All other ports I have blocked.
> Now is this sufficient to prevent hackers? My belief is
> that through port 110 a hacker if successful can only get
> mails of some users, through port he can only send mails
> (SPAM, however I have blocked relay on the mail server.)
> Are my assumptions correct? What about port 80? Apart from
> going to the web mail page, can someone access other data?
> Should I also install a third party FireWall?
>
> Will be very much thankful if someone can advise.


I'm a firm believer that you should always have your firewall on a separate
system from the thing it is protecting.

However, if all you are concerned about is protecting stuff behind ports
that you want open anyway, then it doesn't matter if you have 200 firewalls,
1, or even none, because a firewall can't do much to protect you from people
fiddling with ports that you actually want to have open.


--
--
Rob Moir
Microsoft MVP for servers & security
http://www.robertmoir.co.uk
"802.11bofh - the *other* power over ethernet standard"


 
Sharad
      11-30-2003, 02:11 PM
Thanks Rob Moir,

Now please be so kind to inform me following :-
I will stop the web interface and will block port 80 too.
So only port 25 and 110 will be open.
Now with these two ports open, a hacker may be able to
read someone's e-mail, or even may be able to relay his
mails.

But can he - apart from the mails stuff, also access
other files on my server, through these two ports?
I would not be so much worried if the e-mails get hacked.
Up till now I am under the impression that if these two ports
are open, a hacker can't do anything apart from fiddling
with the mails. Is this correct? Or can he also access
files directly. (Directly I mean not through some virus
etc.)

Sharad


 
Lanwench [MVP - Exchange]
      11-30-2003, 02:22 PM
To repeat what Robert said, you really ought to be protecting your network
at the perimeter, via a separate firewall. There isn't much someone can do
with only 25 or 110, but I am still a firm believer that your security
should begin where your Internet connection comes into the network....

Sharad wrote:
> Thanks Rob Moir,
>
> Now please be so kind to inform me following :-
> I will stop the web interface and will block port 80 too.
> So only port 25 and 110 will be open.
> Now with these two ports open, a hacker may be able to
> read someone's e-mail, or even may be able to relay his
> mails.
>
> But can he - apart from the mails stuff, also access
> other files on my server, through these two ports?
> I would not be so much worried if the e-mails get hacked.
> Up till now I am under the impression that if these two ports
> are open, a hacker can't do anything apart from fiddling
> with the mails. Is this correct? Or can he also access
> files directly. (Directly I mean not through some virus
> etc.)
>
> Sharad
>
>> I'm a firm believer that you should always have your firewall on a
>> separate system from the thing it is protecting.
>>
>> However, if all you are concerned about is protecting stuff behind
>> ports that you want open anyway, then it doesn't matter if you have
>> 200 firewalls, 1, or even none, because a firewall can't do much to
>> protect you from people fiddling with ports that you actually want
>> to have open.
>>
>>
>> --
>> --
>> Rob Moir
>> Microsoft MVP for servers & security
>> http://www.robertmoir.co.uk
>> "802.11bofh - the *other* power over ethernet standard"
>>
>>
>> .



 
Robert Moir
      11-30-2003, 03:47 PM
Sharad wrote:
> Thanks Rob Moir,
>
> Now please be so kind to inform me following :-
> I will stop the web interface and will block port 80 too.
> So only port 25 and 110 will be open.
> Now with these two ports open, a hacker may be able to
> read someone's e-mail, or even may be able to relay his
> mails.


Hopefully not. If this happens then either your email software is very badly
written, your users' passwords are insecure, or there is a mistake setting
it up. But (and I think this is what you mean) you are of course agreeing to
take on this risk by not blocking these ports off.

> But can he - apart from the mails stuff, also access
> other files on my server, through these two ports?
> I would not be so much worried if the e-mails get hacked.
> Up till now I am under the impression that if these two ports
> are open, a hacker can't do anything apart from fiddling
> with the mails. Is this correct? Or can he also access
> files directly. (Directly I mean not through some virus
> etc.)


Directly? No. While your email server is using these ports then anyone who
connects to them can only do the things the email server allows them to do.
Which certainly does *not* include browsing your server hard drive.

As for "indirectly", you need to make sure to keep the email software
concerned up to date as regards patches for security vulnerabilities, then
you will probably be fine.

--
--
Rob Moir
Microsoft MVP for servers & security
http://www.robertmoir.co.uk
"802.11bofh - the *other* power over ethernet standard"
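
An added example, not part of any post in this thread: a Python check, run from a machine outside the firewall, that compares what actually answers on the server with the intended exposure discussed above (SMTP on 25 and POP3 on 110, each identified by the greeting the mail server sends). The function names, the candidate port list and the default host 127.0.0.1 are assumptions chosen for illustration.

```python
import socket
import sys

# Intended exposure from the thread once port 80 is closed: SMTP and POP3 only.
# Both protocols greet first, so each port maps to the prefix its greeting must have.
EXPECTED = {25: b"220", 110: b"+OK"}
# Assumed candidate list of other ports worth confirming are not reachable.
CANDIDATES = [21, 23, 80, 135, 139, 445, 1433, 3389]


def probe(host, port, timeout=2.0):
    """Return (state, banner); state is 'open', 'closed' (RST) or 'filtered'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", b""          # something replied with a reset: no listener
    except OSError:
        return "filtered", b""        # timeout or unreachable: no answer came back
    with sock:
        try:
            banner = sock.recv(128)   # SMTP and POP3 servers speak first
        except OSError:
            banner = b""
    return "open", banner.strip()


def audit(host, ports, expected=EXPECTED, timeout=2.0):
    """Return a list of (port, finding, banner) where reality differs from intent."""
    findings = []
    for port in sorted(set(ports) | set(expected)):
        state, banner = probe(host, port, timeout)
        if port not in expected:
            if state == "open":
                findings.append((port, "unexpected open port", banner))
        elif state != "open":
            findings.append((port, "expected service not reachable: " + state, banner))
        elif not banner.startswith(expected[port]):
            findings.append((port, "open but greeting is not the expected protocol", banner))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, finding, banner in audit(target, CANDIDATES):
        print(port, finding, banner)
```

An empty result means only the two mail ports answered and each greeted as the mail server should; it says nothing about the mail software's patch level, which still has to be kept current.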


 
sharad
      12-01-2003, 08:30 AM
Thanks a lot Rob Moir, and Lanwench!


 