Do I need a hardware firewall for Win 2003?

We have had a Win 2003 server at a co-lo for a while. It is used as a web server and has a very cheap hardware firewall between it and the internet. Ports 3389 and 80 are the only ones forwarded to the server. I am doing some upgrading and wondering if I really need the firewall. Are there any drawbacks to just using the Win 2003 built-in firewall to make sure only traffic on 3389 and 80 gets through?


Solution 1:

Hardware-based firewalls are meant to be industrial-strength safeguards that can do more than just block ports. They are highly configurable, fast, and meant to shield the actual server(s) from attack or excessive/needless load while being separate from the OS they are protecting.

Take a peek at http://networking.anandsoft.com/network-security-firewalls.html for a good side-by-side comparison.

In short, no.

Solution 2:

No, you do not need a hardware firewall for a single node. The software-based packet-filter firewall built into Windows can do what you need.

Solution 3:

No, you don't have to have one, but you really should have one if this server is doing anything of value to you. A separate firewall will help to mitigate a number of risks including but not limited to:

  • OS bugs
  • Human error while configuring the OS
  • Undetected compromise

If all you have is the OS firewall then an OS-level 0-day or DDoS bug can take you down. A separate firewall adds an extra layer of protection in the event you accidentally open something up that shouldn't be. If your server does get compromised then a separate firewall can help you detect the compromise. A separate firewall does add cost and complexity. In my opinion, in most cases the pros outweigh the cons.
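As an added example that is not part of any of the answers above, here is what "only 80 and 3389 get through" looks like when done with the built-in firewall that Solution 2 recommends, with the logging that Solution 3's "detect the compromise" point relies on. It is a cmd script for the `netsh firewall` context that ships with Windows Server 2003 SP1 and later. The management network 203.0.113.0/24, used to scope RDP, is a made-up placeholder; substitute your own admin address range.

```batch
@echo off
REM Added example, not taken from the thread above.
REM Assumes Windows Server 2003 SP1 or later (Windows Firewall, "netsh firewall" context).
REM 203.0.113.0/24 is a hypothetical admin network; replace it with your own.

REM 1. Turn the firewall on for every profile. Exceptions stay enabled so the
REM    openings below take effect; "exceptions=DISABLE" would block them too.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Drop the default exceptions an internet-facing web server does not need.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

REM 3. Stop answering ICMP echo (type 8) from the internet.
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL

REM 4. HTTP is public: allow TCP/80 from any source.
netsh firewall add portopening protocol=TCP port=80 name="HTTP (IIS)" mode=ENABLE scope=ALL profile=ALL

REM 5. RDP is not public: allow TCP/3389 only from the admin network.
REM    Scoping this is the one thing a cheap box that "forwards 3389" usually does not do.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=203.0.113.0/24 profile=ALL

REM 6. Log dropped packets and successful connections so there is something to
REM    review if you suspect a compromise or a mistaken rule.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

REM 7. Verify the result before you take the external firewall out of the path.
netsh firewall show state
netsh firewall show service
netsh firewall show portopening
netsh firewall show logging
```

Two caveats that follow from how this firewall works rather than from the thread: it filters inbound traffic only, so a compromised server can still open outbound connections freely, and the log it writes lives on the same host as the attacker, which is exactly the "separate from the OS it is protecting" property Solution 1 and Solution 3 are pointing at. Run `netsh firewall show config` from an RDP session on the admin network after applying the script, and test from an address outside that range that 3389 no longer answers.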