The other day I did a blog post about poking a hole in SBS 2008’s internal firewall to ensure that QuickBooks ran properly, and someone said that I needed to run an external firewall because SBS’s looked like Swiss cheese. And he’s right, I do need to run a proper firewall, because the firewall on the internal NIC is NOT (let me repeat that) NOT to be seen, used, or thought of as an external-facing firewall. While you should not disable it, as it provides critical hardening services to that firewall/networking stack, it should not be seen as any substitute for the external firewall. Any application sitting on that server will need a policy/exclusion/allowance in that firewall policy. Turn the firewall off, and you just locked yourself out of RDP.
This is the “Swiss cheese” of SBS 2008’s firewall in image form:
(Note: I enable network discovery, so that exception is not standard.)
I also for grins clicked on that “notify me” just to see if it would do anything.
But bottom line, that’s not the firewall settings of an outward facing firewall.
So what firewalls are good for SBS 2008?
Depends on your budget. I don’t consider Linksys-style firewalls to be “business” quality, but I certainly have two here at home to be able to run an SBS 2003 and an SBS 2008 so that they don’t complain about one another (if you need the ability to have a network outside of your SBS network, consider having two routers to provide this ability).
In a business setting, I want more. The firewall guru of SMB, Amy Babinchak, recommends http://www.calyptix.com/. I like them for several reasons, one of them purely emotional. If you remember Sally Field’s emotional award ceremony a few years back... “You like me, you really really like me!”... one can say similar about Calyptix and the SMB space. “They like us, they really really like us”. We’re not an “Enterprise cut down cost center” like some firewalls, nor do the interfaces need a degree in rocket science to set up. And you can’t go wrong with a paranoid lawyer being the CEO either.
I think you need to look at your budget and paranoia, and standardize on models for your client base. It makes it much easier to manage.