Servers are often entry points to a network, particularly those that are internet-visible. Kerio's ServerFirewall, built for Microsoft operating systems, aims to combat that by filtering traffic at the server.
A small install and reboot is all that's required to load the software. ServerFirewall can be administered via its excellent web interface either from the local machine or, if you enable the option, remotely.
Protection starts with basic stateful inspection firewall rules, where you can choose which services you want to allow and the direction they can run in.
You can also choose which networks each rule applies to. The default policy for ServerFirewall allows all outbound traffic but denies everything else.
As the firewall is sitting on the local machine, you can also select which processes a rule applies to. In this way, you can easily choose which applications you want to allow network access to. The only drawback is that this has to be done manually.
When testing, we would have preferred the installer to guide us and help us to choose which processes to give access to, based on the server's role.
The next level of protection is application hardening. By adding processes to the rule list, you can prevent them from launching new processes and modifying special operating system areas, such as the registry.
Again, there is no installer help with process selection, so you are advised to be fully aware of what actions an application needs to perform. Otherwise, you could end up stopping your server from working.
Finally, the intrusion prevention settings help protect your server from well-known attacks and bad packets by filtering them out. The firewall is set to check for updates automatically, so it should stay up to date with the latest network threats.
While ServerFirewall adds an extra element of protection, which could be very useful in staving off an attack, it can be difficult to manage.
Ideally, this firewall software should be run on a test server first to check the configuration before it is rolled out to the main network.