[clue-tech] necessity of external hardware firewall
Greg Knaddison
greg.knaddison at gmail.com
Tue Aug 1 08:59:48 MDT 2006
Hi Dave,

Thanks for your pointers and further questions.

On 7/31/06, David L. Anselmi <anselmi at anselmi.us> wrote:
>
> Certainly something fancier would do more stuff but it hardly sounds
> like it's worth the effort, even if it's free.

It's not free - this is a "dedicated server" from The Planet so the
choice was a CheckpointX16 ($90/month) or Checkpoint XU ($190/month)
or Cisco PIX515e ($495/month).

> Rather than have us guess what might be most appropriate for you why
> don't you propose to us how you would use a firewall? We can tell you
> what is redundant or missing and you can decide whether you've made a
> good design.

Well, that's where I'm stuck and why I came here. I don't understand
what benefit there _might_ be to the firewall.
The services are basic internet host services: www, smtp, imap, mysql, ssh.
Given those services and given that I plan to block all other
ports...I'm not sure why I would need/want a firewall.

> Give us a complete description of the networks involved, the servers,
> the services they provide, who uses the services (what networks they are
> on), and what resources (data, service, etc.) you want to protect.

These are public services, at least the intention is that people will
want to access the www service. smtp/imap are clearly only for people
who I will be giving email accounts to. ssh is just for me. And
mysql is for the dynamic pages being served by httpd.
I can't really answer the other questions because I'm not sure. Let's
assume that I kept credit card numbers on the machine and wanted to
protect that data. Does an external firewall do that for me? Or
would an external firewall help protect against a DoS?

> I'd also suggest that, besides turning off services you don't want the
> public using, you should get your backup/restore system working before
> you worry about a firewall.

Indeed - that is great advice and I've got a plan in place for once
the server is installed.

Thanks,
Greg