[clue-tech] necessity of external hardware firewall

Greg Knaddison greg.knaddison at gmail.com
Tue Aug 1 08:59:48 MDT 2006


Hi Dave,

Thanks for your pointers and further questions.

On 7/31/06, David L. Anselmi <anselmi at anselmi.us> wrote:
>
> Certainly something fancier would do more stuff but it hardly sounds
> like it's worth the effort, even if it's free.

It's not free - this is a "dedicated server" from The Planet so the
choice was a CheckpointX16 ($90/month) or Checkpoint XU ($190/month)
or Cisco PIX515e ($495/month).

> Rather than have us guess what might be most appropriate for you why
> don't you propose to us how you would use a firewall?  We can tell you
> what is redundant or missing and you can decide whether you've made a
> good design.

Well, that's where I'm stuck and why I came here.  I don't understand
what benefit there _might_ be to the firewall.

The services are basic internet host services: www, smtp, imap, mysql, ssh.

Given those services and given that I plan to block all other
ports...I'm not sure why I would need/want a firewall.

> Give us a complete description of the networks involved, the servers,
> the services they provide, who uses the services (what networks they are
> on), and what resources (data, service, etc.) you want to protect.

These are public services, at least the intention is that people will
want to access the www service.  smtp/imap are clearly only for people
who I will be giving email accounts to.  ssh is just for me.  And
mysql is for the dynamic pages being served by httpd.

I can't really answer the other questions because I'm not sure.  Let's
assume that I kept credit card numbers on the machine and wanted to
protect that data.  Does an external firewall do that for me?  Or
would an external firewall help protect against a DoS?

> I'd also suggest that, besides turning off services you don't want the
> public using, you should get your backup/restore system working before
> you worry about a firewall.

Indeed - that is great advice and I've got a plan in place for once
the server is installed.

Thanks,
Greg
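
Added example, not part of the original message: a host-side check that the listening sockets match the exposure described above (www, smtp, imap and ssh reachable; mysql only for the local httpd), which is the baseline any external firewall would sit in front of. The default port numbers, the assumption that httpd and mysql share this host, and the constructed `ss -tlnH` sample are all assumptions of the example.

```python
import ipaddress

# Assumed default ports for the services named in the post.
PUBLIC = {80: "www", 25: "smtp", 143: "imap", 22: "ssh"}
LOCAL_ONLY = {3306: "mysql"}  # assumes httpd and mysql run on the same host

# Constructed sample of `ss -tlnH` output, not taken from a real server.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 64 [::]:111 [::]:*
"""

def is_loopback(addr):
    """True if the bind address is reachable only from the host itself."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        return False  # wildcard bind: every interface
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output):
    """Return (port, address, reason) for each listener outside the policy."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        port = int(port)
        if is_loopback(addr) or port in PUBLIC:
            continue  # unreachable from the network, or meant to be public
        if port in LOCAL_ONLY:
            reason = LOCAL_ONLY[port] + " should bind to loopback only"
        else:
            reason = "unexpected listener"
        findings.append((port, addr, reason))
    return findings

if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE):
        print(f"{addr}:{port}  {reason}")
```

On a live host the input would come from `ss -tlnH` instead of the sample; an empty result means only the intended services are reachable from the network.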


