[clue-tech] necessity of external hardware firewall

Jim Ockers ockers at ockers.net
Tue Aug 1 10:05:45 MDT 2006


Greg,

> > Rather than have us guess what might be most appropriate for you why
> > don't you propose to us how you would use a firewall?  We can tell you
> > what is redundant or missing and you can decide whether you've made a
> > good design.
> 
> Well, that's where I'm stuck and why I came here.  I don't understand
> what benefit there _might_ be to the firewall.
> 
> The services are basic internet host services: www, smtp, imap, mysql, ssh.
> 
> Given those services and given that I plan to block all other
> ports...I'm not sure why I would need/want a firewall.

First of all, regardless of your choice of external firewall, you should
configure sshd to listen on a port other than 22.  Do as I say, not as
I do. :)  Some IT people I work with have found that discourages 99+%
of the automated attacks like password brute-forcing.

Secondly, if you configure your box so that iptables rejects all connections
other than the services you actually want to provide, then the benefits of
an external firewall are limited to the following:

1. When someone tries to mess with your kernel or IP stack using, say,
a SYN flood attack, or putting invalid bits in the TCP header, or
something like that, then the external firewall will hopefully filter
that malicious or malformed traffic out before it affects your box.

For instance, in the unlikely event there is some weird OS bug in the
Linux kernel that can cause a remote root or panic just on the
presentation of some malformed packet, maybe the firewall will eat the
malformed packet and your box won't see it.

2. If someone engages in a DDoS against your server then hopefully the
external firewall will bear the brunt of the attack.  Either way your
web site probably won't be reachable though.

That's all I can think of for now, so if it's expensive to have the
external packet filtering/firewall then you might as well just use the
Linux iptables.  It'd be a good idea to use iptables to its fullest
benefit, such as rejecting invalid states.  There are lots of good web
sites that can assist you with configuring iptables.

Hope this helps,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/


