[clue-tech] necessity of external hardware firewall

Ken MacFerrin lists at macferrin.com
Tue Aug 1 15:21:05 MDT 2006


Greg Knaddison wrote:

> 
> Well, that's where I'm stuck and why I came here.  I don't understand
> what benefit there _might_ be to the firewall.
> 
> The services are basic internet host services: www, smtp, imap, mysql, ssh.
> 
> Given those services and given that I plan to block all other
> ports...I'm not sure why I would need/want a firewall.
> 

There are a few benefits to running a separate, dedicated firewall for
your server:

1. You can set up better logging and intrusion detection. This
configuration gives you the ability to set up an IDS on your server that
only needs to worry about traffic that actually makes it through the
firewall.

2. If you use an actual linux box for the firewall you could also run it
as a Squid reverse proxy for your www service to provide content
caching, advanced filtering and traffic sanitizing to protect and reduce
the load on apache.  (You could also offload the ssl work of any https
services).

3. You can gain additional security by monitoring for any
unauthorized/abnormal traffic coming _out_ of your server.  Someone
could exploit a service to hack your server but may still not be able to
breach your firewall box; in which case the firewall would at least be
able to alert you that you've been rooted.

The downsides would of course be additional setup and another box to
maintain...
-Ken
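Points 1 and 3 above amount to this: a firewall box that sits in front of the server sees every connection the server itself opens, and a web/mail host that suddenly starts talking to unexpected ports is a strong sign it has been compromised. The following script is an added illustration, not code from Ken's post or from the clue-tech list. It assumes the firewall logs each NEW outbound connection from the server with netfilter's LOG target (the `FW-OUT-NEW:` prefix, server address 192.0.2.10 and the egress allow-list are all constructed for the example), parses those log lines and reports any outbound connection that the server has no business making.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed values for the example: the protected server behind the
# firewall and the outbound connections it is *expected* to initiate.
# A www/smtp/imap host needs outbound SMTP, DNS and NTP; anything else it
# opens on its own (IRC, plain HTTP fetches, ...) is worth an alert.
SERVER_IP = "192.0.2.10"
ALLOWED_EGRESS = {
    ("TCP", 25),     # outbound mail delivery
    ("UDP", 53),     # DNS lookups
    ("TCP", 53),
    ("UDP", 123),    # NTP
    ("ICMP", None),  # echo requests / path-MTU traffic carry no ports
}

# Fields written by netfilter's LOG target; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"(?P<prefix>[A-Z0-9_-]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class Flow:
    prefix: str
    src: str
    dst: str
    proto: str
    dpt: Optional[int]   # None for protocols without ports (ICMP)


def parse_line(line: str) -> Optional[Flow]:
    """Turn one kernel log line into a Flow, or None if it is not a LOG entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    dpt = m.group("dpt")
    return Flow(m.group("prefix"), m.group("src"), m.group("dst"),
                m.group("proto"), int(dpt) if dpt else None)


def is_unauthorized(flow: Flow) -> bool:
    """True when the protected server initiated a flow outside the allow-list.
    Because the firewall only logs NEW connections, replies to inbound
    client sessions never show up here and cannot trigger false alerts."""
    if flow.src != SERVER_IP:
        return False
    return (flow.proto, flow.dpt) not in ALLOWED_EGRESS


def find_unauthorized_egress(lines: Iterable[str]) -> List[Flow]:
    flows = (parse_line(line) for line in lines)
    return [f for f in flows if f is not None and is_unauthorized(f)]


def summarize(flows: Iterable[Flow]) -> dict:
    """Count unauthorized flows per (destination, protocol, port)."""
    return dict(Counter((f.dst, f.proto, f.dpt) for f in flows))


# Constructed sample of the firewall's kernel log: two legitimate outbound
# connections, repeated attempts to reach an IRC port, a plain-HTTP fetch,
# a ping, one inbound drop from elsewhere, and one unrelated kernel message.
SAMPLE_LOG = [
    "Aug  1 15:21:05 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=43210 DPT=25 WINDOW=5840 SYN URGP=0",
    "Aug  1 15:21:05 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=68 TTL=63 ID=2 DF PROTO=UDP SPT=51000 DPT=53 LEN=48",
    "Aug  1 15:21:06 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=5840 SYN URGP=0",
    "Aug  1 15:21:09 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TTL=63 ID=4 DF PROTO=TCP SPT=43212 DPT=6667 WINDOW=5840 SYN URGP=0",
    "Aug  1 15:21:10 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.44 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=43213 DPT=80 WINDOW=5840 SYN URGP=0",
    "Aug  1 15:21:11 fw kernel: FW-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TTL=63 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    "Aug  1 15:21:12 fw kernel: FW-IN-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.99 DST=192.0.2.10 LEN=60 TTL=52 ID=9 DF PROTO=TCP SPT=55555 DPT=3306 WINDOW=65535 SYN URGP=0",
    "Aug  1 15:21:13 fw kernel: martian source 203.0.113.1 from 10.0.0.1, on dev eth0",
]


if __name__ == "__main__":
    bad = find_unauthorized_egress(SAMPLE_LOG)
    for (dst, proto, dpt), n in summarize(bad).items():
        print(f"ALERT: {SERVER_IP} opened {n} unexpected {proto} connection(s) to {dst} port {dpt}")
```

Run it as-is and it reports the two IRC attempts and the HTTP fetch while staying quiet about the mail, DNS and ping traffic; the inbound drop and the unrelated kernel message are ignored. Because the check runs on the firewall box rather than on the server, it keeps working even after the server itself has been rooted and its own logs can no longer be trusted.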
