[clue-tech] necessity of external hardware firewall
William
wlist-clue at kimballstuff.com
Mon Jul 31 17:01:18 MDT 2006
Greg Knaddison wrote:
> I'm about to get a dedicated server to run typical website services:
> www, smtp, imap, mysql, etc. Is it worth getting an external
> firewall? What factors would impact your decision to have an external
> firewall for a server? Are there some features of hardware firewalls
> that make them worthwhile above the firewall already available?
>
> This will be a RHEL box and I will only have this one machine. I can
> foresee using multiple RHEL boxes (web + DB) at some point. The data
> on the machines is just "typical stuff" i.e. not medical records nor
> financial institution records nor...
Talk about your big questions! This is likely to start up yet another
philosophical debate or contest of wits, which I'll volunteer to bow out
of before it begins (I refuse to become engaged following this post).
Disclaimer aside, here is my opinion, based on my own experience. This
is probably an extreme case (and believe me, I can still tighten it down
even further if motivated to do so), compared to most other opinions
that you will receive.
First, the environment (my SOHO):
* 7 Servers, mixed environment (Windows 2K/3 and CentOS/RHEL).
* 3 Workstations, all Windows XP Pro.
* Several network appliances (including video games consoles).
* BOTH Hardware and Software firewalls are utilized.
At the hardware level, I employ both NAT and CBAC firewall mechanisms.
At the software level, I employ IPTables and Windows Firewall -- based
on the OS. In all cases, I follow a whitelisting firewall philosophy
(with additional dynamic blacklisting rules based on attack pattern
detection) as opposed to a blacklisting philosophy. If you're
unfamiliar with the difference:
* A whitelisting firewall means ALL ports/services are BLOCKED by default
and ONLY predicted, necessary ports/services are permitted.
* A blacklisting firewall means the device is WIDE OPEN and ONLY
"troublesome" ports/services are blocked and/or only "troubled" external
IPAs are blocked.
Additionally, I treat all networks as hostile, both internal and
external. This means that even the "inside" footprints of my servers
are based on whitelisting rules.
While the initial design and configuration was somewhat tedious, the end
product is simple. No machine on my network has any visible ports that
I don't expressly determine, either on the public IPA or the internal
IPA. In theory, this should contain any intrusive attempts to the
single compromised machine, should that ever become the case, greatly
reducing the capacity of any hacker/virus/worm/etc. to propagate on my
LAN (or outside, for that matter).
Bear in mind that I also use physical barriers. I have 7 servers in
this configuration (at HOME). This isn't necessarily because of the
amount of traffic I handle. In truth, I handle far less than all this
hardware is capable of. Rather, my database server, mail
policy/scanning server, file server, and Windows domain controller have
no public access whatsoever -- no external IPA (no inbound route from
the router). While I provide a full set of hosting features (web, ftp,
smtp, pop3, imap, dns), no machine handles more than its limited-scope
services, meaning my gateway mail server offers no pop3/imap features
and my web/ftp servers offer no external mail services whatsoever. Each
machine offers only a limited, tightly related set of services based on
function.
For a look at how I handle just e-mail (even server-to-server mail
handling is over SSL), take a look at:
http://www.kimballstuff.com/files/networking/E-mail_Handling.png
That was the technical part, here's the philosophy:
As you can see, it is my opinion that you cannot take security lightly,
regardless of whether you're handling a personal web site or
mission-critical (credit-card/medical/military/government)
services/data. One compromised machine is one more zombie on the web
that is ripe for spammer/phisher/attack activities. I will not tolerate
having any machine under my control being used for unlawful means.
I realize that even policies like my own are not infallible and
consequently, I make no claim that mine is. I scrutinize my log files
(not only the LogWatch output, but my router and firewall logs as well)
regularly in an effort to identify when -- not if -- a hack occurs.
I've been doing this since late 2000 and so far, I'm clean (as far as I
can tell).
If you're asking whether you should get a hardware firewall, my answer
is this:
Absolutely, and fortify it with an additional layer of software
firewalls! Apply as many security techniques as you know how to and
review your security footprint (scan your own network from both inside
and outside) and performance regularly (check your logs)! Good security
requires diligence, patience, and luck.
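The whitelisting ruleset William describes, written out for the single RHEL box in Greg's question (www, smtp, imap, mysql, with a web/DB split in mind). This is an added example, not code from William's post or his network; the admin network 192.0.2.0/24 (an RFC 5737 documentation range) and the internal web host 10.0.0.20 are assumed placeholders, and the ruleset is emitted in iptables-restore format so it can be read and audited as text before it is ever applied. The second function does the "review your own footprint" step from the end of the post in the simplest possible way: it lists which TCP ports the ruleset accepts from anywhere, which is exactly the set an outside scan should report and nothing more.

```shell
#!/bin/sh
# Default-deny (whitelisting) iptables ruleset for one RHEL host.
# Added example; addresses below are assumptions, not from the original post:
#   $1 = admin network allowed to SSH in   (default 192.0.2.0/24, RFC 5737)
#   $2 = internal web host allowed to reach MySQL (default 10.0.0.20)
gen_rules() {
    admin_net="${1:-192.0.2.0/24}"
    web_host="${2:-10.0.0.20}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to connections this host opened, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# keep the box pingable, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# management: SSH only from the admin network, never from the world
-A INPUT -p tcp -s ${admin_net} --dport 22 -m state --state NEW -j ACCEPT
# public services: web, SMTP delivery, IMAP over TLS
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
# MySQL reachable only from the (future) web front end; "inside" is hostile too
-A INPUT -p tcp -s ${web_host} --dport 3306 -m state --state NEW -j ACCEPT
# LOG is non-terminating: whatever reaches here is logged, then hits policy DROP,
# so the drops show up in the regular log review
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Self-audit: TCP ports the ruleset accepts from ANY source (ACCEPT rules
# without a -s restriction), sorted, space-separated. An external scan of
# the host should show exactly these and nothing else.
world_reachable() {
    gen_rules "$@" \
        | grep '^-A INPUT' | grep -- '-j ACCEPT' | grep -v -- ' -s ' \
        | sed -n 's/.*--dports\{0,1\} \([0-9,]*\).*/\1/p' \
        | tr ',' '\n' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Apply (as root):   gen_rules 192.0.2.0/24 10.0.0.20 | iptables-restore
# Inspect afterwards: iptables -L INPUT -n -v --line-numbers
# Then confirm from outside (nmap -sS -p- <public IP>) that only the
# world_reachable ports answer.
```

Because the admin network and the database client are passed in rather than hard-coded, the same generator serves the single-box case now and the web + DB split later: on the DB host you would drop the 80/443/25/993 lines and keep only SSH-from-admin and 3306-from-web-host.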