[clue-tech] necessity of external hardware firewall

William wlist-clue at kimballstuff.com
Mon Jul 31 17:01:18 MDT 2006


Greg Knaddison wrote:
> I'm about to get a dedicated server to run typical website services:
> www, smtp, imap, mysql, etc.  Is it worth getting an external
> firewall?  What factors would impact your decision to have an external
> firewall for a server?  Are there some features of hardware firewalls
> that make them worthwhile above the firewall already available?
>
> This will be a RHEL box and I will only have this one machine.  I can
> foresee using multiple RHEL boxes (web + DB) at some point.  The data
> on the machines is just "typical stuff" i.e. not medical records nor
> financial institution records nor...
Talk about your big questions!  This is likely to start up yet another 
philosophical debate or contest of wits, which I'll volunteer to bow out 
of before it begins (I refuse to become engaged following this post).  
Disclaimer aside, here is my opinion, based on my own experience.  This 
is probably an extreme case (and believe me, I can still tighten it down 
even further if motivated to do so), compared to most other opinions 
that you will receive.

First, the environment (my SOHO):
* 7 Servers, mixed environment (Windows 2K/3 and CentOS/RHEL).
* 3 Workstations, all Windows XP Pro.
* Several network appliances (including video game consoles).
* BOTH Hardware and Software firewalls are utilized.

At the hardware level, I employ both NAT and CBAC firewall mechanisms.  
At the software level, I employ IPTables and Windows Firewall -- based 
on the OS.  In all cases, I follow a whitelisting firewall philosophy 
(with additional dynamic blacklisting rules based on attack pattern 
detection) as opposed to a blacklisting philosophy.  If you're 
unfamiliar with the difference:
* Whitelisting firewalls means ALL ports/services are BLOCKED by default 
and ONLY predicted, necessary ports/services are permitted.
* Blacklisting firewalls means the device is WIDE OPEN and ONLY 
"troublesome" ports/services are blocked and/or only "troubled" external 
IPAs are blocked.

Additionally, I treat all networks as hostile, both internal and 
external.  This means that even the "inside" footprints of my servers 
are based on whitelisting rules.

While the initial design and configuration was somewhat tedious, the end 
product is simple.  No machine on my network has any visible ports that 
I don't expressly determine, either on the public IPA or the internal 
IPA.  In theory, this should contain any intrusive attempts to the 
single compromised machine, should that ever become the case, greatly 
reducing the capacity of any hacker/virus/worm/etc. to propagate on my 
LAN (or outside, for that matter).

Bear in mind that I also use physical barriers.  I have 7 servers in 
this configuration (at HOME).  This isn't necessarily because of the 
amount of traffic I handle.  In truth, I handle far less than all this 
hardware is capable of.  Rather, my database server, mail 
policy/scanning server, file server, and Windows domain controller have 
no public access whatsoever -- no external IPA (no inbound route from 
the router).  While I provide a full set of hosting features (web, ftp, 
smtp, pop3, imap, dns), no machine handles more than its limited-scope 
services; meaning my gateway mail server offers no pop3/imap features 
and my web/ftp servers offer no external mail services whatsoever.  Each 
machine offers only a limited, tightly related set of services based on 
function.

For a look at how I handle just e-mail, take a look at (even 
server-to-server mail handling is over SSL):
http://www.kimballstuff.com/files/networking/E-mail_Handling.png

That was the technical part, here's the philosophy:
As you can see, it is my opinion that you cannot take security lightly, 
regardless of whether you're handling a personal web site or 
mission-critical (credit-card/medical/military/government) 
services/data.  One compromised machine is one more zombie on the web 
that is ripe for spammer/phisher/attack activities.  I will not tolerate 
having any machine under my control being used for unlawful means.

I realize that even policies like my own are not infallible and 
consequently, I make no claim that mine is.  I scrutinize my log files 
(not only the LogWatch output, but my router and firewall logs as well) 
regularly in an effort to identify when -- not if -- a hack occurs.  
I've been doing this since late 2000 and so far, I'm clean (as far as I 
can tell).


If you're asking whether you should get a hardware firewall, my answer 
is this:
Absolutely, and fortify it with an additional layer of software 
firewalls!  Apply as many security techniques as you know how to and 
review your security footprint (scan your own network from both inside 
and outside) and performance regularly (check your logs)!  Good security 
requires diligence, patience, and luck.
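The whitelisting approach described above (default DROP on the host, an explicit ACCEPT for each predicted service, and the internal network still treated as hostile rather than trusted wholesale) as an added example; this is not part of the original post or the poster's own configuration. The port list, the 192.0.2.0/24 internal network and the choice to keep mysql off the public interface are assumptions for a single web/mail box like the one asked about. The script prints the iptables commands so the footprint can be reviewed before anything is applied.

```shell
#!/bin/sh
# Generate a default-deny (whitelist) iptables INPUT ruleset for one
# RHEL-style server.  Prints the rules as shell commands for review;
# run with --apply to execute them.  Added example, not the post's code.

# Services this host is meant to expose on its public interface
# (assumed list; edit to match the box).  mysql is deliberately absent:
# it should only be reachable from localhost or the internal network.
PUBLIC_TCP="22 25 80 143 443"

# Services reachable only from the internal LAN.  The LAN is still a
# whitelist (source network AND port), not "allow all from inside".
INTERNAL_NET="192.0.2.0/24"   # constructed example prefix, an assumption
INTERNAL_TCP="3306"

gen_rules() {
    # 1. Flush INPUT and set default policies: anything not listed below
    #    is dropped, which is the whole point of a whitelist.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # 2. Loopback and replies to connections this host initiated.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Drop malformed / out-of-state packets early.
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # 4. Public services: one explicit ACCEPT per predicted port.
    for p in $PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 5. Internal-only services, restricted by source network as well.
    for p in $INTERNAL_TCP; do
        echo "iptables -A INPUT -p tcp -s $INTERNAL_NET --dport $p -m state --state NEW -j ACCEPT"
    done
    # 6. Log what falls through (rate-limited) so the firewall log shows
    #    attempts, then drop explicitly so the rule counters stay visible.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    echo "iptables -A INPUT -j DROP"
}

# The number of ACCEPT rules admitting NEW connections is the server's
# visible footprint; anything else is closed by policy.
count_open_ports() {
    gen_rules | grep -c -- '--state NEW -j ACCEPT'
}

if [ "$1" = "--apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Run it without arguments to read the generated rules, apply them as root with `--apply`, and then do what the post recommends: port-scan the host from another machine on the LAN and from outside, and confirm that only the listed ports answer and that the dropped probes appear in the log with the `INPUT-DROP:` prefix.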


