[clue-tech] necessity of external hardware firewall

Ken MacFerrin lists at macferrin.com
Mon Jul 31 17:04:57 MDT 2006


Greg Knaddison wrote:
> Howdy,
> 
> For my home desktop I've always followed the advice from my Linux
> books that said something like "The firewall that ships with Linux is
> pretty decent, so just use that and don't worry about an external
> device."
> 
> I'm about to get a dedicated server to run typical website services:
> www, smtp, imap, mysql, etc.  Is it worth getting an external
> firewall?  What factors would impact your decision to have an external
> firewall for a server?  Are there some features of hardware firewalls
> that make them worthwhile above the firewall already available?
> 
> This will be a RHEL box and I will only have this one machine.  I can
> foresee using multiple RHEL boxes (web + DB) at some point.  The data
> on the machines is just "typical stuff" i.e. not medical records nor
> financial institution records nor...
> 
> Thanks for your thoughts,
> Greg

I prefer both.  I use a dedicated firewall as a bastion host and then
individually protect each server/PC/workstation with an individual
firewall to only allow access for needed services.  For the Win boxes in
the house that usually means an application proxy such as ZoneAlarm and
iptables for the Linux boxes.

For home use I think spending the money for a dedicated hardware
firewall with any decent feature set is overkill, although you will
typically see benefits of improved reliability and lower power
consumption.  I personally like the flexibility of using an old PC
(~500MHz) and running either a distro with SELinux & netfilter (I highly
recommend Shorewall for building rules) or OpenBSD & pf.  The upside is
this allows for nearly unlimited configurations and the ability to tie
into things like an IDS/IPS (i.e. snort_inline).  The downside is that you
need to spend the time to get everything configured and keep it updated.
Another thing for consideration is if you want UPnP support.  It's
certainly not the most secure, but if you have a family that uses online
gaming, P2P and IM then it can save you a lot of port mapping.
Unfortunately, Linux UPnP support (via the linux-igd project) is
horribly dated and buggy so installing it yourself can be a less than
enjoyable experience.

If you don't want to spend the money on a dedicated appliance or spend
the hours to do it yourself then you can grab an old PC and try one of
the dedicated firewall distros such as Smoothwall, IPCop, mOnOwall, etc.

If you want to keep everything (dedicated firewall & server) on one box
and are a glutton for punishment you can use Xen to run them as separate
servers on the same hardware: http://www.shorewall.net/XenMyWay.html

-Ken
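The per-host half of Ken's layered setup, applied to the single RHEL server Greg describes, as an added example that is not code from Ken's post or from any project named in the thread. The script generates an iptables-save format ruleset that publishes www, smtp and imap to the Internet, restricts mysql to an assumed web-tier network (10.0.0.0/24, for the later web + DB split) and ssh to an assumed admin host (203.0.113.10); both addresses are made up for the example. It uses the `-m state` match of that era's iptables, and a second function checks the generated rules so that the database port can never end up world-reachable.

```shell
#!/bin/sh
# Added example (not from Ken's post): a per-host iptables ruleset in
# iptables-save format for a single Internet-facing RHEL server.
# Load it with:  iptables-restore < ruleset
# (on RHEL, write it to /etc/sysconfig/iptables and restart the service).

rule() { printf '%s\n' "$1"; }

# gen_host_rules "PUBLIC_TCP_PORTS" LOCAL_NET "LOCAL_TCP_PORTS" ADMIN_HOST
# Writes the ruleset to stdout. Default policy is DROP on INPUT and
# FORWARD; only the listed services are reachable.
gen_host_rules() {
    public_ports=$1; local_net=$2; local_ports=$3; admin_host=$4
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Loopback and reply traffic for connections the box opened itself.
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -m state --state INVALID -j DROP'
    # Rate-limited ping so the box stays debuggable without being a flood target.
    rule '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # Services offered to the Internet.
    for p in $public_ports; do
        rule "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Services offered only to the local/web tier (e.g. mysql).
    for p in $local_ports; do
        rule "-A INPUT -s $local_net -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Remote administration from one trusted host only.
    rule "-A INPUT -s $admin_host -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Log (rate-limited) what the DROP policy is about to discard.
    rule '-A INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables-drop: "'
    rule 'COMMIT'
}

# port_open_to_world PORT: reads a ruleset on stdin and succeeds if TCP
# PORT accepts NEW connections from any source. Run it against the
# generated rules to verify that the database port never leaks onto the
# public side.
port_open_to_world() {
    grep -q -- "^-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT"
}

# Constructed parameters for the example: 203.0.113.10 (admin host) and
# 10.0.0.0/24 (web tier) are documentation/private ranges, not real hosts.
# Emits the ruleset when the script is run directly as host-fw.sh.
case "$0" in
    */host-fw.sh|host-fw.sh)
        gen_host_rules "80 443 25 143" 10.0.0.0/24 3306 203.0.113.10 ;;
esac
```

Because INPUT's policy is DROP, anything not matched by an ACCEPT line is discarded after the rate-limited LOG rule, so new services have to be added explicitly; `port_open_to_world 3306` should always fail against the output, which is the property worth asserting before the file goes into /etc/sysconfig/iptables.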


