Security Basics mailing list archives
Re: Reasons for using an external firewall
From: "Steve Bremer" <steveb () nebcoinc com>
Date: Wed, 20 Nov 2002 09:41:11 -0600
> However in this setup, how much extra protection can an external firewall give? The machines have to have open ports port-forwarded
If your web/db servers are properly secured, then the additional protection for your web/db servers is minimal. However, the fw will give you an extra layer of protection if additional services are opened on the web/db servers (by accident or intentionally). You are correct in that it will not help prevent any exploits for services that can be accessed from the Internet.

Here is the real benefit I see to having the firewall: intrusion detection. Your firewall should be configured to prevent the web/db servers from making unnecessary connections to hosts on the Internet. For example, why should your web server need to make http/ftp requests to other hosts (there are exceptions, obviously)? If you properly restrict and log outbound traffic at the firewall, you will see any attempts made by your web/db servers to connect to hosts on the Internet. If your web server starts making connection attempts to www.evildoers.com, you should probably look into it.

In many cases, after a host is compromised, the next step for the cracker is to download software to your host that lets the cracker do what he/she wants. If you prevent your web server from initiating outbound connections to the Internet, you've just thrown up another roadblock for the cracker. Yes, you could do this with iptables/ipchains/ipfilter on the web server itself, but if it is a root compromise, the cracker can disable the filtering you've set up.

Basically, you're being a nice netizen by helping to prevent your systems from being used to attack others.

Steve Bremer
NEBCO, Inc.
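The "log and restrict outbound traffic, then watch the log" approach Steve describes, as an added example that is not part of the original post or of anything NEBCO published. The assumed firewall rules (in the module docstring), the DMZ range 192.0.2.0/24, the interface names, the log prefix "FW-OUT-DROP:" and the sample syslog lines are all constructed for illustration; the script parses standard iptables LOG output, groups the dropped outbound attempts by DMZ host and destination, and lists the hosts that deserve a look.

```python
"""Summarise dropped outbound connection attempts logged by an external
firewall, so a web/db server that suddenly starts calling out stands out.

Assumed (hypothetical) rules on the external firewall: eth1 faces the DMZ
(192.0.2.0/24, where the web/db servers live), eth0 faces the Internet.
Replies to inbound connections are accepted as ESTABLISHED/RELATED earlier in
the chain; any NEW connection from the DMZ toward the Internet is logged and
then dropped:

  iptables -A FORWARD -i eth1 -o eth0 -s 192.0.2.0/24 -m state --state NEW \
      -j LOG --log-prefix "FW-OUT-DROP: "
  iptables -A FORWARD -i eth1 -o eth0 -s 192.0.2.0/24 -m state --state NEW -j DROP
"""
import re
from collections import Counter, defaultdict

LOG_PREFIX = "FW-OUT-DROP:"          # must match the --log-prefix above
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # iptables LOG emits KEY=VALUE tokens

# Constructed sample syslog lines (not real traffic). 192.0.2.10 is the web
# server, 192.0.2.20 the db server. The last two lines are unrelated noise
# that the parser must ignore.
SAMPLE_LOG = [
    "Nov 20 09:41:11 fw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 "
    "DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4123 DF PROTO=TCP "
    "SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 20 09:41:14 fw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 "
    "DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4124 DF PROTO=TCP "
    "SPT=43211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 20 09:41:20 fw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 "
    "DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4125 DF PROTO=TCP "
    "SPT=43212 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 20 09:43:02 fw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.20 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=918 DF PROTO=TCP "
    "SPT=51000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 20 09:43:05 fw kernel: FW-IN-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.9 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=77 DF PROTO=TCP "
    "SPT=33000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 20 09:43:06 fw sshd[1234]: Accepted publickey for admin from 192.0.2.2",
]


def parse_log_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line that carries our
    prefix, or None for any other syslog line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    # Bare flag tokens such as DF and SYN have no '=' and are simply skipped.
    return dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))


def summarise(lines):
    """Group dropped outbound attempts by source host, then by
    (destination, protocol, destination port). Returns
    {src: Counter({(dst, proto, dport): attempts})}."""
    summary = defaultdict(Counter)
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or "SRC" not in fields:
            continue
        key = (fields.get("DST"), fields.get("PROTO"), fields.get("DPT"))
        summary[fields["SRC"]][key] += 1
    return summary


def suspicious_sources(summary, threshold=1):
    """DMZ hosts with at least `threshold` dropped outbound attempts, most
    active first. With egress fully blocked, even one attempt is worth a look,
    hence the default of 1."""
    totals = {src: sum(counts.values()) for src, counts in summary.items()}
    return sorted((s for s, n in totals.items() if n >= threshold),
                  key=lambda s: (-totals[s], s))


def report(summary):
    """One line per (source, destination) pair, as a list of strings."""
    lines = []
    for src in suspicious_sources(summary):
        for (dst, proto, dport), n in summary[src].most_common():
            lines.append(f"{src} -> {dst} {proto}/{dport}: {n} attempt(s)")
    return lines


if __name__ == "__main__":
    for line in report(summarise(SAMPLE_LOG)):
        print(line)
```

In practice you would feed this the firewall's syslog (for example `grep FW-OUT-DROP /var/log/messages`) from cron or a log watcher; the web server trying port 80 and 21 on the same outside host, and the db server trying 6667 (IRC), are exactly the "look into it" cases the post describes.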
Current thread:
- Reasons for using an external firewall John P (Nov 20)
- Re: Reasons for using an external firewall Paul Cardon (Nov 21)
- Re: Reasons for using an external firewall Steve Bremer (Nov 21)
- Basic rules for IPTABLES protection Erick Arturo Perez Huemer (Nov 25)
- RE: Basic rules for IPTABLES protection Michael Sconzo (Nov 26)
- Re: Basic rules for IPTABLES protection Patrick Benson (Nov 26)
- RE: Basic rules for IPTABLES protection BurntCircuit (Nov 26)
- Need Help Building Linux Based Firewall Khuzairi Yahaya (Nov 27)
- Re: Need Help Building Linux Based Firewall Johannes Ullrich (Nov 28)
- Re: Need Help Building Linux Based Firewall Jason Dixon (Nov 28)
- Re: Need Help Building Linux Based Firewall phani (Nov 28)
- Re: Need Help Building Linux Based Firewall Devdas Bhagat (Nov 29)