Security Basics mailing list archives

Re: Reasons for using an external firewall


From: "Steve Bremer" <steveb () nebcoinc com>
Date: Wed, 20 Nov 2002 09:41:11 -0600


> However in this setup, how much extra protection can an external
> firewall give? The machines have to have open ports portforwarded

        If your web/db servers are properly secured, then the 
additional protection for your web/db servers is minimal.  However, 
the fw will give you an extra layer of protection if additional services 
are opened on the web/db servers (by accident or intentionally).  
You are correct in that it will not help prevent any exploits for 
services that can be accessed from the Internet.

        Here is the real benefit I see to have the firewall: intrusion 
detection.  Your firewall should be configured to prevent the web/db 
servers from making unnecessary connections to hosts on the 
Internet.  For example, why should your web server need to make 
http/ftp requests to other hosts (there are exceptions obviously)?  If 
you properly restrict and log outbound traffic at the firewall, you will 
see any attempts made by your web/db servers to connect to hosts on 
the Internet.  If your web server starts making connection attempts 
to www.evildoers.com, you should probably look into it.
        In many cases, after a host is compromised, the next step 
for the cracker is to download software to your host that lets the 
cracker do what he/she wants.  If you prevent your web server from 
initiating outbound connections to the Internet, you've just thrown up 
another roadblock for the cracker.  Yes, you could do this with 
iptables/ipchains/ipfilter on the web server itself, but if it is a root 
compromise, the cracker can disable the filtering you've set up.
        Basically, you're being a nice netizen by helping to prevent 
your systems from being used to attack others. 

Steve Bremer
NEBCO, Inc.
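The egress policy Steve describes, as an added example that is not part of the original post or its thread: an iptables rule set for the external firewall that lets the DMZ web/db servers answer inbound connections but logs and drops anything they try to initiate towards the Internet, plus a small parser that summarises the resulting kernel LOG lines so the "www.evildoers.com" case stands out. The addresses, interface names, resolver and log lines are all hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Hypothetical topology: DMZ on eth1, Internet on eth0,
# web server 192.0.2.10, db server 192.0.2.20, DNS resolver 198.51.100.53.
WEB=192.0.2.10
DB=192.0.2.20
DMZ_IF=eth1
EXT_IF=eth0
RESOLVER=198.51.100.53
LOG_PREFIX="DMZ-EGRESS-DENY: "

# Print the rule set instead of applying it, so it can be reviewed and
# then piped to `sh` on the firewall itself.
egress_rules() {
    cat <<EOF
iptables -N DMZ_OUT
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -j DMZ_OUT
# Replies belonging to inbound (port-forwarded) sessions are allowed.
iptables -A DMZ_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The web server is allowed exactly one outbound service: DNS to our resolver.
iptables -A DMZ_OUT -s $WEB -d $RESOLVER -p udp --dport 53 -j ACCEPT
# The db server ($DB) initiates nothing to the Internet, so no rule for it.
# Everything else the DMZ initiates is logged (rate-limited), then dropped.
iptables -A DMZ_OUT -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
iptables -A DMZ_OUT -j DROP
EOF
}

# Summarise denied egress attempts from kernel LOG lines on stdin as
# "<count> <src> -> <dst> <proto>/<dport>", busiest first.
egress_denials() {
    awk -v prefix="$LOG_PREFIX" '
    index($0, prefix) {
        src = ""; dst = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        count[src " -> " dst " " proto "/" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample: two HTTP attempts from the web server to one host,
# one IRC-port attempt from the db server (the classic post-compromise
# download / bot check-in pattern the post warns about).
SAMPLE_LOG='Nov 20 09:41:11 fw kernel: DMZ-EGRESS-DENY: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 20 09:41:12 fw kernel: DMZ-EGRESS-DENY: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40322 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 20 09:41:20 fw kernel: DMZ-EGRESS-DENY: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0'

# Stand-alone use: `sh egress.sh rules` prints the rule set,
# `sh egress.sh` runs the parser over the constructed sample.
if [ "${1:-}" = "rules" ]; then
    egress_rules
else
    printf '%s\n' "$SAMPLE_LOG" | egress_denials
fi
```

The LOG rule is rate-limited so a compromised host cannot flood the firewall's own logging; the DROP that follows it is unconditional. Because the rules live on the firewall rather than on the web server, a root compromise of the web server cannot switch them off, which is exactly the point made in the post.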

