Security Basics mailing list archives
Re: Firewall on server itself
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Wed, 25 Jun 2003 09:49:49 -0600
On Wed, Jun 25, 2003 at 02:24:46AM -0400, Anish Basu wrote:
web server will be running Red Hat 9.0. Is there any reason to install and configure firewall software such as IPTables on the web server itself? Are there any advantages or disadvantages to having two firewalls set up this way?
There are three, as I see it, reasons to set up a firewall on a server and at the boundary.

- You protect your server from the other servers
- If your boundary firewall malfunctions, your server's firewall is much better than nothing
- You can be super restrictive on the server firewall, maybe more so than makes sense on the boundary firewall

The downside:

- You now have one more firewall to maintain
- You will feel super secure behind two firewalls, for no reason, and let other things slide because of it - like patching the web server software, which isn't protected by the firewall by definition
- Bugs in the server's firewall software will reduce the stability of the server (happened to me just last week - IPTables got very unhappy about something and we had to reboot)
- There is a performance price to pay for server firewalling

If the following is true, the server firewall buys you little:

- your server is in your DMZ
- your server has no sensitive data
- your server has no unique data
- none of the machines in your private network trust any machine in the DMZ
- you can restore your server to 100% functionality in 4 hours or less

well... maybe 95% functionality, my servers rarely are 100% functional ;)

If any of those are not true, making them true will aid you better than a server firewall. If you can't make all of them true, try harder. If you still can't, then I'd say add the server firewalling.

-----------------------------------------------------------------------
  __o      Bradley Arlt              Security Team Lead
_ \<_      arlt () cpsc ucalgary ca  University Of Calgary
(_)/(_)    T minus 4 weeks to Peru   Computer Science
---------------------------------------------------------------------------
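The kind of "super restrictive" server ruleset the reply above has in mind, written out as an added example that is not part of the original thread. It emits the rules in iptables-restore format so they can be reviewed and diffed before being loaded atomically, opens only the web ports to the world, restricts management to an admin network, drops everything from DMZ neighbours (the "protect your server from the other servers" point), and uses egress rules so that a compromised web server cannot initiate connections into the private network, which enforces the "private network does not trust the DMZ" condition from the server's own side. The ADMIN_NET, DMZ_NET, PRIVATE_NET and WEB_PORTS values are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: a deliberately restrictive
# host firewall for a DMZ web server, emitted in iptables-restore format so it
# can be reviewed (and diffed) before it is loaded. Run with --print to see the
# rules, --apply (as root) to load them in one step with iptables-restore.
#
# The networks below are hypothetical placeholders; override them through the
# environment to match your own layout.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"     # hosts allowed to SSH in
DMZ_NET="${DMZ_NET:-198.51.100.0/24}"      # the server's own DMZ subnet
PRIVATE_NET="${PRIVATE_NET:-10.0.0.0/8}"   # internal network the server must never reach
WEB_PORTS="${WEB_PORTS:-80,443}"           # the only service this box exists for

# Print the complete filter table; default policy is DROP in every direction.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is trusted; drop packets conntrack cannot classify before anything else
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# stateful: replies to connections we already allowed, in both directions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# other DMZ hosts get nothing, so a compromised neighbour cannot reach us
# (if a DMZ load balancer fronts this box, add an ACCEPT for it above this line)
-A INPUT -s ${DMZ_NET} -j DROP
# the public service, open to everyone
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m state --state NEW -j ACCEPT
# management only from the admin network, rate limited against password guessing
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# echo requests so monitoring keeps working, but not a ping flood
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT
# log the rest, rate limited so a port scan cannot fill the disk
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-in-drop: "
# egress: a compromised web server must not be able to initiate connections
# into the private network, and otherwise only needs name resolution and time
-A OUTPUT -d ${PRIVATE_NET} -j DROP
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-out-drop: "
COMMIT
EOF
}

# Load the generated rules. iptables-restore replaces the whole table in one
# step, so there is never a window with a half-built ruleset.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_ruleset: iptables-restore not found" >&2
        return 1
    fi
    build_ruleset | iptables-restore
}

case "${1:-}" in
    --print) build_ruleset ;;
    --apply) apply_ruleset ;;
esac
```

Because OUTPUT also defaults to DROP, anything the box legitimately initiates (package updates, backups, log shipping) needs its own ACCEPT line; that is the price of the egress restriction, and it is exactly what makes a server firewall worth more than the boundary firewall alone once the host is compromised. Keep the rules under version control and load them with `--print` piped into a diff against the running `iptables-save` output before `--apply`, so a change is reviewed rather than typed live.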
Current thread:
- Firewall on server itself Anish Basu (Jun 25)
- Re: Firewall on server itself Brad Arlt (Jun 26)
- Re: Firewall on server itself Volker Kindermann (Jun 26)
- Re: Firewall on server itself Michael P (Jun 26)
- Re: Firewall on server itself Ansgar Wiechers (Jun 26)
- RE: Firewall on server itself Firegoblin Postmaster (Jun 26)
- Re: Firewall on server itself Mitch Pirtle (Jun 26)
- <Possible follow-ups>
- Re: Firewall on server itself Justin Pryzby (Jun 26)
- RE: Firewall on server itself DeGennaro, Gregory (Jun 26)
- RE: Firewall on server itself Gene LeDuc (Jun 26)
- Re: Firewall on server itself chris (Jun 26)
- RE: Firewall on server itself Depp, Dennis M. (Jun 26)
(Thread continues...)