Security Basics mailing list archives

Re: Firewall on server itself


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 25 Jun 2003 18:19:06 +0200

On 2003-06-25 Anish Basu wrote:
> I am trying to set up a secure web server which will already be
> protected by a dedicated hardware firewall.  The hardware firewall will
> be configured to protect the web server as well as other computers on the
> network.  The web server will be running Red Hat 9.0.  Is there any
> reason to install and configure firewall software such as IPTables on
> the web server itself?

I don't think that would make sense. If an intruder could exploit the
web server to gain root privileges, why would he stop from changing the
iptables rules? If you don't trust your firewall, throw it away and get
some other.
IMO it would make more sense to move the web server into a DMZ instead.

> Are there any advantages or disadvantages to having two firewalls set
> up this way?

You will have to maintain two rulesets, which will make your firewall
more complex and therefore more susceptible to security breaches. IMHO.

Regards
Ansgar Wiechers
