Re: Firewall on server itself

["Mitchell Rowton" <mitchell () attackprevention com>]

I agree that any device that has more stringent access requirements 
should be placed in an environment that will allow more granular 
control of the authorization.  (=put server in DMZ)

However adding iptables would be consistent with industry practices
Defense In Depth
Enclave Boundary Defense (not just perimeter defense)
M&M Security (hard on outside, soft and squishy on inside)

Perhaps the iptables could defend against an intruder who is already 
through the firewall because of many reasons:

Insider threat

Firewall vender specific vulnerabilities

Maybe you could just make device specific rules more restrictive that 
the firewall that covers ever device.

I’m sure there are other good reasons but in general any important 
device should have its own access controls (in my opinion)

Mitchell

> On 2003-06-25 Anish Basu wrote:
> > I am trying to set up a secure web server which will already be
> > protected by a dedicated harware firewall.  The hardware firewall 
will
> > be configured to protect the web server as well other computers on 
the
> > network.  The web server will be running Red Hat 9.0.  Is there any
> > reason to install and configure firewall software such as IPTables 
on
> > the web server itself?
>
> I don't think that would make sense. If an intruder could exploit the
> web server to gain root privileges, why would he stop from changing 
the
> iptables rules? If you don't trust your firewall, throw it away and 
get
> some other.
> IMO it would make more sense to move the web server into a DMZ 
instead.
> > Are there any advantaqes or disadvantages to having two firewalls 
set
> > up this way?
>
> You will have to maintain two rulesets, which will make your firewall
> more complex and therefore more susceptible to security breaches. 
IMHO.
> Regards
> Ansgar Wiechers
>
> ----------------------------------------------------------------------
-----
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top 
analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote 
access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------
------
>



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------