to firewall or not to firewall?

Printable View

07-05-2011
zflash78

to firewall or not to firewall?

Hello,

We had a small conflict today at work whether or not there is any major advantage to setup a firewall to a relatively small web server box or to leave it without any.
I was in favor of not to have any firewall, because actually I don't see any major point to simply put a default drop policy and just open port 80.
The only advantage that I can think of is that you can check things like: the sanity of tcp/ip state (ie. not to accept ACKs if there is not even an established handshake, etc), or port scanning or ip spoofing or other similar "silly" stuff.

What do you think?

Thanks
ilias
07-05-2011
hans51

my philosophical answer would be
to die or not to die

in a web server (www accessible) you start to have hackers usually before you even finished your basic configuration of a server
of course some call it background noise - and if your entire server completely secured and ALL your software installed has ZERO security issues at all (known AND unknown) ...
you may go without FW

however who in the world can say his server is secured if even gov, mil and banks can't secure theirs with all the money they got to hire and use the top professionals in the world.

a firewall may have many opportunities to let you sleep better
there still remain enough reasons for nightmares on servers to occur even if you have mod_security and snort properly installed and configured

a firewall - if nothing else at all - helps you to reduce your error_log by simply blocking all the known IP networks used by hackers and by reducing potential hacker traffic to a iptables blank page you release server load for the thousands or ten thousands and more attempts each day

hence my practical answer is YES to firewall
fail2ban and other security SW depend on running firewall on server
07-06-2011
zflash78

Quote:

Originally Posted by hans51

my philosophical answer would be
a firewall - if nothing else at all - helps you to reduce your error_log by simply blocking all the known IP networks used by hackers and by reducing potential hacker traffic to a iptables blank page you release server load for the thousands or ten thousands and more attempts each day.

hence my practical answer is YES to firewall
fail2ban and other security SW depend on running firewall on server

I completely agree with you. Content firewall is the only reasonable security measure in our case (I had used snort+guardian in the past but it was a pain in the ass to keep it updated). Fail2ban looks nice too, I will try it.

But in order to avoid any misunderstandings, perhaps I didn't make my self clear in the first place: The whole argument at my work was about using only iptables (just to set drop as default policy and open port 80). Absolutely nothing more.
I hope we all agree that this is simply inadequate and almost completely unnecessary.