Re: FW: Linux server as its own firewall

From: Brian Cervenka (brian@zerobelow.org)
Date: 09/12/01


Date: Wed, 12 Sep 2001 12:59:34 -0700 (PDT)
From: Brian Cervenka <brian@zerobelow.org>
To: James Puckett <jpuckett@ticom.com>
Subject: Re: FW: Linux server as its own firewall
Message-ID: <Pine.LNX.4.33.0109121251210.25585-100000@abalone.zerobelow.org>


> All,
>
> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables. This server will see very
> little load, so performance will probably not be an issue. What I am
> wondering is,

A well-designed ruleset shouldn't add significant load.

> what are the implications of having a Linux box on the internet running its
> own firewall? The way I see it, if someone can manage to break into a locked

Having the daemons on the box will make it easier to break into, and if
someone does gain root on a service, they can open a backdoor then change
the firewall to drop protection on that port. A network-based firewall,
however, can be made tougher to break into (no remote management, no
daemons, etc), and could be configured to disallow this access.

> down firewall, he will not have too many problems getting into the machines
> behind the firewall. On the other hand, if the attacks take a while to go
> off, the extra time it takes to get into the server behind the FW could be
> what saves the server if the intrusion is detected. I also wonder about the
> obvious problem of having extra daemons on the firewall adding to the number
> of exploitable holes on one machine.

Using iptables doesn't exactly add any extra daemons on the box...so that
won't open a problem in itself.

> Overall I am really against the idea, but in the long run working this
> way could save some money, and if it looks like the system won't be made
> too insecure this could be a viable idea.

Possibly a better solution might be to run a network firewall, AND a
host-based firewall. This way, you have two layers of protection, and you
are even protected if you typoed and messed the rules on one of the boxes.

Also, using a host-based firewall could give you an opportunity to use two
different firewall vendors to protect yourself, so a vuln in one vendor's
implementation will not result in a hole. (the old iptables ftp hole
thing, etc).

--brian
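As an added illustration of the host-based layer discussed in this thread (example code, not from either poster): a script that emits a default-deny iptables ruleset for an Internet-facing server in iptables-restore format, plus a check that the INPUT/FORWARD policies are still DROP, which is the first thing an intruder with root would relax. The served ports (80, 443), the management network (192.0.2.0/24, a documentation range) and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Host-based iptables ruleset for an Internet-facing Linux server.
# Constructed example: service ports and management network are placeholders.
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"   # ports this box actually serves
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"       # where SSH administration comes from

# Emit the ruleset in iptables-restore format. The chain policies are DROP,
# so a typo that omits a rule fails closed (a port stays blocked) rather
# than open. No daemon is involved: the rules live in the kernel.
hostfw_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'     # this host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and related traffic (e.g. ftp-data)
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that claim to belong to a connection the kernel has never seen
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Remote administration only from the management network
    printf '%s\n' "-A INPUT -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT"
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Log (rate-limited) what the DROP policy is about to discard
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-drop: "'
    printf '%s\n' 'COMMIT'
}

# Return 0 if the saved ruleset in file $1 still has DROP policies on INPUT
# and FORWARD. Run it against `iptables-save` output from a cron job or a
# remote monitor, so a compromise that "drops protection" is noticed.
policy_intact() {
    grep -q '^:INPUT DROP' "$1" && grep -q '^:FORWARD DROP' "$1"
}

# To load on the server (as root): hostfw_rules | iptables-restore
```

The generated rules only open inbound ports the box actually serves, so they complement rather than replace the network firewall in front of it.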