Re: FW: Linux server as it own firewall
From: Brian Cervenka (brian@zerobelow.org)
Date: 09/12/01
- Previous message: Ross Vandegrift: "Re: Linux server as it own firewall"
- Maybe in reply to: James Puckett: "Linux server as it own firewall"
- Next in thread: Serge Shvyryaev: "Re[2]: FW: Linux server as it own firewall"
- Next in thread: Mark Ryback: "Re: Linux server as it own firewall"
- Reply: Serge Shvyryaev: "Re[2]: FW: Linux server as it own firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 12 Sep 2001 12:59:34 -0700 (PDT)
From: Brian Cervenka <brian@zerobelow.org>
To: James Puckett <jpuckett@ticom.com>
Subject: Re: FW: Linux server as it own firewall
Message-ID: <Pine.LNX.4.33.0109121251210.25585-100000@abalone.zerobelow.org>
> All,
>
> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables. This server will see very
> little load, so performance will probably not be an issue. What I am
> wondering is,
A well-designed ruleset shouldn't add significant load.
> what are the implications of having a Linux box on the internet running its
> own firewall? The way I see it, if someone can manage to break into a locked
Having the daemons on the box will make it easier to break into, and if
someone does gain root on a service, they can open a backdoor then change
the firewall to drop protection on that port. A network-based firewall,
however, can be made tougher to break into (no remote management, no
daemons, etc), and could be configured to disallow this access.
> down firewall, he will not have too many problems getting into the machines
> behind the firewall. On the other hand, if the attacks take a while to go
> off, the extra time it takes to get into the server behind the FW could be
> what saves the server if the intrusion is detected. I also wonder about the
> obvious problem of having extra daemons on the firewall adding to the number
> of exploitable holes on one machine.
Using iptables doesn't exactly add any extra daemons on the box...so that
won't open a problem in itself.
> Overall I am really against the idea, but in the long run working this
> way could save some money, and if it looks like the system won't be made
> too insecure this could be a viable idea.
Possibly a better solution might be to run a network firewall, AND a
host-based firewall. This way, you have two layers of protection, and you
are even protected if you typoed and messed up the rules on one of the boxes.
Also, using a host-based firewall could give you an opportunity to use two
different firewall vendors to protect yourself, so a vuln in one vendor's
implementation will not result in a hole (the old iptables ftp hole
thing, etc.).
--brian
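As an added example (not part of Brian's message or the thread), here is the kind of small, fail-closed host ruleset the reply has in mind: default DROP policies, stateful accepts, and rate-limited logging of what gets dropped so a broken rule or a scan is visible. It is emitted in iptables-restore format so it can be reviewed before being loaded; the allowed TCP ports are the function's arguments, and it assumes a current iptables with the conntrack match.

```shell
#!/bin/sh
# Added example, not from the original message. gen_ruleset prints a
# minimal default-deny host firewall in iptables-restore(8) format.
# Arguments: the TCP ports the server should accept (e.g. 22 80).
# Nothing is applied here; pipe the output into iptables-restore.
gen_ruleset() {
    cat <<'EOF'
*filter
# Default policies: drop anything not explicitly allowed, in both
# directions, so a mistake in a rule fails closed rather than open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is needed by local services.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful rules: accept replies to connections this host started and
# drop packets that belong to no known connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Keep the box pingable, but rate-limit echo requests.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # One ACCEPT per requested service port. Only NEW connections need a
    # rule; later packets are matched by the ESTABLISHED rule above.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# Log (rate-limited) what the default policy is about to drop, so a
# scan or a broken rule shows up in syslog instead of failing silently.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "hostfw-drop: "
COMMIT
EOF
}

# Count the per-port ACCEPT rules in a generated ruleset; a cheap
# sanity check that the ports you asked for are the ports you got.
count_service_rules() {
    gen_ruleset "$@" | grep -c -- '--dport'
}

# Usage: gen_ruleset 22 80 | iptables-restore
```

Review the printed ruleset first (for example with `gen_ruleset 22 80 | less`), then load it; a typo in the port list simply locks that service out rather than opening anything.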