Re: Linux server as it own firewall

From: Ross Del Duca (ross_delduca@delducagroup.net)
Date: 09/13/01


Date: Wed, 12 Sep 2001 19:49:05 -0700
From: Ross Del Duca <ross_delduca@delducagroup.net>
To: focus-linux@securityfocus.com
Subject: Re: Linux server as it own firewall
Message-Id: <20010912194905.6021863b.ross_delduca@delducagroup.net>

On Wed, 12 Sep 2001 13:25:21 -0400
James Puckett <jpuckett@ticom.com> wrote:

> All,
>
> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables. This server will see very little
> load, so performance will probably not be an issue. What I am wondering is,
> what are the implications of having a Linux box on the internet running its
> own firewall? The way I see it, if someone can manage to break into a locked
> down firewall, he will not have too many problems getting into the machines
> behind the firewall.

I personally use this configuration for my web servers. One of the advantages I see is that, by moving the security mechanisms (i.e. firewall) to the individual servers - you remove the potential 'single point of failure' of a network based firewall. Given that IPTables is integrated into the kernel itself, if the firewall should fail, it is a safe bet that there are problems with the services running on that machine anyhow.

> On the other hand, if the attacks take a while to go
> off, the extra time it takes to get into the server behind the FW could be
> what saves the server if the intrusion is detected. I also wonder about the
> obvious problem of having extra daemons on the firewall adding to the number
> of exploitable holes on one machine.

I don't really see the problem with extra daemons running. A given server would (should?) only have the daemons running that are necessary for the services that it is providing. If these are publicly available services, then the firewall would have to let in traffic to those services anyhow. Just follow the standard first axiom of security: "If you don't need it, don't run it..."

>
> Overall I am really against the idea, but in the long run working this way
> could save some money, and if it looks like the system won't be made too
> insecure this could be a viable idea.

I think this is the crux. By moving the firewalling to individual servers, you 1) don't need a dedicated firewall machine(s), 2) can isolate specific machines so that only specific services can get through (both from internal and external traffic - if that is an issue), and 3) spread the firewalling load (which is really not much on most any machine) to only those machines immediately affected by a given rule.

Of course, on the other hand, the administrative duties are increased by this approach. Again, just follow the basic axiom. With many security mechanisms, it is deny all - oh yeah, except this and this. With IPtables, it is allow this, this and that. If else, then, well, too bad.....
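A concrete form of the "allow this, this and that; if else, too bad" policy described in the reply, as an added example that is not from the original post or its author: a host-only IPTables ruleset for a web server, with a dry-run mode so the rules can be reviewed before they are applied. The admin subnet 192.0.2.0/24, the interface names and the service ports are assumptions.

```shell
#!/bin/sh
# Host-based IPTables policy for a single web server (added example).
# Default policy on INPUT is DROP; only the listed services are let in.

# Wrapper: with DRY_RUN=1 the commands are printed instead of executed,
# so the full ruleset can be reviewed without touching the live box.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the ruleset. $1 = subnet allowed to reach SSH (assumed value,
# e.g. 192.0.2.0/24); everything else only sees the public web ports.
build_rules() {
    admin_net="$1"
    ipt -F INPUT
    ipt -P INPUT DROP       # "if else, then too bad": unlisted traffic is dropped
    ipt -P FORWARD DROP     # this host routes for nobody
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp -s "$admin_net" --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Log what is about to hit the DROP policy, so a port scan or a
    # misconfigured client shows up in syslog instead of vanishing.
    ipt -A INPUT -j LOG --log-prefix "INPUT-DROP:" --log-level 4
}

# Number of commands the policy emits; handy as a sanity check.
rule_count() {
    DRY_RUN=1 build_rules "$1" | wc -l | tr -d ' '
}

# Review:  DRY_RUN=1 sh host-fw.sh 192.0.2.0/24
# Apply (as root):    sh host-fw.sh 192.0.2.0/24
if [ -n "${1:-}" ]; then
    build_rules "$1"
fi
```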