Re: Linux server as its own firewall

From: Scott Gifford (sgifford@tir.com)
Date: 09/14/01


To: focus-linux@securityfocus.com
Subject: Re: Linux server as its own firewall
From: Scott Gifford <sgifford@tir.com>
Date: 13 Sep 2001 22:10:55 -0400
Message-ID: <ly7kv2o72o.fsf@gfn.org>

Seth Arnold <sarnold@wirex.com> writes:

> On Wed, Sep 12, 2001 at 01:25:21PM -0400, James Puckett wrote:
> > I am considering having the firewall for a Linux server I am building
> > running on the server itself using IPTables.
>
> Every time someone mentions firewalls, I always think of a quote I heard
> once: "Firewalls are a symptom of broken hosts". (Anyone who knows the
> original source of this quote, please let me know privately. :)

Firewalls are another layer of protection for broken hosts. Mistakes
are made, and a good firewall can stop them from becoming fatal ones.
I used to work at a place that ran everything wide-open on the
Internet, and we did a lot of work to keep everything secure.
Nonetheless, a monitoring machine somehow fell off of our list of
machines to keep up-to-date with security patches, and was
compromised.

Many client-only machines run services they don't even know about, and
this also provides protection against that. For example, many ISPs
said users infected with CodeRed didn't even install IIS on their
machines; apparently some other applications take it upon themselves
to install IIS without warning you. Windows filesharing is difficult
to disable, and has been the source of security problems in the past.
Securing an NT machine at work, I found 10 different ports listening,
all by random applications that felt the need to listen on Internet
ports.

They make it easier to experiment inside your network. You can set up
a copy of apache on your workstation to play with, without worrying
about locking it down right away.

And they're a good part of "security in depth", making sure that you
have multiple layers of security so that if one is broken you're not
screwed.

The security in depth philosophy would also recommend a dedicated
firewall. Eventually, the machine will crash, and need to have the OS
reinstalled, and unless you're very careful, will have an insecure
setup. Probably, this will be in a crisis moment, and you'll worry
more about getting the services on the machine back up before worrying
about getting the firewall working, leaving you more exposed.

I would recommend that you buy a cheap firewall box. The router you
use to connect to the Internet can probably provide adequate
firewalling capabilities. For less than 10MB of bandwidth, many cheap
$300 consumer-grade firewalls should probably work just fine (make
sure it supports stateful packet inspection); a dedicated OpenBSD or
other UNIX machine can handle a bit more than that. For a bit more,
you can get a firewall and load-balancer combined, and improve your
reliability while improving your security.

----ScottG.
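The post argues for stateful filtering and notes how many services listen without the admin knowing. The following is an added example, not part of the original message or the list archive: a POSIX shell script that generates a default-deny, stateful iptables ruleset for the host itself (the setup James asked about) and audits a socket listing for listeners outside an allowlist. The service ports (22 and 80), the interface assumptions and the sample `ss -tuln` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumptions: the host offers
# SSH (tcp/22) and HTTP (tcp/80) to the Internet; everything else inbound is
# dropped. Run with --apply as root to load the rules via iptables-restore;
# without arguments it prints the ruleset and audits a constructed sample.

# Emit an iptables-restore ruleset for the filter table.
# $1 = space-separated list of TCP ports to accept new connections on.
gen_ruleset() {
    ports="$1"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for p in $ports; do
        # Only NEW connections need an explicit rule; replies are covered above.
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    # Log what the default-deny policy drops, rate-limited so logs stay usable.
    printf '%s\n' \
        '-A INPUT -m limit --limit 2/min -j LOG --log-prefix "fw-drop: "' \
        'COMMIT'
}

# Read `ss -tuln` output on stdin and print proto:port for every socket bound
# to a non-loopback address whose proto:port is not in the allowlist.
# $1 = space-separated allowlist, e.g. "tcp:22 tcp:80"
unexpected_listeners() {
    allowed=" $1 "
    while read -r proto state rq sq local peer; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac   # skip header lines
        port="${local##*:}"
        addr="${local%:*}"
        case "$addr" in 127.*|'[::1]') continue ;; esac     # loopback is fine
        case "$allowed" in *" $proto:$port "*) continue ;; esac
        printf '%s:%s\n' "$proto" "$port"
    done
}

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*'

if [ "$1" = "--apply" ]; then
    gen_ruleset "22 80" | iptables-restore
else
    gen_ruleset "22 80"
    echo "# listeners not covered by the allowlist (sample data):"
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "tcp:22 tcp:80"
fi
```

On a live host, `ss -tuln | unexpected_listeners "tcp:22 tcp:80"` gives the same audit against real sockets; anything it reports is either a service to lock down or a reason the firewall's default-deny policy is earning its keep.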
