ISP Webhosting

Best of the ISP-Lists

To Firewall, Or Not To Firewall?

That is the question: whether ’tis nobler for the server to suffer the slings and arrows of outrageous fortune, or to take arms against a sea of troubles, and by opposing end them and their cursed intrusions.

[December 18, 2002]

Members of the ISP-Webhosting list discuss the pros, cons, and possible tragic consequences of putting up a firewall between a router and a server. In December, [NM] queried the group about the best way to proceed:

"I have been toying with the idea of putting a firewall between our border router and our colocation/web-hosting servers. My goals are to:

1) Deter would-be script kiddies, and

2) Make DoS attacks a little less frequent.

However, I see many more problems resulting from this than benefits gained. For example, latency, single point of failure, expense, time, maintenance, and probably the biggest headache, initial and recurring configuration, are all issues. But on the other hand, if I use a Linux solution I can easily add traffic shaping without a lot of trouble. And that may be the 'golden ticket.'

Does anyone have feedback for me? Have you successfully done this? Do you think it is more problems than it is worth? If you have, I am just curious what software/hardware you used, and would you do it the same way again if you had to?"

[DS advised] "I was afraid for the same reason, but I am half there. I have set up a network IDS in between. It's passive, and the network can run perfectly without it."

[BG said] "I was thinking about using this VelociRaptor I have sitting here, but I am the same way ... software firewall ... hardware failure ... network is down. I even thought about something like WatchGuard.

[ed. note: Symantec VelociRaptor is an integrated hardware and software firewall/VPN appliance that uses full-inspection technology to provide a fast and secure connection to the Internet. The single-rack-unit (1U) appliance filters traffic and combines application-level proxies, network circuit analysis, and packet filtering, inspecting every layer of the protocol stack up to the application layer.

WatchGuard is also a provider of Internet security products. The company pioneered plug-and-play Internet security appliances and offers products for organizations of all sizes.]

Right now we have Portsentry/Logcheck and IP Tables on each server which has always worked well."

[PG said] "Booting from floppy or using a Compact Flash card with enough RAM to hold all needed files eliminates the main source of problems, the always spinning hard disk.

I am in the process of using OpenBSD to set up a transparent bridging firewall for my hosts, combined with packet filtering and possibly bandwidth shaping as well. I am using IPFM for bandwidth monitoring.

I like the idea of a firewall on a floppy. That would make things pretty simple to administer, and redundancy would be fairly simple as well. Very interesting.

And of course OpenBSD, the security workhorse of the Internet. I like it."
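[ed. note: The transparent-bridge setup PG describes, written out as an added example rather than his actual configuration. It is an OpenBSD pf.conf for a box with no IP address of its own bridging two interfaces, and it maps NM's two goals onto pf features: synproxy answers SYN floods on the servers' behalf, and an overload table bans sources that open SSH connections too fast. The interface names fxp0/fxp1, the 192.0.2.0/24 hosting prefix and the bandwidth figures are assumptions; the queue syntax is the one introduced in OpenBSD 5.5, not the altq syntax of 2002.

```pf
# /etc/pf.conf for a transparent bridging firewall (example, not PG's config).
# /etc/hostname.bridge0 would contain:  add fxp0 add fxp1 up
# Neither member interface carries an IP address, so the box is invisible
# to the hosts it protects and drops out of the path if replaced by a cable.

ext_if   = "fxp0"            # toward the border router   (assumed name)
int_if   = "fxp1"            # toward the colocated servers (assumed name)
hosted   = "192.0.2.0/24"    # documentation prefix standing in for the hosting block
services = "{ 80 443 }"

table <bruteforce> persist   # populated automatically by the overload rule below

set skip on { lo $int_if }   # filter each packet once, on the outside interface
set block-policy drop        # silent drops: scanners get no RST/ICMP to learn from
set state-policy floating    # replies crossing the bridge match the same state

# Shaping applies to traffic leaving via $ext_if, i.e. the servers' uplink
queue std on $ext_if bandwidth 20M
queue  web parent std bandwidth 15M default
queue  ssh parent std bandwidth 1M min 256K

block log all                # default deny, visible on pflog0

# Normalize before filtering: clear DF, randomize IP IDs, clamp MSS
match in all scrub (no-df random-id max-mss 1440)

# Sources already caught brute-forcing get nothing at all
block in quick on $ext_if from <bruteforce>

# Public services: synproxy completes the TCP handshake on the firewall, so a
# SYN flood never consumes server-side resources (goal 2: DoS less effective)
pass in on $ext_if proto tcp to $hosted port $services \
     synproxy state set queue web

# Admin SSH: more than 5 new connections in 30 s from one source adds it to
# <bruteforce> and tears down its existing states (goal 1: deter script kiddies)
pass in on $ext_if proto tcp to $hosted port 22 \
     keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global) \
     set queue ssh

# Servers may initiate outbound connections (DNS, updates, mail), statefully
pass out on $ext_if from $hosted
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -t bruteforce -T show` after a few days: entries never expire on their own, so an `expiretable` cron job or a manual `pfctl -t bruteforce -T flush` is part of the maintenance NM worries about. The single-point-of-failure objection stands; the bridge design only makes the fail-over trivial, since a second identical box with the same pf.conf can be cabled in with no address changes anywhere.]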

[GC said] "We are doing this with a Cisco PIX 525 so far with no problems."

[NM replied] "I guess I should stop toying with the idea and get on with it."

—End

Online resources
  Intrusion Detection Systems Directory
IDSystems Directory: Quick Reference Chart

Related articles:
  [Nov. 15, 2002] Apache Flaws Being Exploited
  [Nov. 13, 2002] Serious BIND Server Flaws Detected
  [Sept. 17, 2002] Worm Gives Linux a Slap in the Face
