do i need hrdwre AND sftwre firewall?

[yanksfan]

Hi,
I have a web/mail server (using linux) for 3 very small websites that is behind a 4-port router and has a built in firewall (It's a home router, so the firewall is not very configurable -- plus it doesn't filter outgoing traffic, only incoming.) The firewall only lets port 80 and 25 be visible to the internet. Everything else (ftp,ssh) is only accessible to the four comp network.

Anyways, is it worth it to configure another firewall on the linux server using ipchains (for extra security)?

-Mike

[avdven]

First of all, most routers with built in firewalls actually only use NAT (Network Address Translation) which isn't really considered a firewall. I don't mean to correct you, I just thought you might be interested in knowing that.

As for a firewall, if you are serving web sites, I highly recommend setting up a firewall. If you don't want to spend money and buy a good hardware firewally, Ipchains are pretty easy to set up (there are plenty of tutorials on the subject both here and elsewhere on the Internet) and will protect you nearly as good, if not better, than a commercial hardware firewall.

AJ

[yanksfan]

Ok, I threw up a quick and dirty firewall. Here's the config for it. Please tell me if I missed something important, or if I'm leaving a big hole -- whatever:

(Input)
target prot opt source dest ports
ACCEPT tcp ------ 0.0.0.0/0 192.168.2.196 * -> 80
ACCEPT tcp ------ 0.0.0.0/0 192.168.2.196 * -> 25
ACCEPT tcp ------ 192.168.2.0/24 192.168.2.196 * -> 22
ACCEPT tcp ------ 192.168.2.0/24 192.168.2.196 * -> 110
ACCEPT tcp ------ 192.168.2.0/24 192.168.2.196 * -> 21
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *

Foward (polict accept)

Output:
ACCEPT tcp ------ 192.168.2.196 192.168.2.0/24 20 -> *
ACCEPT tcp ------ 192.168.2.196 0.0.0.0/0 * -> 25
ACCEPT udp ------ 192.168.2.196 0.0.0.0/0 * -> 53
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *


-Mike

[tonybradley]

I think it is generally a good security practice to implement multiple layers. If someone gets past your first line of defense you will still have one or more other ways to detect or block the threat.

A hacker may develop a knack for bypassing certain types of security or security from certain vendors. Additionally, an attack vector may be caught by one type of security application and missed by another. By applying a hardware and a software firewall you hopefully will catch with one what the other one misses.

[MrLinus]

yanksfan,

How old is your linux kernel? I'd suggest IPTABLES over IPCHAINS because, IMHO, it's designed better and has more flexibility to meet the needs of a website without compromising security (there are a few security flaws in IPCHAINS in the general design of it).

IPCHAINS can use kernels 2.1.x and higher.

IPTABLES can use kernels 2.4.x and higher.

[tampabay420]

Originally posted here by tonybradley

For more information on applying layered security, see:

In Depth Security [/B]

SPAM!
i'm not sure i like this- that's the 20th link to about.com i've seen on the boards in the past two days... i undertsand that you want to advertise your employer (about.com) but around here 0- we call this Spam? s0rry if i seem harsh

[tonybradley]

My apologies. It wasn't intended as spam per se. I am going back through and editing my posts to correct this misdeed and simply post my opinions directly in my post rather than referring to my works elsewhere.

Hopefully I can redeem myself and bring my Antipoints out of the gutter.

[mohaughn]

SPAM in almost all cases is email where you are trying to sell something without somebody asking you to come and sell them on that particular item. If tonyb is very familiar with the content of a particular website because he works there then so what if he posts links from that site. He is not trying to sell you anything. The link he posted was very valid to the original question that was asked, and negging him for posting valid information is totally against what this site is about. Sharing information about the various aspects of network security. If he were just putting posts saying, "hey, come look at my site http://xyz.xyz.xyz." Then you could neg him for spam.

So if I post a link to an article on MS's site detailing the intricacies of a particular vulnerability am I spamming for MS?

[vescovono]

Just saw this:

First of all, most routers with built in firewalls actually only use NAT (Network Address Translation) which isn't really considered a firewall. I don't mean to correct you, I just thought you might be interested in knowing that.

So just to clarify, I have a couple Linksys routers that our company gives us to protect our home highspeed connections. I will cross-check with Linksys, but we were told that those routers would offer a layer of protection. We also bought the Symantec Internet Security and added that as well. This keeps being a moving target for us.

Thanks for the info!

[AciDriveHB]

I totally agree mohaughn. I mean even though we are on Ao, we still refer a lot of people to tutorials and stuff that is on the AO server right... wouldn't that be the same idea? IF someone knows a website well, then they should be able to refer people to it without people saying that person is a "SPAMMER"! Unless someone is getting paid for every hit that is going to about.com? Then that would be totally bad news!

<-- My two cents on the matter...