1999-11-26-05:09:08 Andrew Lawrence:
> As a newbie to the firewalling arena I'm trying to make an informed decision
> as to what firewall to install in 2 scenarios.

Making an informed decision ends up being a rather protracted and iterative
process. You need to determine what your requirements are, and what options
are available, and try and match them up --- but doing a really good job of
defining your requirements ends up having to be informed by some knowledge of
available firewall-building components; there's no point in specifying
something that's impossible or unaffordable. So you end up needing to go back
and forth between researching the field and refining your security policy.

> The first is a web server sat on the Internet [...] One firewall vendor told
> me it was pointless having a firewall to guard my web server !

Good vendor!

An internet web server should be run on a hardened host; it should have a
well-maintained IP stack with no known open Denial-of-Service (DoS) bugs, and
it shouldn't be listening on any ports except the web server port[s]. A
firewall would still have to pass that traffic through to it, so it could do
its job; a properly-secured web server needs no firewall at all.

I also run an sshd for remote admin and content updates. I also beef up the
security stance by adding packet filtering; it prevents anything from
listening on the net without my intending it (so I can run daemons that are
only accessible locally, if necessary); it lets me control where some daemons
can be accessed from (e.g. only allow sshd to come in from the net where the
administrators work), etc. Good packet filters are available for just about
any Unix out there; I use ipchains on Linux and IPFilter on everything else.

> and the second is a firewall to guard our internal network when we connect
> to the Internet via a leased line.

That's the much harder decision. A firewall is probably a good idea. I tend to
favour hybrid proxy/packet-filters implemented with open source components,
for most applications. But to properly configure _whatever_ firewall you get
--- and to make sure the firewall you choose can meet your needs --- you need
to start by writing a security policy, and that security policy will need to
define exactly what you are going to permit and what you are going to
prohibit. Furthermore, you need to ensure that the policy can be enforced, and
so it will need to explain _why_ it includes the mandates. By the time you get
a good security policy defined, actually configuring the firewall to enforce
it will be easy.

-Bennett
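The packet-filter stance Bennett describes for the web host (nothing reachable except the web port(s), sshd only from the administrators' network, a default deny) written out as an ipchains ruleset. This is an added example, not code from the post or from Bennett; the addresses are placeholders passed in by the caller, and setting IPCHAINS=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example: ipchains (Linux 2.2) input ruleset for a single hardened web
# host. Assumed inputs: the host's own address, the admin network (CIDR) and,
# optionally, the address of the DNS resolver the host itself queries. None
# of these values come from the post.

build_ruleset() {
    web_ip=$1                       # address the web server listens on
    admin_net=$2                    # where ssh logins may originate
    resolver=${3:-}                 # optional: resolver whose UDP replies we accept
    fw=${IPCHAINS:-ipchains}        # IPCHAINS=echo gives a dry run

    "$fw" -F input                  # start from an empty input chain
    "$fw" -P input DENY             # anything not explicitly permitted is dropped

    "$fw" -A input -i lo -j ACCEPT  # daemons bound to loopback stay local

    # Public service: the web server port(s), reachable from anywhere.
    "$fw" -A input -p tcp -s 0/0 -d "$web_ip" 80 -j ACCEPT
    "$fw" -A input -p tcp -s 0/0 -d "$web_ip" 443 -j ACCEPT

    # Remote admin and content updates: sshd only from the admin network.
    "$fw" -A input -p tcp -s "$admin_net" -d "$web_ip" 22 -j ACCEPT

    # ipchains is stateless. Replies to connections the host itself opened
    # are admitted by accepting TCP segments without SYN set (! -y). This is
    # exactly why the host must not listen on any other port: a non-SYN
    # probe to some forgotten daemon would pass this rule.
    "$fw" -A input -p tcp ! -y -j ACCEPT

    # UDP has no SYN to key on, so the resolver's replies need their own rule.
    if [ -n "$resolver" ]; then
        "$fw" -A input -p udp -s "$resolver" 53 -j ACCEPT
    fi

    # Everything else is logged (-l) and denied; keep this rule last.
    "$fw" -A input -l -j DENY
}

# Usage (as root):   sh firewall.sh --apply 203.0.113.10 198.51.100.0/24 198.51.100.53
# Dry run:           IPCHAINS=echo sh firewall.sh --apply 203.0.113.10 198.51.100.0/24
if [ "${1:-}" = "--apply" ]; then
    build_ruleset "$2" "$3" "$4"
fi
```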
