While trying not to be rude, I'm not sure where you got the impression that 
firewalls are somehow obsolete. The role of a firewall today is the same as 
it has always been: to stand between private hosts and the public internet.

You've made several statements that I think involve incorrect assumptions:

"when all sorts of stuff would leave open unsecured ports lying around."

Define "unsecured port". Arguably, any port is an "unsecured port" if it's 
open to the internet. It's the sysadmin's prerogative as to whether the 
port should be secured (protected by a firewall) or not.

Applications listen on ports. Sometimes you have an application running 
that you don't want listening to just anyone who connects to it. For 
example, let's say you're running MySQL on your database server, which will 
serve database connections to a cluster of three app servers. A firewall 
makes it possible to restrict connections on TCP port 3306 (MySQL) to 
specific hosts. MySQL has the ability to restrict logins to specific hosts, 
but it is not uncommon for networked software to contain vulnerabilities 
that allow remote attackers to obtain privileged information by sending 
specially crafted requests. The Heartbleed OpenSSL vulnerability is a great 
example. A firewall allows you to restrict who can make such requests.

These days, it's more common to run firewall software directly on the 
database server than it is to use a separate device. However, once your 
infrastructure grows past a certain point, running individual firewalls on 
every host becomes a pain to support, so you may eventually grow to a 
point where you want to run a private network that is entirely behind a 
separate firewall device.

Firewalls allow a sysadmin to implement a policy called default deny. The 
policy of default deny is a good security practice. Under this policy, you 
deny all traffic by default, then specify exactly what you want to allow 
through. This protects you from accidentally exposing ports and software 
that you don't explicitly want to.

Firewalls are alive and well, and if you run your own servers, I'd strongly 
encourage you to install a firewall. Set it up for default deny, and 
explicitly open ports to the services you want to allow.

On Friday, April 11, 2014 3:15:33 PM UTC-4, Ian Young wrote:
>
> This is a genuine question, not trolling I promise.
>  
> In this day and age, what is the benefit of firewalls? I know they were 
> important in the old days of the web, when all sorts of stuff would leave 
> open unsecured ports lying around. And I know they're still useful in, say, 
> a small office with networked printers and whatnot. But on a modern web 
> application server, is a firewall necessary? What benefits does it provide?
>  

-- 
-- 
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
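The default-deny setup described in the message above, as an added example that is not part of the original thread: an nftables ruleset for the database server that drops inbound traffic by default and accepts TCP port 3306 only from the three app servers. The addresses (taken from the 192.0.2.0/24 documentation range), the admin host and the SSH rule are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread.
# All addresses are constructed (192.0.2.0/24 is a documentation range).
# Note: "flush ruleset" replaces every rule already loaded on the host.
flush ruleset

table inet filter {
    # The three app servers that are allowed to talk to MySQL (assumed addresses).
    set app_servers {
        type ipv4_addr
        elements = { 192.0.2.11, 192.0.2.12, 192.0.2.13 }
    }

    # Host allowed to reach SSH for administration (assumption).
    set admin_hosts {
        type ipv4_addr
        elements = { 192.0.2.5 }
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        iif "lo" accept                      # local processes talking to each other
        ct state established,related accept  # replies to connections this host opened
        ct state invalid drop

        # ICMP needed for error reporting, path MTU discovery and IPv6 neighbor discovery.
        icmp type { destination-unreachable, time-exceeded, echo-request } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Explicit allow list: one line per service and permitted source.
        tcp dport 22 ip saddr @admin_hosts accept
        tcp dport 3306 ip saddr @app_servers accept

        # Rate-limited log of what the default policy is about to drop.
        limit rate 5/minute log prefix "input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`; a service started later on another port stays unreachable from the network until a matching accept rule is added.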