>
> However in this setup, how much extra protection can an external
> firewall give? The machines have to have open ports portforwarded
If your web/db servers are properly secured, then the
additional protection for your web/db servers is minimal. However,
the fw will give you an extra layer of protection if additional services
are opened on the web/db servers (by accident or intentionally).
You are correct in that it will not help prevent any exploits for
services that can be accessed from the Internet.
Here is the real benefit I see to have the firewall: intrusion
detection. Your firewall should be configured to prevent the web/db
servers from making unnecessary connections to hosts on the
Internet. For example, why should your web server need to make
http/ftp requests to other hosts (there are exceptions obviously)? If
you properly restrict and log outbound traffic at the firewall, you will see
any attempts made by your web/db servers to connect to hosts on
the Internet. If your web server starts making connection attempts
to www.evildoers.com, you should probably look into it.
In many cases, after a host is compromised, the next step
for the cracker is to download software to your host that lets the
cracker do what he/she wants. If you prevent your web server from
initiating outbound connections to the Internet, you've just thrown up
another roadblock for the cracker. Yes, you could do this with
iptables/ipchains/ipfilter on the web server itself, but if it is a root
compromise, the cracker can disable the filtering you've set up.
Basically, you're being a nice netizen by helping to prevent
your systems from being used to attack others.
Steve Bremer
NEBCO, Inc.