I see the main reasons for a firewall on a web server to be defense in depth
and extra cushion for a possible admin error of running an unnecessary daemon. I'm trying to see if I am overlooking something. I am thinking that in a situation where you have a small infrastructure (a few servers) that you control it's not feasible to deploy a firewall.
3 Answers
As you've implied, security is about layers. Systems get attacked and they get breached in a myriad of ways. By layering our security solutions, we prevent our systems from being subject to a single point of security failure. Sometimes people put firewall devices off-box and sometimes they also put them on-box. Sometimes they do both for just the reason you state: to protect against configuration errors -- a very real, well-defined, and exploitable human condition.
However, from reading your question, it almost sounds like you do not have the infrastructure to support a firewall off-box. So if it comes down to NOT having a firewall and having a firewall -- albeit on your web server -- then put the firewall on your server. The firewall prevents more than just connections to other services. It can prevent certain types of flooding attacks, it can prevent odd and malicious packets from entering the system, it can protect against operating system weaknesses, it can protect against mapping your network and it can protect against data being exfiltrated from your system.
In addition to logicalscope's excellent answer, it's worth bearing in mind that in most cases, a firewall implemented in the OS introduces significantly less latency than one on a separate device. OTOH, OS firewalls vary in the amount of the system they expose before filtering is applied.
in a situation where you have a small infrastructure (a few servers) that you control it's not feasible to deploy a firewall.
That's not a good reason for not having a separate firewall. Even the most basic of routers currently available provide some firewall functionality. And since you're going to need some sort of routing (i.e. you've got a latency overhead anyway) it's downright reckless not to apply both ingress and egress filtering.
It isn't just the risk of an admin issue, having a firewall on a separate device reduces your risk of attack:
- A device which just runs as a firewall has a much smaller attack surface than a web server, which will have a large number of services running.
- A firewall device will, in most cases, have considerably lower latency than one implemented on a server which is also running other things.
However, the main attacks you are going to see will not target the firewall anyway, but will be aimed at the web server, so a normal firewall will just let that traffic on port 80 or 443 through. So in a small, cost-constrained environment, if you can at least add some filtering or an access control list on your router and then have a firewall running on your server, you are at least reducing your risks in a cost-effective way.
Maybe this should be a separate question, but how would your firewall setup be different in a cloud environment? Unless you're a big client, I don't think they'll give you a router. I'm guessing you'd implement the firewall on your load-balancing machine. – m33lky Dec 29 '11 at 18:17
@m33lky - Often a cloud provider will let you use a virtual firewall machine, or if not, you should be able to define an ACL for the router which provides your connection. You can virtualise every part of your environment if necessary. Loadbalancers are generally a bad place to install firewalls - they have a high enough load anyway. – Rory Alsop Dec 29 '11 at 20:13
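To make the answers above concrete, here is an added example (not code from anyone in this thread) of the kind of on-box firewall that implements what they recommend: default-deny ingress with only 80/443 open to the world, SSH reachable only from a management network, and egress filtering so a compromised web server cannot freely exfiltrate or talk to arbitrary hosts. It is written as an nftables ruleset generated by a POSIX shell function so the ruleset can be reviewed or diffed before it is loaded. The management network 203.0.113.0/24 and the resolver 192.0.2.53 are placeholder values, not taken from the thread; substitute your own via the MGMT_NET and DNS_SERVER environment variables.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Generates a host-level nftables ruleset for a small public web server:
#   - ingress: default drop; loopback, established/related, limited ICMP,
#     HTTP/HTTPS from anywhere, SSH only from the management network
#   - egress:  default drop; only replies to existing connections, DNS to
#     one resolver, and outbound HTTP/HTTPS (package updates)
# Placeholder values (assumptions, override with environment variables):
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"    # hypothetical admin network
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"    # hypothetical resolver

# Print the ruleset to stdout so it can be reviewed before it is applied.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 10/second accept
        tcp dport { 80, 443 } accept
        ip saddr $MGMT_NET tcp dport 22 accept
        limit rate 5/second log prefix "fw-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $DNS_SERVER udp dport 53 accept
        tcp dport { 80, 443 } accept
        limit rate 5/second log prefix "fw-output-drop: "
    }
}
EOF
}

# Syntax-check the generated ruleset with nft's dry-run mode, then load it.
# Does nothing on a host without nft so the script is safe to run anywhere.
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; ruleset not applied" >&2; return 0; }
    gen_ruleset | nft -c -f - || { echo "ruleset failed syntax check" >&2; return 1; }
    gen_ruleset | nft -f -
}

# Usage: sh fw.sh         -> print the ruleset for review
#        sh fw.sh apply   -> check and load it (requires root and nft)
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    gen_ruleset
fi
```

The drop rules in both chains are logged with a rate limit, which gives you the detection side of Graham Hill's point about egress filtering: a web server that suddenly produces fw-output-drop entries for unexpected destinations is worth a look. The forward chain is closed because a web server should never route traffic, and the output policy of drop is what stops a compromised daemon from opening arbitrary outbound connections.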