We have a strong perimeter firewall. Would it make sense to still use IPTables on each host to hard block any and all ports except for the ones that are needed (DNS, 80 for the web server, nagios ports, etc.), or would this just lead to inefficiency? The web server gets millions of hits per day.
-
Yes you should - it's called defence in depth. – Oct 16 '12 at 13:57
-
Do you know of a good overall checklist of things such as this (disable unnecessary services, disable ports, etc) just so I can systematically check things off and make sure I'm not missing any? – user974896 Oct 16 '12 at 14:15
-
I like the CIS benchmarks at http://benchmarks.cisecurity.org . They address various operating systems and some common services (Apache etc.). – hwilbanks Oct 16 '12 at 15:29
2 Answers
Yes, it is a good idea to lock down all of the hosts inside the firewall as well to protect against any threats coming from your internal network. That way, if someone gains access to your network or if there is a virus/worm/etc attacking your local machines, there are that many fewer services that could potentially be compromised.
Someone else will need to speak to the inefficiencies in this particular case, although my suspicion is that they would be negligible.
-
Thanks. As I mentioned in my previous comment do you know of a good "best practices" security checklist. I know a lot of them are common sense but would like a systematic way of auditing each host that is backed by industry standards. – user974896 Oct 16 '12 at 14:42
-
One option is to use a tool such as nessus to automatically scan your hosts for vulnerabilities. – Justin Ethier Oct 16 '12 at 14:57
-
That's part of the plan :), I'm actually playing with it right now. I noticed that there weren't many local configuration checks although nessus does have the ability. For example, I do not see a plugin that checks php.ini for things like disabled functions. – user974896 Oct 16 '12 at 15:08
Definitely do this. I've made it a habit to deploy services using Puppet, so the allow service rules are written into the same definition file that installs the service. The generic firewall manifest file finishes off by dropping everything I didn't otherwise allow (besides ICMP. Don't turn off ICMP).
-
Care to clarify your statement about ICMP. I'm sure a lot of people wouldn't know why ICMP needs to be switched on. – Polynomial Oct 16 '12 at 20:48
-
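Both answers describe the same host-level policy: drop everything by default, allow only the ports the host actually serves, and keep ICMP. The script below is an added example written for this page, not code from either answer or from the asker's setup. It generates that policy in `iptables-restore` format rather than issuing one `iptables` command per rule, so the whole table is swapped in a single atomic step. The port numbers are assumptions for illustration (22 for SSH so a remote admin is not locked out, 53 for DNS, 80 for the web server, 5666 as the usual Nagios NRPE port); override them via `ALLOWED_TCP` / `ALLOWED_UDP`. The established-connection rule comes first deliberately: on a server taking millions of hits a day almost every packet matches it, so the rest of the chain is rarely walked and the overhead the question worries about stays small.

```shell
#!/bin/sh
# Added example (not from the original post or answers): emit a default-drop
# host firewall in iptables-restore format. Ports are illustrative assumptions.
ALLOWED_TCP="${ALLOWED_TCP:-22 80 5666}"   # SSH, HTTP, Nagios NRPE (assumed)
ALLOWED_UDP="${ALLOWED_UDP:-53}"           # DNS (assumed)

gen_ruleset() {
    # iptables-restore ignores lines starting with '#', so comments are allowed.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is local only; never filter it.
-A INPUT -i lo -j ACCEPT
# Replies to existing connections first: nearly every packet on a busy web
# server matches here, so the per-port rules below are seldom evaluated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep ICMP: path MTU discovery, unreachable notices and ping all depend on it.
-A INPUT -p icmp -j ACCEPT
EOF
    for p in $ALLOWED_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Log a rate-limited sample of what falls through, so a newly deployed
    # service shows up in the logs instead of silently failing; the INPUT
    # policy then drops the packet.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables-drop: \""
    echo "COMMIT"
}

# Number of port-opening rules in the generated set, for a quick sanity check.
count_open_ports() {
    gen_ruleset | grep -c -- '--dport'
}

# Load atomically (requires root). If the restore fails to parse, the previous
# ruleset stays in place, so a half-applied policy cannot strand your session.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    "")      gen_ruleset ;;
esac
```

Run it with no arguments to review the generated rules, then `--apply` as root. Before trusting it on a remote box, apply it from a console or through `iptables-apply` (Debian's wrapper that rolls back if you do not confirm within a timeout), and verify with `iptables -L INPUT -n -v` that packet counters climb on the ESTABLISHED rule rather than on the LOG rule. Anything you expected to work that now lands in the `iptables-drop:` log entries is a port you forgot to list.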