37

My hosting company says IPTables is useless and doesn't provide any protection. Is this a lie?

TL;DR
I have two, co-located servers. Yesterday my DC company contacted me to tell me that because I'm using a software firewall my server is "Vulnerable to multiple, critical security threats" and my current solution offers "No protection from any form of attack".

They say I need to get a dedicated Cisco firewall ($1000 installation then $200/month each) to protect my servers. I was always under the impression that, while hardware firewalls are more secure, something like IPTables on RedHat offered enough protection for your average server.

Both servers are just web-servers, there's nothing critically important on them but I've used IPTables to lock down SSH to just my static IP address and block everything except the basic ports (HTTP(S), FTP and a few other standard services).

I'm not going to get the firewall; if either of the servers were hacked it would be an inconvenience, but all they run is a few WordPress and Joomla sites, so I definitely don't think it's worth the money.

Eddie C.
Smudge
  • Your hosting company sounds like a bunch of chancers! Nothing wrong with IPTables, and in most cases it offers a lot more features than Cisco ASA etc. The recent module and limit module come to mind here. – Niall Donegan May 11 '11 at 14:28
  • Care to share what company this is, so the rest of us can steer clear? – Hyppy May 11 '11 at 14:32

6 Answers

35

Hardware firewalls are running software too, the only real difference is that the device is purpose built and dedicated to the task. Software firewalls on servers can be just as secure as hardware firewalls when properly configured (note that hardware firewalls are generally 'easier' to get to that level, and software firewalls are 'easier' to screw up).

If you're running outdated software, there's likely a known vulnerability. While your server might be susceptible to this attack vector, stating that it is unprotected is inflammatory, misleading, or a boldface lie (depends on what exactly they said and how they meant it). You should update the software and patch any known vulnerabilities regardless of the probability of exploitation.

Stating that IPTables is ineffective is misleading at best. Though again, if the one rule is allow everything from all to all then yeah, it wouldn't be doing anything at all.

Side Note: all my personal servers are FreeBSD powered and use only IPFW (built-in software firewall). I have never had a problem with this setup; I also follow the security announcements and have never seen any issues with this firewall software.
At work we have security in layers; the edge firewall filters out all the obvious crap (hardware firewall); internal firewalls filter traffic down for the individual servers or location on the network (mix of mostly software and hardware firewalls).
For complex networks of any kind, security in layers is most appropriate. For simple servers like yours there may be some benefit in having a separate hardware firewall, but fairly little.

Eddie C.
Chris S
    +1 - All firewalls are "software firewalls". It's more of a "software firewall with software you control" versus "software firewall that is a sealed black box". Constrain your open ports to the minimum needed for the servers to work, drop obviously bogus traffic, and don't forget egress filtering and you'll be good. – Evan Anderson May 11 '11 at 13:35
  • Yeah I try and keep everything up to date, and I'd probably say I understand security quite well, I was just a bit shocked that my DC company were telling me my protection is useless, I'd always assumed IP tables was good for basic servers and hardware firewalls were good if you were, say, Sony =) – Smudge May 11 '11 at 13:36
  • +1, IPTables is what many decent firewall systems are built on. Your hosting company is lying through their teeth to try and make some extra cash off you. Dump them for a reputable vendor. – Hyppy May 11 '11 at 14:30
  • `allow everything from all to all` can just as easily be implemented on the hardware firewall - to similar effect. – CrackerJack9 Jul 11 '14 at 01:39
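As an added example (not the questioner's actual rule set, and not code from this answer), here is a host firewall script of the kind the question describes: default policies set to DROP rather than the empty allow-all chain this answer warns about, SSH restricted to one static admin address, only the public service ports open, obviously bogus packets dropped, and the egress filtering Evan Anderson mentions. The admin address 203.0.113.10 is a placeholder from the documentation range; `DRY_RUN=1` prints the commands for review instead of running them.

```shell
#!/bin/sh
# Host firewall for a small co-located web server (added example; not the
# questioner's rule set, only one that matches what the question describes).
# Assumptions, all placeholders: the admin's static address is ADMIN_IP
# (203.0.113.10 from the documentation range) and the box speaks plain iptables.
# Run with DRY_RUN=1 to print the commands for review instead of executing them.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
IPT="${IPT:-iptables}"

# Execute an iptables command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

apply_host_rules() {
    # Flush, then default-deny: a chain whose policy is ACCEPT with no rules is
    # exactly the "allow everything from all to all" non-firewall.
    run -F
    run -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # --- inbound ---
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Obviously bogus: invalid state, or a "new" TCP connection that is not a SYN.
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    run -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # SSH only from the administrator's static address.
    run -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -m conntrack --ctstate NEW -j ACCEPT
    # Public services: web, plus FTP control (passive data needs nf_conntrack_ftp loaded).
    run -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    run -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
    # Log a sample of what is about to hit the DROP policy.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "

    # --- outbound (egress filtering) ---
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # What a web server legitimately initiates: DNS, HTTP(S) for updates, NTP, ICMP.
    run -A OUTPUT -p udp --dport 53 -j ACCEPT
    run -A OUTPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT
    run -A OUTPUT -p udp --dport 123 -j ACCEPT
    run -A OUTPUT -p icmp -j ACCEPT
    # Anything else leaving the box is worth knowing about.
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

# Number of -A rules the set installs, handy as a sanity check after an edit.
rule_count() {
    (DRY_RUN=1; apply_host_rules) | grep -c ' -A '
}

case "${1:-}" in
    apply) apply_host_rules ;;
    show)  DRY_RUN=1; apply_host_rules ;;
esac
```

Review with `sh firewall.sh show`, apply with `sh firewall.sh apply`, check the live table with `iptables -L -n -v`, and persist with `iptables-save` (on RedHat the saved set lives in /etc/sysconfig/iptables). Rule order matters: the ESTABLISHED,RELATED rule sits first so an open SSH session survives a re-apply, and when applying over SSH it is prudent to leave a delayed `iptables -F` running in the background until you have confirmed you can still log in.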
8

Running a firewall on the protected server itself is less secure than using a separate firewall machine. It does not have to be a "hardware" firewall. Another Linux server set as a router with IPTables would work fine.

The security problem with firewalls on the protected server is that the machine may be attacked through its running services. If the attacker can get root level access, the firewall can be modified or disabled or bypassed through a kernel root-kit.

A separate firewall machine should have no services running except for SSH access and that SSH access should be limited to administration IP ranges. It should be relatively invulnerable to attack, barring bugs in the IPTables implementation or TCP stack, of course.

The firewall machine can block and log network traffic that shouldn't exist, giving you valuable early warning of cracked systems.

Zan Lynx
  • If the server is rooted, it likely won't matter that the attacker can open other ports, as they already can access anything local. If the attacker can gain root access to the server via ports allowed through the Firewall, it likely doesn't matter what the firewall is blocking. Furthermore, SSH on the server should be restricted just as much as SSH access to the firewall machine. – CrackerJack9 Jul 11 '14 at 01:35
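An added example of the arrangement this answer describes, not code from the answer itself: the rule set for a separate Linux box routing between the upstream link and the two web servers, written in the format `iptables-restore` reads, plus a small summariser for the LOG lines its egress rules produce, which is where the early warning about a cracked server shows up. Interface names, the servers' addresses (198.51.100.11 and .12, routed rather than NATed), the admin range 203.0.113.0/24 and the sample log lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the answer: rule set for a separate Linux router/firewall
# box in front of two web servers, emitted in iptables-restore format, plus a
# summariser for the LOG lines it produces. Assumptions (placeholders from the
# documentation ranges): upstream link on eth0, server segment on eth1, servers
# with routed public addresses 198.51.100.11/.12 (no NAT), admin range 203.0.113.0/24.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_SERVERS="${WEB_SERVERS:-198.51.100.11 198.51.100.12}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the rule set; apply with: router_ruleset | iptables-restore
router_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # The firewall box itself offers nothing but SSH, and only to the admin range.
    printf '%s\n' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT" \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # Traffic through the box: replies and related traffic first, garbage out.
    printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # Per server: public web, and SSH only from the admin range.
    for srv in $WEB_SERVERS; do
        printf '%s\n' \
            "-A FORWARD -i $WAN_IF -o $LAN_IF -d $srv -p tcp -m multiport --dports 80,443 -j ACCEPT" \
            "-A FORWARD -i $WAN_IF -o $LAN_IF -d $srv -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT"
    done
    # Egress from the servers: DNS, NTP, HTTP(S) for updates. Everything else is
    # logged before the DROP policy eats it; that log is the early warning.
    printf '%s\n' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -p udp -m multiport --dports 53,123 -j ACCEPT" \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 53,80,443 -j ACCEPT" \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 10/min -j LOG --log-prefix \"FW-EGRESS-DROP: \"" \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -m limit --limit 10/min -j LOG --log-prefix \"FW-INGRESS-DROP: \"" \
        'COMMIT'
}

# Summarise FW-EGRESS-DROP lines from stdin as "count SRC PROTO DPT", most frequent
# first. A protected server repeatedly trying to reach the outside on ports it has
# no business using is exactly the signal worth paging on.
summarize_egress_drops() {
    grep 'FW-EGRESS-DROP:' | awk '
    {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of kernel log lines in the layout the LOG target emits
# (fields trimmed to the ones used here).
SAMPLE_LOG='May 11 14:28:01 fw kernel: FW-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=198.51.100.11 DST=192.0.2.55 LEN=60 PROTO=TCP SPT=45120 DPT=6667 SYN
May 11 14:28:03 fw kernel: FW-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=198.51.100.11 DST=192.0.2.55 LEN=60 PROTO=TCP SPT=45121 DPT=6667 SYN
May 11 14:28:09 fw kernel: FW-INGRESS-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.9 DST=198.51.100.12 LEN=40 PROTO=TCP SPT=5555 DPT=23 SYN
May 11 14:28:15 fw kernel: FW-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=198.51.100.12 DST=192.0.2.77 LEN=60 PROTO=UDP SPT=51000 DPT=5060'

case "${1:-}" in
    ruleset)   router_ruleset ;;
    summarize) summarize_egress_drops ;;
    demo)      printf '%s\n' "$SAMPLE_LOG" | summarize_egress_drops ;;
esac
```

Load with `sysctl -w net.ipv4.ip_forward=1` followed by `sh router-fw.sh ruleset | iptables-restore`, and feed the kernel log to the summariser, e.g. `grep FW-EGRESS-DROP /var/log/messages | sh router-fw.sh summarize`. On the constructed sample the first line is `2 198.51.100.11 TCP 6667`: one server trying twice to open an outbound connection on a port no web server needs. Both the firewall box and each server only accept SSH from the admin range, which is the point CrackerJack9's comment makes.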
4

If your traffic is low, try a small Cisco ASA unit like the 5505. It's in the $500-$700 range and definitely purpose-built. The co-lo is sorta giving you BS, but their rates for the firewall are also unreasonable.

ewwhite
4

I think it also depends on performance. What a software/server based firewall does using CPU cycles, a hardware firewall can do with purpose built chips (ASICs) which leads to better performance and throughput.

Robert
  • Do you have any metrics for that comparison? The server is likely running a more powerful processor and will need to perform TCP related computations, regardless of a hardware firewall being in front of it (think local TCP stack, etc.). – CrackerJack9 Jul 11 '14 at 01:38
3

From your perspective the real difference between "software" (on the machine itself) and "hardware" firewalls is that in the first case the traffic is already at the machine you want to protect, so it's potentially more vulnerable if something has been overlooked or misconfigured.

A hardware firewall essentially acts as a pre-filter, which only allows specific traffic to reach and/or exit your server.

Given your use case, and assuming of course that you have proper backups, the extra expense would be very hard to justify. Personally I'd continue with what you have, although perhaps using a different hosting company.

John Gardeniers
3

Late to the game on this one. Yes, the service provider has no idea what they are talking about. If you are a competent IPTABLES administrator, I would say that you are more secure than an out-of-the-box hardware firewall. The reason is that when I have used them, the nice gee-whiz interface does not reflect the actual configuration of what traffic is allowed through. The vendors try to dumb it down for us dumb people. I want to know about every possibility of every packet going in and out.

IPTABLES is not for everyone, but if you are serious about security, you want to be as close to the wire as possible. Securing a system is easy - reverse engineering a blackbox firewall is not.

dalel2000
  • I believe RHEL's iptables default chain is `ACCEPT`, while most hardware firewalls are defaulted to `DROP`. In that respect, out of the box hardware is more secure than out of the box software. Granted, a lot of cloud vendors have modified that default and the installation wizard allows you to specify rules before the installation is complete... – CrackerJack9 Jul 11 '14 at 01:43