Wow. I felt too crappy last night to respond to this one, but I have to say, Dustin said most of what I intended to say. A definite separation of firewall and webserver is needed *IF* you are careful about security. As Dustin said, if an Apache vulnerability is found and someone cracks your webserver, as has already happened to you once, then you only need to rebuild your webserver. When running an enterprise you normally build separate boxes for each service available, for this reason, as well as for distributing load until you start needing clustering or load balancing of some sort.
Read what the IPCop site has to say about adding services to your firewall and you may change your mind. http://www.ipcop.org/1.4.0/en/install/html/overview.html The docs that came with IPCop 1.3.0 has an even scarier message, "Here there be dragons...". Also, if your webserver is running on your home network, like mine is, you eventually want the externally available servers in a DMZ to protect your other home machines. I've been very happy with my IPCop 1.3 box and will soon upgrade to 1.4.0, but for now I'm too busy. 1.4.0 has a cool wireless DMZ added on, the Blue interface. I recently bought a PCI wireless card that will be tried out in this mode.
Dustin, as always, your $.02 is well appreciated. Nice post.
Brian Kelsay
"Dustin Decker" <> 10/07/04 06:07PM >>>
-----Original Message----- From: On Behalf Of Brian Densmore
Well, actually I already have iptables running. I have only the ports open that need to be open and only running the services that are needed. I was really looking for what people thought about firewalls protecting webservers and such. I mean not just iptables but the whole ball of wax, the tools for monitoring, etc.
Ports I use:
SMTP 25 WWW ports 80 and 443 IMAPS port 993 and the SSH ports
I would say one of the primary benefits of a dedicated firewall is found in the very clear separation of duties across hosts. For example, I make use of IPCop frequently with clients. If I need a port open for them (which isn't always the case) then I can forward it. In those cases where I have a handful of Windows users, I have the added benefit of using proxy services, tuned to the satisfaction of management, etc.
My personal favorite is intrusion detection. In the case of IPCop, I make use of idabench to log all packets in/out of the network in binary format, farm it out to my analysis units, and replay through snort. Any of this type of activity, if performed on the web server, mail server, or what have you, adds an unnecessary load to that system. In addition, with extra services floating on the box, the odds that I will drop packets increases - and I only have to miss one to miss the Really Bad Packet(tm).
One other concern I would have is for vulnerable software. If I have an apache server behind a firewall, and a new vulnerability is discovered, exploitation of it doesn't place my firewall at risk, where as root access gained through [insert hack of the week here] quickly gains the ability to disable iptables entirely. I guess this is one of those rare instances in which I don't entirely agree with Frank. (Oh, and my hang up on "bastion hosts".)
Just for fun, while looking at the ports you have listed above, I wonder if you even need port 993 open. You mentioned in a previous post that you use webmail. If this is the _only_ method you use to check your mail, 993 needn't be open. That's only required if you have a mail client that fetches mail that way. (Squirrelmail, for example, can connect on loopback [127.0.0.1] to reach the mail server.)
My $.02 on this thread.
One of the points in having the webserver behind and seperate from the firewall is that even if you were to compromise the security of the webserver, you would still be restricted in what you could do with it because of the firewall. Some clever tunneling using the web protocols would give you a pretty free hand, but your traffic would still be limited.
-
Brian Kelsay -
Jonathan Hutchins