Well, actually I already have iptables running. I have only the ports open that need to be open and only running the services that are needed. I was really looking for what people thought about firewalls protecting webservers and such. I mean not just iptables but the whole ball of wax, the tools for monitoring, etc.
Ports I use:
SMTP (25), WWW (80 and 443), IMAPS (993) and the SSH ports
-----Original Message----- From: Frank Wiles
On Thu, 7 Oct 2004 17:05:45 -0500 "aaron hirsch"
Why tell anyone here are the ports you will need to have open when all ... http/https. Why open the door further than it needs to be?
I wasn't trying to give him advice on how to run his E-mail setup.
The listing of the ports was just an example to help illustrate why running a firewall in front of an E-mail server is typically pointless.
I apologize if that wasn't clear.
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Brian Densmore Sent: Thursday, October 07, 2004 5:45 PM To: [email protected] Subject: RE: firewalls and webservers request for comments
I would say one of the primary benefits of a dedicated firewall is found in the very clear separation of duties across hosts. For example, I make use of IPCop frequently with clients. If I need a port open for them (which isn't always the case) then I can forward it. In those cases where I have a handful of Windows users, I have the added benefit of using proxy services, tuned to the satisfaction of management, etc.
My personal favorite is intrusion detection. In the case of IPCop, I make use of idabench to log all packets in/out of the network in binary format, farm it out to my analysis units, and replay through snort. Any of this type of activity, if performed on the web server, mail server, or what have you, adds an unnecessary load to that system. In addition, with extra services floating on the box, the odds that I will drop packets increases - and I only have to miss one to miss the Really Bad Packet(tm).
One other concern I would have is for vulnerable software. If I have an apache server behind a firewall, and a new vulnerability is discovered, exploitation of it doesn't place my firewall at risk, whereas root access gained through [insert hack of the week here] quickly gains the ability to disable iptables entirely. I guess this is one of those rare instances in which I don't entirely agree with Frank. (Oh, and my hang-up on "bastion hosts".)
Just for fun, while looking at the ports you have listed above, I wonder if you even need port 993 open. You mentioned in a previous post that you use webmail. If this is the _only_ method you use to check your mail, 993 needn't be open. That's only required if you have a mail client that fetches mail that way. (Squirrelmail, for example, can connect on loopback [127.0.0.1] to reach the mail server.)
My $.02 on this thread.
Dustin Decker
On Thu, 7 Oct 2004 18:07:19 -0500 "Dustin Decker" [email protected] wrote:
One other concern I would have is for vulnerable software. If I have an apache server behind a firewall, and a new vulnerability is discovered, exploitation of it doesn't place my firewall at risk, whereas root access gained through [insert hack of the week here] quickly gains the ability to disable iptables entirely. I guess this is one of those rare instances in which I don't entirely agree with Frank. (Oh, and my hang-up on "bastion hosts".)
Yup, this is the spot where we disagree. :)
I can see why you wouldn't want someone to compromise your firewall, but this is of little concern if they have compromised a server behind it.
If I can gain root access to the server running Apache behind the firewall... what exactly is the firewall doing for you then? I've got full access to your "protected" network now...
I will admit you can limit the hosts the webserver can access, etc. but most people set up a firewall as a line in the sand and don't do security like an onion. Break through one layer... several more layers to go.
This is why I prefer using something like iptables. If they can compromise the machine... well that's all they can do. Of course they can turn off iptables and compromise the machine further, but they don't have any special access to the other servers which should keep them out of the others.
--------------------------------- Frank Wiles [email protected] http://www.wiles.org ---------------------------------
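As an added example (not code posted by anyone in this thread) of the host-based iptables approach Frank describes, combined with Dustin's point that 993 need not be exposed when webmail talks to IMAP over loopback: a minimal iptables-restore ruleset that accepts only 25, 80/443 and SSH from outside, keeps 993 reachable on 127.0.0.1 only, and also limits what the host itself may open connections to, so a compromised web server gains no free run of the rest of the network. The interface name eth0, SSH port 22 and the internal address 192.0.2.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (placeholders): eth0 is the
# public interface, SSH listens on 22, IMAPS still listens on 993 but is only
# reached by the webmail application over loopback, and 192.0.2.10 is the one
# internal host this server is allowed to open new connections to.
PUB_IF="${PUB_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
INTERNAL_ALLOWED="${INTERNAL_ALLOWED:-192.0.2.10}"

# Emit the ruleset in iptables-restore format (default-deny on every chain).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: this is how webmail reaches IMAPS on 993 without exposing it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# only the services that must be reachable from outside; 993 is deliberately absent
-A INPUT -i $PUB_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# egress: a compromised web server should not be able to reach the rest of the network
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $PUB_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $PUB_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $INTERNAL_ALLOWED -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-egress-drop: "
COMMIT
EOF
}

# Print the ruleset for review by default; load it only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Review the printed output first, then run with `--apply` as root; dropped inbound and outbound packets show up in the kernel log with the two prefixes, which is the monitoring hook the thread asks about.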