firewalls and webservers request for comments

Dustin Decker dustin.decker at 1on1security.com
Thu Oct 7 18:07:19 CDT 2004 

> -----Original Message-----
> From: kclug-bounces at kclug.org [mailto:kclug-bounces at kclug.org] On Behalf
> Of Brian Densmore
> Sent: Thursday, October 07, 2004 5:45 PM
> To: kclug at kclug.org
> Subject: RE: firewalls and webservers request for comments
> 
> Well, actually I already have iptables running.
> I have only the ports open that need to be open
> and only running the services that are needed.
> I was really looking for what people thought about
> firewalls protecting webservers and such. I mean
> not just iptables but the whole ball of wax, the
> tools for monitoring, etc.
> 
> Ports I use:
> 
> SMTP 25
> WWW ports 80 and 443
> IMAPS port 993
> and the SSH ports

I would say one of the primary benefits of a dedicated firewall is found in
the very clear separation of duties across hosts.  For example, I make use
of IPCop frequently with clients.  If I need a port open for them (which
isn't always the case) then I can forward it.  In those cases where I have a
handful of Windows users, I have the added benefit of using proxy services,
tuned to the satisfaction of management, etc.

My personal favorite is intrusion detection.  In the case of IPCop, I make
use of idabench to log all packets in/out of the network in binary format,
farm it out to my analysis units, and replay through snort.  Any of this
type of activity, if performed on the web server, mail server, or what have
you, adds an unnecessary load to that system.  In addition, with extra
services floating on the box, the odds that I will drop packets increases -
and I only have to miss one to miss the Really Bad Packet(tm).

One other concern I would have is for vulnerable software.  If I have an
apache server behind a firewall, and a new vulnerability is discovered,
exploitation of it doesn't place my firewall at risk, where as root access
gained through [insert hack of the week here] quickly gains the ability to
disable iptables entirely.  I guess this is one of those rare instances in
which I don't entirely agree with Frank.  (Oh, and my hang up on "bastion
hosts".)
 
Just for fun, while looking at the ports you have listed above, I wonder if
you even need port 993 open.  You mentioned in a previous post that you use
webmail.  If this is the _only_ method you use to check your mail, 993
needn't be open.  That's only required if you have a mail client that
fetches mail that way.  (Squirrelmail, for example, can connect on loopback
[127.0.0.1] to reach the mail server.)

My $.02 on this thread.

Dustin Decker

More information about the Kclug mailing list