huhuxx asked:
Firewall on the same Linux machine as mail/web server
I need to have a mail server and a web server on a Linux OS. I also need to install a firewall.
Why do many experts suggest not having a firewall and web/mail servers on the same physical machine? Why do they suggest having a separate machine devoted only to the firewall?
If I install both web/mail services and a firewall on the same machine, what kind of risk do I have to face?
Thanks
IMHO a firewall on the server is like letting the enemy army into your fortress and trying to hold them back there: they are already inside, so the damage they CAN do is much higher than if you had kept them outside. Of course this isn't necessarily a threat, but the risk of a process being hijacked is higher.
For companies having several machines, the real point of a firewall is to prevent an intruder who breaks a machine with public services from cracking into the private area, which should not be visible to the internet.
If your primary need is just to have a standalone mail and web server, not connected to an internal network, there is no obvious reason why you would need packet filtering.
Once you have removed any service which shouldn't be available to the internet, would a firewall do more than block access to ports which are already open?
A reason to use filtering, for example, may be to filter the ssh port if you are systematically logging in from the same static IP, but a firewall is not systematically needed.
Any useless goodie you add like packet filtering or NIDS can add security holes themselves.
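As an added illustration (not posted by anyone in the thread), here is what the "standalone mail/web server, ssh only from a static IP" case above looks like as a host firewall in nftables syntax. The admin address 203.0.113.10 is an assumed placeholder from the documentation range; the only listening services assumed are SMTP, HTTP and HTTPS.

```nft
#!/usr/sbin/nft -f
# Added example for a standalone mail + web host; not from the thread.
# Load with: nft -f /etc/nftables.conf
# ASSUMPTION: 203.0.113.10 is the administrator's static IP (placeholder).

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path-MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The public services this host actually provides: SMTP, HTTP, HTTPS.
        # Anything else that happens to be listening is NOT reachable.
        tcp dport { 25, 80, 443 } accept

        # SSH is reachable only from the admin's static address.
        ip saddr 203.0.113.10 tcp dport 22 accept

        # Log (rate-limited so the log stays readable) before the drop policy.
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        # A standalone host routes nothing; refuse to forward.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The point made in the thread still holds: apart from the ssh source restriction, this ruleset blocks nothing that a correctly configured host would not already have closed.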
The only reason for not having a webserver running on the same system as your mail server is the "putting all your eggs in one basket" idea. If you are compromised through a flaw in one, it exposes everything else on the system as well. The key is to have good firewalling, select secure daemon packages, and configure all of them properly.
My recommendations are as follows:
For the firewall, start with the homeLANsecurity script. It is easily configurable and very powerful. You can find this at:
http://www.unixpages.com/hls
Apache is the standard for webservers. I would still recommend using the 1.3.x versions rather than 2.x. Last I looked, they were still not recommending 2.x for production environments, due to security concerns.
For your e-mail server, I'd recommend Qmail. It is by far the most secure of mail servers amongst its very insecure peers. A good website that describes all aspects of installation and configuration of Qmail is:
http://www.qmailrocks.com
I hope this helps.
It's a 50-point question. Since there were many people posting, and all said about the same thing, why not just PAQ it and forget the points...
Who cares about the points here; when people still write when the submitter doesn't bother to reply, it turns into a discussion forum.
Seems like an oxymoron to me... And that's part of the basic premise. A service that doesn't maintain the highest level of security can potentially be compromised through a flaw in the daemon. If that flaw is exploited in the right manner, full access to the host could be gained. That's pretty much the exact opposite of what you need from your firewall. Hence the best practice to deploy these services on different pieces of hardware.