Solved

Firewall on the same Linux machine as mail/web server

Posted on 2004-04-12
10
274 Views
Last Modified: 2010-04-22
I need to have a mail server and a web server on a Linux OS. I also need to install a firewall.
Why do many experts suggest not having a firewall and web/mail servers on the same physical machine? Why do they suggest having a separate machine devoted only to the firewall?
If I install both web/mail services and a firewall on the same machine, what kind of risk do I have to face?
Thanks
0
Question by:huhuxx
10 Comments
 
LVL 9

Accepted Solution

by:
Alf666 earned 25 total points
ID: 10804524
People recommend that because the firewall should not have any service enabled. It should only be a router which "tunnels" packets.

The risk of having any service run on the firewall host is that, if any of these applications is "corruptable" (i.e. has any security bug), then your whole security is possibly compromised.

Take the example of a web server.

1) You use Apache
This is good. It's supposedly bug free.

2) Do you have the knowledge to configure it properly, avoiding any known traps, specific CGI apps, etc.?

3) Your webmaster will add content to this site. Does he have the knowledge to avoid adding security traps?

...etc.

If you know exactly what you're doing, then the risk is "limited". But keep in mind that there is no risk free system. It's just a matter of the value of what you want to protect vs. the investment.

0
 
LVL 3

Assisted Solution

by:rfr1tz
rfr1tz earned 25 total points
ID: 10806294
The firewall can have all other apps turned off. But since it allows ports 80/443 through, your web server is still in danger - this can't be helped.

If you took the firewall and turned on JUST the web server, the security would be equal to a web server behind a separate firewall. The problem is if you want to do other things on the web server box besides just firewall and web server. Maybe, use X-windows for example. Then you introduce more vulnerabilities.

Also, you might have a performance problem.
0
 
LVL 12

Expert Comment

by:mburdick
ID: 10819828
A firewall must maintain the highest level of security. Web servers trust anyone to connect.

Seems like an oxymoron to me... And that's part of the basic premise. A service that doesn't maintain the highest level of security can potentially be compromised through a flaw in the daemon. If that flaw is exploited in the right manner, full access to the host could be gained. That's pretty much the exact opposite of what you need from your firewall. Hence the Best Practice to deploy these services on different pieces of hardware.
0
 
LVL 1

Expert Comment

by:ipuschner
ID: 10821729
IMHO a firewall on the server is like letting the enemy army into your fortress and trying to hold them back there: they are already inside, so the damage they CAN do is much higher than if you let them stay outside. Of course this isn't a necessary threat, but the risk of a process being hijacked is higher.
0
 
LVL 2

Expert Comment

by:alain_tesio
ID: 10859921
For companies having several machines, the real point of a firewall is to prevent an intruder who breaks a machine with public services to crack into the private area which should not be visible to the internet.

If your primary need is just to have a standalone mail and web server, not connected to an internal network, there is no obvious reason why you would need packet filtering.

Once you have removed any service which shouldn't be available to the internet, would a firewall do more than block access to ports which are already open?

A reason to use filtering, for example, may be to filter the ssh port if you are systematically logging in from the same static IP, but a firewall is not systematically needed.

Any useless goodie you add like packet filtering or NIDS can add security holes themselves.
0
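The setup alain_tesio describes, a standalone web/mail host with its own packet filter and ssh restricted to one static address, as an added example that is not from the thread. `ADMIN_IP` is a placeholder you must replace; `DRY_RUN=1` prints the rules for review instead of applying them (applying needs root and iptables).

```shell
#!/bin/sh
# Host-based iptables rules for a box running only web and mail (added example).
# ADMIN_IP is an assumed placeholder (TEST-NET-3 address); replace it with the
# static address you always log in from.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
IPT="${IPT:-iptables}"

# Wrapper: echo the command under DRY_RUN=1, otherwise execute it.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    # Start clean, then deny everything inbound that is not explicitly allowed.
    fw -F INPUT
    fw -P INPUT DROP
    fw -P FORWARD DROP          # this host is not a router
    fw -P OUTPUT ACCEPT

    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -m state --state INVALID -j DROP

    # Public services: these ports stay open to the world no matter what,
    # so the web and mail daemons themselves still carry the exposure.
    fw -A INPUT -p tcp --dport 80 -j ACCEPT
    fw -A INPUT -p tcp --dport 443 -j ACCEPT
    fw -A INPUT -p tcp --dport 25 -j ACCEPT

    # ssh only from the one static admin address (alain_tesio's case).
    fw -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT

    # Log (rate-limited) and drop whatever is left so probes show up in syslog.
    fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    fw -A INPUT -j DROP
}

# Review helper: how many generated rules open the given port to everyone
# (i.e. without a -s source restriction). Run before applying for real.
count_open_to_world() {
    DRY_RUN=1 apply_rules | grep -- "--dport $1 " | grep -vc -- "-s " || true
}
```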
 
LVL 2

Expert Comment

by:garak1357
ID: 11985784
The only reason for not having a webserver running on the same system as your mail server is the putting-all-your-eggs-in-one-basket idea. If you are compromised through a flaw in one, it exposes everything else on the system as well. The key is to have good firewalling, select secure daemon packages, and configure all of them properly.

My recommendations are as follows:

For the firewall, start with homeLANsecurity script.  It is easily configurable and very powerful.  You can find this at:

http://www.unixpages.com/hls

Apache is the standard for webservers. I would still recommend using the 1.3.x versions rather than 2.x. Last I looked, they were still not recommending 2.x for production environments, due to security concerns.

For your e-mail server, I'd recommend Qmail. It is by far the most secure of mail servers among its very insecure peers. A good website that describes all aspects of installation and configuration of Qmail is:

http://www.qmailrocks.com

I hope this helps.
0
 
LVL 12

Expert Comment

by:mburdick
ID: 12371620
It's a 50-point question. Since there were many people posting, and all said about the same thing, why not just PAQ it and forget the points...
0
 
LVL 2

Expert Comment

by:alain_tesio
ID: 12372933
Who cares about the points here? When people still write when the submitter doesn't bother to reply, it turns into a discussion forum.
0
