Firewall on the same Linux machine as mail/web server

I need to have a mail server and a web server on a Linux OS. I also need to install a firewall.
Why do many experts suggest not having the firewall and the web/mail servers on the same physical machine? Why do they suggest having a separate machine devoted only to the firewall?
If I install both the web/mail services and the firewall on the same machine, what kind of risk do I have to face?
Thanks
Asked by huhuxx

2 Solutions
Alf666 commented:
People recommend that because the firewall should not have any service enabled. It should only be a router which "tunnels" packets.

The risk of having any service run on the firewall host is that, if any of these applications is "corruptable" (i.e. has any security bug), then your whole security is possibly compromised.

Take the example of a web server.

1) You use Apache
This is good. It's supposedly bug free.

2) Do you have the knowledge to configure it properly, avoiding any known traps, specific CGI apps, etc.?

3) Your webmaster will add content to this site. Does he have the knowledge to avoid adding security traps?

...etc.

If you know exactly what you're doing, then the risk is "limited". But keep in mind that there is no risk free system. It's just a matter of the value of what you want to protect vs. the investment.

rfr1tz commented:
The firewall can have all other apps turned off. But since it allows ports 80/443 through, your web server is still in danger - this can't be helped.

If you took the firewall and turned on JUST the web server, the security would be equal to a web server behind a separate firewall. The problem is if you want to do other things on the web server box besides just firewall and web server. Maybe, use X-windows for example. Then you introduce more vulnerabilities.

Also, you might have a performance problem.
mburdick commented:
A firewall must maintain the highest level of security. Web servers trust anyone to connect.

Seems like an oxymoron to me... And, that's part of the basic premise. A service that doesn't maintain the highest level of security can potentially be compromised through a flaw in the daemon. If that flaw is exploited in the right manner, full access to the host could be gained. That's pretty much the exact opposite of what you need from your firewall. Hence, the Best Practice to deploy these services on different pieces of hardware.
ipuschner commented:
IMHO a firewall on the server is like letting the enemy army into your fortress and trying to hold them back there: They are already inside, so the damage they CAN do is much higher than letting them stay outside. Of course this isn't necessarily a threat, but the risk of a process being hijacked is higher.
alain_tesio commented:
For companies having several machines, the real point of a firewall is to prevent an intruder who breaks a machine with public services to crack into the private area which should not be visible to the internet.

If your primary need is just to have a standalone mail and web server, not connected to an internal network, there is no obvious reason why you would need packet filtering.

Once you have removed any service which shouldn't be available to the internet, would a firewall do more than block accesses to ports which are already open?

A reason to use filtering for example may be to filter the ssh port if you are systematically logging from the same static IP, but a firewall is not systematically needed.

Any useless goodie you add like packet filtering or NIDS can add security holes themselves.
garak1357 commented:
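The filtering alain_tesio describes above (only the public web/mail ports open, SSH accepted from one static admin address, nothing else reachable) written out as an nftables ruleset. This is an added example, not code from the thread or from any script mentioned in it; the address 203.0.113.10 is a constructed placeholder.

```shell
#!/bin/sh
# Generate (and optionally apply) a host firewall for a standalone
# Linux box that runs its own web and mail server.
# Assumptions: nftables is installed; the admin IP below is a placeholder.

# Print an nftables ruleset that exposes only 25/80/443 to everyone
# and 22 to a single administrative source address.
gen_ruleset() {
    admin_ip="$1"
    [ -n "$admin_ip" ] || { echo "usage: gen_ruleset <admin-ip>" >&2; return 1; }
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport { 25, 80, 443 } accept
        ip saddr $admin_ip tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Load the generated ruleset atomically with nft (requires root).
apply_ruleset() {
    gen_ruleset "$1" | nft -f -
}

# Example invocation: replace the placeholder with your real static IP.
# gen_ruleset 203.0.113.10          # review the rules first
# apply_ruleset 203.0.113.10        # then load them as root
```

The forward chain is dropped unconditionally because this host is not routing for an internal network, which is exactly the case alain_tesio describes; before loading it, confirm with `ss -tlnp` that nothing other than the listed services is listening.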
The only reason for not having a webserver running on the same system as your mail server is the "putting all your eggs in one basket" idea. If you are compromised through a flaw in one, it exposes everything else on the system as well. The key is to have good firewalling, select secure daemon packages, and to configure all of them properly.

My recommendations are as follows:

For the firewall, start with homeLANsecurity script.  It is easily configurable and very powerful.  You can find this at:

http://www.unixpages.com/hls

Apache is the standard for webservers. I would still recommend using the 1.3.x versions rather than 2.x. Last I looked, they were still not recommending 2.x for production environments, due to security concerns.

For your e-mail server, I'd recommend Qmail. It is by far the most secure of mail servers amongst its very insecure peers. A good website that describes all aspects of installation and configuration of Qmail is:

http://www.qmailrocks.com

I hope this helps.
mburdick commented:
It's a 50-point question. Since there were many people posting, and all said about the same thing, why not just PAQ it and forget the points...
alain_tesio commented:
Who cares about the points here? When people still write while the submitter doesn't bother to reply, it turns into a discussion forum.