Solved

Firewall on the same Linux machine as mail/web server

Posted on 2004-04-12
Last Modified: 2010-04-22
I need to have a mail server and a web server on a Linux OS. I also need to install a firewall.
Why do many experts suggest not having the firewall and the web/mail servers on the same physical machine? Why do they suggest having a separate machine devoted only to the firewall?
If I install both web/mail services and the firewall on the same machine, what kind of risk do I have to face?
Thanks
Question by:huhuxx
10 Comments
 
LVL 9

Accepted Solution

by:
Alf666 earned 25 total points
ID: 10804524
The reason people recommend that is that the firewall should not have any service enabled. It should only be a router which "tunnels" packets.

The risk of having any service run on the firewall host is that, if any of these applications is "corruptible" (i.e. has any security bug), then your whole security is possibly compromised.

Take the example of a web server.

1) You use Apache
This is good. It's supposedly bug free.

2) Do you have the knowledge to configure it properly, avoiding any known traps, specific CGI apps, etc.?

3) Your webmaster will add content to this site. Does he have the knowledge to avoid adding security traps ?

...etc.

If you know exactly what you're doing, then the risk is "limited". But keep in mind that there is no risk free system. It's just a matter of the value of what you want to protect vs. the investment.

 
LVL 3

Assisted Solution

by:rfr1tz
rfr1tz earned 25 total points
ID: 10806294
The firewall can have all other apps turned off. But since it allows ports 80/443 through, your web server is still in danger - this can't be helped.

If you took the firewall and turned on JUST the web server, the security would be equal to a web server behind a separate firewall. The problem is if you want to do other things on the web server box besides just firewall and web server. Maybe, use X-windows for example. Then you introduce more vulnerabilities.

Also, you might have a performance problem.
 
LVL 12

Expert Comment

by:mburdick
ID: 10819828
A firewall must maintain the highest level of security. Web servers trust anyone to connect.

Seems like an oxymoron to me... And that's part of the basic premise. A service that doesn't maintain the highest level of security can potentially be compromised through a flaw in the daemon. If that flaw is exploited in the right manner, full access to the host could be gained. That's pretty much the exact opposite of what you need from your firewall. Hence the Best Practice to deploy these services on different pieces of hardware.
 
LVL 1

Expert Comment

by:ipuschner
ID: 10821729
IMHO a firewall on the server is like letting the enemy army into your fortress and trying to hold them back there: they are already inside, so the damage they CAN do is much higher than if you let them stay outside. Of course this isn't necessarily a threat, but the risk of a process being hijacked is higher.
 
LVL 2

Expert Comment

by:alain_tesio
ID: 10859921
For companies having several machines, the real point of a firewall is to prevent an intruder who breaks a machine with public services from cracking into the private area, which should not be visible to the internet.

If your primary need is just to have a standalone mail and web server, not connected to an internal network, there is no obvious reason why you would need packet filtering.

Once you have removed any service which shouldn't be available to the internet, would a firewall do more than block accesses to ports which are already open?

A reason to use filtering, for example, may be to filter the ssh port if you are systematically logging in from the same static IP, but a firewall is not systematically needed.

Any useless goodie you add like packet filtering or NIDS can add security holes itself.
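A worked example, added here and not part of any comment in the thread, of the two steps the comment above implies for a standalone web/mail host: first list what the box actually exposes to the network, then filter only what is left, with ssh restricted to one static address. It assumes iproute2 `ss` output and nftables; the admin address 203.0.113.10, the allowed-port list and the sample socket listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes `ss` (iproute2) and
# nftables. ADMIN_IP, ALLOWED_PORTS and SAMPLE_SS are constructed inputs.

# Ports this host is meant to expose: ssh, smtp, http, https.
ALLOWED_PORTS="22 25 80 443"
# Static address the administrator always logs in from (assumption).
ADMIN_IP="203.0.113.10"

# Constructed sample in the shape of `ss -H -tlnp` (listening TCP, no header).
# A real run would use: ss -H -tlnp
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=702,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=702,fd=6))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("qmail-smtpd",pid=733,fd=3))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=801,fd=10))
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:* users:(("Xorg",pid=900,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=611,fd=4))'

# audit_listeners LISTING PORTS
# Prints "PORT PROCESS" for every socket bound to a wildcard address
# (0.0.0.0 or [::]) whose port is not in PORTS. Sockets bound to
# loopback only are skipped: they are not reachable from the network.
audit_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port, proc }
        }'
}

# gen_ruleset ADMIN_IP
# Emits an nftables ruleset for a standalone host: default-drop input,
# loopback and established traffic allowed, the public services open to
# everyone, ssh only from ADMIN_IP, and no forwarding at all (this box is
# not a router). It prints rather than applies; review the output, then
# load it as root with: gen_ruleset 203.0.113.10 > host.nft && nft -f host.nft
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 10/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        tcp dport { 25, 80, 443 } accept
        ip saddr $1 tcp dport 22 accept
        tcp dport 22 log prefix "ssh-denied: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Stand-alone run: report anything exposed that is not on the list, then
# show the ruleset that would be applied.
echo "Unexpected network-reachable listeners (port process):"
audit_listeners "$SAMPLE_SS" "$ALLOWED_PORTS"
echo
gen_ruleset "$ADMIN_IP"
```

On the constructed sample the audit flags only port 6000 (the X server, the kind of "other thing" the thread warns about); the loopback-only MySQL socket is correctly ignored, since the point is what is reachable from outside, not what is running. The ruleset deliberately has no forward chain rules: on a host that is also a server there is nothing to route, and leaving the forward policy at drop keeps the box from quietly becoming a gateway.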
 
LVL 2

Expert Comment

by:garak1357
ID: 11985784
The only reason for not having a webserver running on the same system as your mail server is the "putting all your eggs in one basket" idea.  If you are compromised through a flaw in one, it exposes everything else on the system as well.  The key is to have good firewalling, select secure daemon packages, and configure all of them properly.

My recommendations are as follows:

For the firewall, start with homeLANsecurity script.  It is easily configurable and very powerful.  You can find this at:

http://www.unixpages.com/hls

Apache is the standard for webservers.  I would still recommend using the 1.3.x versions rather than 2.x.  Last I looked, they were still not recommending 2.x for production environments, due to security concerns.

For your e-mail server, I'd recommend Qmail.  It is by far the most secure of mail servers amongst its very insecure peers.  A good website that describes all aspects of installation and configuration of Qmail is:

http://www.qmailrocks.com

I hope this helps.
 
LVL 12

Expert Comment

by:mburdick
ID: 12371620
It's a 50-point question. Since there were many people posting, and all said about the same thing, why not just PAQ it and forget the points...
 
LVL 2

Expert Comment

by:alain_tesio
ID: 12372933
Who cares about the points here? When people still write even though the submitter doesn't bother to reply, it turns into a discussion forum.