
Firewall on the same Linux machine as mail/web server

huhuxx asked (336 views, last modified: 2010-04-22):
I need to have a mail server and a web server on a Linux OS. I also need to install a firewall.
Why do many experts suggest not having the firewall and the web/mail servers on the same physical machine? Why do they suggest having a separate machine devoted only to the firewall?
If I install both the web/mail services and the firewall on the same machine, what kind of risk do I have to face?
Thanks
Mark, Lead Sales Engineer - Public Sector (Certified Expert), commented:
A firewall must maintain the highest level of security. Web servers trust anyone to connect.

Seems like an oxymoron to me... And that's part of the basic premise. A service that doesn't maintain the highest level of security can potentially be compromised through a flaw in the daemon. If that flaw is exploited in the right manner, full access to the host could be gained. That's pretty much the exact opposite of what you need from your firewall. Hence the best practice to deploy these services on different pieces of hardware.
IMHO a firewall on the server is like letting the enemy army into your fortress and trying to hold them back there: they are already inside, so the damage they CAN do is much higher than if you let them stay outside. Of course this isn't a necessary threat, but the risk of a process being hijacked is higher.
For companies having several machines, the real point of a firewall is to prevent an intruder who breaks a machine with public services to crack into the private area which should not be visible to the internet.

If your primary need is just to have a standalone mail and web server, not connected to an internal network, there is no obvious reason why you would need packet filtering.

Once you have removed any service which shouldn't be available to the internet, would a firewall do more than block accesses to ports which are already open?

A reason to use filtering, for example, may be to filter the ssh port if you are systematically logging in from the same static IP, but a firewall is not systematically needed.

Any useless goodie you add like packet filtering or NIDS can add security holes themselves.
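As an added illustration of the selective filtering the comment above mentions (this is not code from any of the posters or from the homeLANsecurity script), the script below generates a minimal iptables-restore ruleset for a standalone web/mail host: the INPUT policy is DROP, only SMTP/HTTP/HTTPS are reachable from anywhere, and ssh is reachable only from one administrative static IP. The address 203.0.113.10 is a placeholder; the check function flags a ruleset that leaves ssh open to every source.

```shell
#!/bin/sh
# Added example (not from the thread): build a host-based iptables ruleset
# for a standalone web+mail server and sanity-check it before applying.

# gen_rules ADMIN_IP
# Prints an iptables-restore ruleset on stdout. ADMIN_IP is the single
# static address that is allowed to reach ssh (placeholder in the usage below).
gen_rules() {
    admin_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public services: SMTP, HTTP, HTTPS (everything the internet may use)
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# management: ssh only from the administrative static address
-A INPUT -p tcp -s ${admin_ip} --dport 22 -j ACCEPT
# rate-limited log of whatever else arrives; the DROP policy discards it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# check_ruleset RULESET_TEXT
# Returns 0 if the ruleset keeps a DROP default policy and does not expose
# ssh to arbitrary sources; returns 1 (with a message on stderr) otherwise.
check_ruleset() {
    rules="$1"
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo "check: INPUT policy is not DROP" >&2
        return 1
    fi
    # an ssh ACCEPT rule without a -s source restriction means "open to all"
    if printf '%s\n' "$rules" | grep -Eq -- '^-A INPUT -p tcp --dport 22 -j ACCEPT$'; then
        echo "check: ssh (tcp/22) is reachable from any address" >&2
        return 1
    fi
    return 0
}

# Usage (as root, after reviewing the output):
#   ./fw.sh 203.0.113.10 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
if [ "$#" -eq 1 ]; then
    gen_rules "$1"
fi
```

The generated file is plain text, so it can be kept under version control and reviewed line by line before `iptables-restore` loads it, which is the point of preferring a small, readable ruleset over a large generic script on a host that also runs public daemons.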
The only reason for not having a webserver running on the same system as your mail server is the "putting all your eggs in one basket" idea.  If you are compromised through a flaw in one, it exposes everything else on the system as well.  The key is to have good firewalling, select secure daemon packages, and to configure all of them properly.

My recommendations are as follows:

For the firewall, start with homeLANsecurity script.  It is easily configurable and very powerful.  You can find this at:

http://www.unixpages.com/hls

Apache is the standard for webservers.  I would still recommend using the 1.3.x versions rather than 2.x.  Last I looked, they were still not recommending 2.x for production environments, due to security concerns.

For your e-mail server, I'd recommend Qmail.  It is by far the most secure of mail servers amongst its very insecure peers.  A good website that describes all aspects of installation and configuration of Qmail is:

http://www.qmailrocks.com

I hope this helps.
Mark, Lead Sales Engineer - Public Sector (Certified Expert), commented:
It's a 50-point question. Since there were many people posting, and all said about the same thing, why not just PAQ it and forget the points...
Who cares about the points here? When people still write when the submitter doesn't bother to reply, it turns into a discussion forum.