
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 333

Firewall vs No Firewall

I hope someone can clear this up for me. Some colleagues and I have been discussing the need for a firewall on an external server (the firewall would run on this same server) hosting a few domains running DNS/FTP/Web etc. I think we do; one colleague says that if the server is up to date and configured properly a firewall is not needed. For example, he says if we are running mail or web, a firewall won't help against attacks targeted at these services. Usually I use iptables to deny everything and open only what is needed; he suggests this is overhead and not necessary. Is this correct or the done thing?

Cee
6 Solutions
Hi ceeweb,

Security exploits are found every once in a while.
Do you want to wait until a patch comes out, or do you want to actively protect yourself so you might not even have to wait for the patch and still stay protected?
Although a firewall can't protect you from exploits on open ports, you'll have a lot fewer open ports to exploit.

To protect yourself from exploids targeted at one of the open ports, a firewall won't help you, but an intrusion detection system will as it'll investigate traffic even if it passes the firewall.

>>Usually I use iptables to deny everything and open only what is needed, he suggests this is overhead and not necessary.<<
In this case you're the one doing it right, lock it down as far as you can, then open up what is needed.

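The "deny everything, then open only what is needed" approach that the question describes and that LucF endorses above, written out as an added example (not code posted in this thread). It renders a default-deny iptables ruleset in iptables-restore format for a single server hosting DNS, FTP and web; the service list is constructed for illustration and should be replaced with the ports the host's daemons actually listen on.

```shell
#!/bin/sh
# Added example, not code from the thread: render a default-deny iptables
# ruleset (iptables-restore format) for a single server that hosts DNS, FTP
# and web, as the question describes. The SERVICES list is constructed for
# illustration; adjust it to the daemons actually listening on the host.
# Apply on the host as root with:  render_ruleset "$SERVICES" | iptables-restore

# Validate one "proto/port" entry; fails on anything that is not tcp or udp
# with a port in 1..65535, so a typo cannot silently open or skip a service.
valid_service() {
    proto=${1%/*}
    port=${1#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the complete ruleset for a space-separated list of proto/port entries.
render_ruleset() {
    services=$1
    for svc in $services; do
        valid_service "$svc" || { echo "bad service entry: $svc" >&2; return 1; }
    done
    # Default policy: drop everything inbound and forwarded; the host itself
    # may still initiate outbound connections (OUTPUT stays ACCEPT).
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # One explicit ACCEPT per published service; nothing else gets through.
    for svc in $services; do
        printf '%s\n' "-A INPUT -p ${svc%/*} -m conntrack --ctstate NEW --dport ${svc#*/} -j ACCEPT"
    done
    # Rate-limited log of what the default policy is about to drop, so the
    # firewall also acts as a cheap sensor for scans and misconfiguration.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "' \
        'COMMIT'
}

# Constructed service list: SSH, DNS (udp+tcp), FTP control, HTTP, HTTPS.
SERVICES="tcp/22 udp/53 tcp/53 tcp/21 tcp/80 tcp/443"
render_ruleset "$SERVICES"
```

The ESTABLISHED,RELATED rule sits first so that, once a connection is accepted, its packets match on the first rule and the per-service rules are only evaluated for new connections; this is why the "overhead" objection from the question carries little weight in practice. Two caveats for this server: passive-mode FTP data connections are only covered by the RELATED rule if the nf_conntrack_ftp helper is loaded (otherwise the daemon's passive port range has to be opened explicitly), and the ruleset should be applied from a console or with a scheduled rollback, since a mistake in SERVICES locks out remote SSH.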

Steve McCarthy (MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) commented:
To protect or not to protect? You could also say: if you are healthy, why get a flu shot?

A firewall is just another layer of protection. As LucF said, you'll have a lot fewer ports to exploit. Let's look at it more in depth though. There are good and bad firewalls. Even a bad one will usually block the most exploited ports. The good ones do more, protecting more.

If your firewall does application-layer inspection in addition to the deep packet inspection most use nowadays, that attack on port 25 of your mail server or port 80 of your web server may be stopped at the firewall if the packets don't fall within the norm for those types of packets. Some attacks hit the ports they are targeted at, but only an application-level inspection will reveal that the packet is not sized correctly or there is some other abnormality. Good firewalls can further reduce your exposure to these types of attacks.

Other good firewalls may have, say, a mail antivirus gateway or antispam engine, thus taking care of those types of threats before the data ever hits the server itself.

Further, good firewalls also prevent outgoing attacks. With an open system, your web server might be turned into an email spammer or an FTP server for porn. These types of firewalls can not only block the incoming connections and protect you there, but they can also block the outgoing. So, if that FTP or spam tries to "get out" and infect others or serve purposes you didn't design it for, that firewall can save your butt there. Not to mention, say you start spamming without your knowledge and then end up on some of the Internet blacklists. What a pain it is to get off of them.

Even if it only offered a minimum of protection and blocked one port, it is worth it when that one-port attack is the difference between a nice weekend at home and working 48 hours at the office to rebuild your server.

Security is a layered approach; you do not depend on any one component or layer to provide security.
A properly updated and configured system helps mitigate security breaches but does not guarantee security.
Having a firewall further reduces the likelihood of your site being compromised. The question is: can you afford not to get a firewall? How important is your site's data? Even when security is deployed correctly your site is still not 100% secure.
How much time and money will it cost to rebuild everything? How much time will it cost to track/trace if your site is compromised? These are the questions you need to ask yourself. Also, a properly patched/updated system has only fixed the problems/security flaws that we know about; what about the new security flaws not yet identified? You cannot patch those.
Security is implementing best security practices at all layers of your organization to help reduce the likelihood of a security violation, not to prevent it.  ;}


Good comments above. Your friend's opinion is not 100% correct, at least regarding the firewall. Even when you are allowing the known ports such as port 80, most of the high-end firewalls have the capability to check the application-layer data, so you can still stop the unwanted data here. More importantly, perimeter security is very important for web traffic or mail traffic. As harbor235 mentioned, we may not eliminate the risk, but the acceptance of it is important. If your data is worth a few thousand $, then there is no need to use a big firewall box with an investment of a few thousand $ and, for operations purposes, a few more $ every month. So at the end of the day it's up to the management and data owner to decide which method is really suitable.
With a patched system you can stop the known vulnerabilities; but what if some attacker is targeting your machine, or some DoS attack, or even some social engineering where the outsiders got the passwords and user ID and are then trying to steal some data from your machine?
Some firewalling technique comes in very handy here, whether it's iptables or some firewall box.
Rich Rumble (Security Samurai) commented:
To make the blanket statement that "...if we are running mail or web for eg, a firewall won't help attacks targeted at these services..." is poor judgement.
If I'm up to date, fully patched, running AV fully updated, and no other hardening is done, then with Windows servers the registry is open, and the C$, the Admin$ and the IPC$ are all open and ready to let someone in. A firewall is not going to stop an exploit, that is for certain. But it will effectively block services and ports that need not be visible to EVERYONE. Terminal Services, for example, is running by default on most Win2k and 2003 servers. The local Administrator account cannot be locked out, so everyone is free to connect to TS and try to guess the local admin password. After 3 failed attempts the session is disconnected, but the account is not locked out. Using a program like TsGrinder, the task is automated, so that guessing passwords for the local admin is carried out much faster than using the GUI of TS.
He also said "configured properly", so perhaps he means turning off TS and the remote registry service, and uninstalling NetBIOS and Client for M$ Windows Networks. That is good, but not great. A proper firewall is a much better solution, and allows your server interoperability with the LAN it's connected to; that way you can TS to it (internally), connect to the registry remotely, or administer it with the MMC from another machine on your LAN.
Hi ceeweb,
GREAT comments on this thread. Tell your friend to look at it this way. What is the value of the time you would spend traveling to the site, reloading a box, applying security patches, restoring data, and reapplying changes made since the last backup?

That value is directly related to the need for a firewall or another layer of protection beyond the server itself. If you're running a corporate website with sensitive data, add as much protection as you can: firewalls, and IDS if possible. If you're running a P2 hosting Jim-Bob's Redneck Blog at the local single-room "ISP" that doubles as the town post office, really ... who cares about a firewall.


ceeweb (Author) commented:
Thanks for all of your input. Good thread indeed =)
Glad to help :)

Steve McCarthy (MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) commented:
Good Luck!!
