Firewall vs No Firewall

Posted on 2005-03-04
Medium Priority
Last Modified: 2013-11-16
I hope someone can clear this up for me. Myself and some colleagues have been discussing the need for a firewall on an external server (the firewall would run on this same server) hosting a few domains running DNS/FTP/Web etc. I think we do, one colleague says that if the server is up to date and configured properly a firewall is not needed. For example he says if we are running mail or web for eg, a firewall won't help attacks targeted at these services. Usually I use iptables to deny everything and open only what is needed, he suggests this is overhead and not necessary. Is this correct or the done thing? Cee
Question by:ceeweb
LVL 32

Accepted Solution

LucF earned 400 total points
ID: 13457561
Hi ceeweb,

Security exploits are found every once in a while.
Do you want to wait till a patch comes out, or do you want to actively protect yourself so you might not even wait for the patch and still stay protected?
Although a firewall can't protect you from exploits on opened ports, you'll have a lot less open ports to exploit.

To protect yourself from exploits targeted at one of the open ports, a firewall won't help you, but an intrusion detection system will as it'll investigate traffic even if it passes the firewall.

>>Usually I use iptables to deny everything and open only what is needed, he suggests this is overhead and not necessary.<<
In this case you're the one doing it right, lock it down as far as you can, then open up what is needed.


LVL 16

Assisted Solution

samccarthy earned 320 total points
ID: 13459283
To Protect or not to Protect????  You can say too that if you are healthy, why get a flu shot?

A firewall is just another layer of protection. As LucF said, you'll have a lot less ports to exploit. Let's look at it more in depth though. There are good and bad firewalls. Even a bad one will usually block the most exploited ports. The good ones do more, protecting more.

If your firewall does Application layer inspection in addition to the Deep Packet inspection most use nowadays, that attack to Port 25 of your mail server or Port 80 of your web server may be stopped at the firewall if the packets don't fall within the norm for those types of packets. Some attacks hit the ports they are targeted at, but only an application level inspection will reveal that the packet is not sized correctly or there is some other abnormality. Good firewalls can further reduce your exposure to these types of attacks.

Other good firewalls may have, say, a Mail AntiVirus Gateway or AntiSpam engine, thus taking care of those types of threats before the data ever hits the server itself.

Further, good firewalls also prevent outgoing attacks. With an open system, your web server might be turned into an Email Spammer or FTP server for porn. These types of firewalls can not only block the incoming connections and protect you there, but they can also block the outgoing. So, if that FTP or Spam tries to "get out" and infect others or serve purposes you didn't design it for, that firewall can save your butt there. Not to mention, say if you start spamming without your knowledge and you then make it on some of the Internet Black Lists. What a pain it is to get off of them.

Even if it only offered a minimum of protection and blocked 1 port, it is worth it when that 1 port attack is the difference between a nice weekend at home and working 48 hours at the office to rebuild your server.
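
Added example, not part of any post in this thread: the deny-everything, open-only-what-is-needed iptables policy from the question, extended to the outbound blocking described in the answer above, written as a script that prints an `iptables-restore` ruleset. The port lists and the `postfix` account name are assumptions about the server.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it never touches the live firewall.
# Port lists and the "postfix" account are assumptions for the server in the question.
TCP_IN="21 25 53 80"      # FTP control, SMTP, DNS, HTTP offered to the Internet
UDP_IN="53"               # DNS queries
TCP_OUT="53 80 443"       # resolver lookups over TCP and package updates
MAIL_USER="postfix"       # the only account allowed to open outbound SMTP

emit_rules() {
    echo "*filter"
    # Default deny in every direction; everything below is an explicit exception.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Replies to permitted traffic, plus related ICMP errors.
    # FTP data channels only match RELATED if the nf_conntrack_ftp helper is set up.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Inbound: only the services this server is meant to offer.
    for p in $TCP_IN; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_IN; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Outbound: only what the server itself needs to initiate.
    for p in $TCP_OUT; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A OUTPUT -p udp --dport 53 -j ACCEPT"
    # Outbound SMTP only from the mail daemon's account, so a hijacked
    # web or FTP process cannot send mail directly.
    echo "-A OUTPUT -p tcp --dport 25 -m owner --uid-owner $MAIL_USER -j ACCEPT"
    # Anything else leaving the box is logged (rate limited), then hits the DROP policy.
    echo "-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix \"egress-drop: \""
    echo "COMMIT"
}

emit_rules
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it. The `egress-drop:` log lines are the early signal for the outbound abuse case: a server that suddenly tries to open connections it was never configured to make.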
LVL 32

Assisted Solution

harbor235 earned 320 total points
ID: 13459314
Security is a layered approach, you do not depend on any one component or layer to provide security.
A properly updated and configured system helps mitigate security breaches but does not guarantee security.
Having a firewall further reduces the likelihood of your site being compromised. The question is can you afford not to get a firewall. How important is your site's data? When security is deployed correctly your site is still not 100% secure.
How much time and money will it cost to rebuild everything? How much time will it cost to track/trace if your site is compromised? These are the questions you need to ask yourself. Also, a properly patched/updated system has only fixed problems/security flaws that we know about, how about the new security flaws not yet identified? You cannot patch those.
Security is implementing best security practices at all layers of your organization to help reduce the likelihood of a security violation, not to prevent it.  ;}

LVL 12

Assisted Solution

srikrishnak earned 320 total points
ID: 13464891
Good comments above... Your friend's opinion is not 100% correct... At least reg firewall... Even when you are allowing the known ports such as port 80, most of the high end firewalls have the capability to check the application layer data... so still you can stop the unwanted data here... More importantly perimeter security is very much important for web traffic or mail traffic... As harbor235 mentioned we may not eliminate the risk but the acceptance of it is important... If your data is worth a few thousand $ then no need to use a big box of firewall with investment of few thousand $ and for operations purposes few more $ every month... So end of the day it's up to the management n data owner to decide which method is really suitable...
With patched system you can stop the known vulnerabilities; but what if some attacker is targeted on ur machine or some dos attack... or even some social engg n the outsiders got the passwords n uid then trying to steal some data from ur machine...??
Some firewalling technique comes very handy here... whether it's IP tables or some firewall Box...
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 320 total points
ID: 13466917
To make the blanket statement that "..if we are running mail or web for eg, a firewall won't help attacks targeted at these service..." is poor judgement.
If I'm up2date, fully patched, running AV fully updated- and no other hardening is done- then with windows servers, the registry is open, the C$, the Admin$, the IPC$ are all open and ready to let someone in. A firewall is not going to stop an exploit- that is for certain. But it will effectively block services and ports that need not be visible to EVERYONE. TerminalService for example, is running by default on most win2k and 2003 server. The local Administrator account cannot be locked out, so everyone is free to connect to the TS, and try to guess the local admin pass. After 3 failed attempts the session is disconnected- but the account is not locked out. Using a program like TsGrinder, the task is automated, so that guessing passwords for the local admin are carried out much faster than using the GUI of TS.
He also said "configured properly" so perhaps he means turning off TS, and the remote registry service, and uninstalling NetBios and Client for M$ windows networks. That is good, but not great. A proper firewall is a much better solution, and allows your server interoperability with the lan it's connected to, that way you can TS to it (internally), and connect to the registry remotely, or administer it with the MMC from another machine on your lan.

Assisted Solution

skpruett earned 320 total points
ID: 13483017
Hi ceeweb,
GREAT comments on this thread. Tell your friend to look at it this way. What is the value of the time you would spend traveling to the site, reloading a box, applying security patches, restoring data, and reapplying changes made since the last backup?

That value is directly related to the need for a firewall or another layer of protection beyond the server itself. If you're running  a corporate website with sensitive data, add as much protection as you can, firewalls, and IDS if possible. If you're running a P2 hosting Jim-Bob's Redneck Blog at the local single room "ISP" that doubles as the town post office, really ... who cares about a firewall.



Author Comment

ID: 13483624
Thanks for all of your input. Good thread indeed =)
LVL 32

Expert Comment

ID: 13483853
Glad to help :)

LVL 16

Expert Comment

ID: 13485467
Good Luck!!
