Solved

Linux Firewall

Posted on 2013-05-15
392 Views
Last Modified: 2016-11-23
Hi,
I am setting up a new web server that I rent remotely. It will run Linux CentOS 64-bit.
Before I had a managed server with a managed Cisco pix firewall which was easy to use through their web interface.
Well, now I have 2 options, which are to use a Dell SonicWall 215 or choose some software firewall. I do not have much experience with software-based firewalls and wonder if I could solicit some advice from people who are experts in this area.

My questions are basically whether it is really worth the considerable additional monthly cost for a hardware firewall and whether there is a software firewall (preferably open source) that would do the same job reliably and securely. I do not have a complicated set-up, as there are only a handful of users allowed to FTP to the machine and basically 2 users who can log in using SSH and switch to root. Then of course the general public that visits websites and fetches/sends mail.

I will have a gigabit network but the Dell firewall is certified for 500 mbit; does this mean it will be an actual bottleneck? Also, does a software-based firewall have any performance issues?
What would be your recommendations? If the general opinion is that software firewalls are not secure and would open my door to attacks, then I would have to cough up the extra monthly money, but if there are software firewalls that are secure then of course I could save considerably.
If a software firewall, then are there any recommendations?

I'd like to mention that I have 12 public IP addresses that need to be managed and that it is a single-server set-up. I do not have the budget to add a second server dedicated to a firewall. It seems that most software firewalls do not support multiple public IPs?

Best wishes,
tom
Question by:Thomanji
6 Comments
 
LVL 29

Accepted Solution

by:
serialband earned 350 total points
ID: 39170423
The Dell hardware firewall will likely be a bottleneck if you're running on a 1 GBit network. I've seen hardware firewalls get overwhelmed and basically throttle the network when you try to go above capacity.

I've run several systems using the default software iptables firewall on Linux. It's robust enough to handle most of the work. It does handle multiple IPs. I'm currently running a dual-homed system on two physical interfaces. There's also ip6tables for IPv6 on both interfaces. I'm running Apache and two separate FTP servers and SSH and SFTP on separate ports. It's a multi-core multi-CPU unit and the main bottleneck is the disk. It really depends on how much traffic you expect.

Even with a hardware firewall in place, I would still enable iptables to block any traffic from rogue systems on the LAN, in case one of my other servers got compromised.

If you only have 2 users that need ssh, it would be prudent to change the ssh port to keep the script kiddie brute force attacks down. It will help keep the log files smaller.
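A minimal iptables policy for the setup the thread describes (one CentOS host with several public IPs, web and mail open to the public, FTP for a handful of users, SSH for two admins on a non-default port), written here as an added example; it is not taken from the original post or from serialband's system. Every address, the SSH port 2222 and the client networks are constructed placeholders from the RFC 5737 documentation ranges, and the `build_rules`, `rule_count`, `IPT` and `APPLY` names are this example's own.

```shell
#!/bin/sh
# Added example: default-deny iptables policy for a single multi-IP server.
# Set IPT=echo to print the rules instead of applying them; set APPLY=1 to
# run build_rules when the file is executed.
set -u
IPT="${IPT:-iptables}"

# Constructed values (RFC 5737 ranges); replace with the real ones.
PUBLIC_IPS="192.0.2.10 192.0.2.11 192.0.2.12"   # addresses that serve web and mail
SSH_PORT=2222                                    # non-default SSH port, as suggested above
SSH_ADMIN_NETS="203.0.113.0/24"                  # where the two admins connect from
FTP_USER_NETS="198.51.100.0/24"                  # where the FTP users connect from

build_rules() {
    # Clean slate: drop everything inbound unless a rule below allows it.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to flows the host already has are always fine.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Public services, bound per destination address so each public IP
    # only answers for the services it is meant to expose.
    for ip in $PUBLIC_IPS; do
        $IPT -A INPUT -d "$ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
        $IPT -A INPUT -d "$ip" -p tcp -m multiport --dports 25,587,993 -j ACCEPT
    done

    # SSH: throttle new connections per source (4th attempt within 60 s is
    # dropped), then allow only the admin networks. Keeps logs small too.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    for net in $SSH_ADMIN_NETS; do
        $IPT -A INPUT -s "$net" -p tcp --dport "$SSH_PORT" -j ACCEPT
    done

    # FTP control channel from known client networks only. The data channel
    # is matched by the RELATED rule above once nf_conntrack_ftp is loaded.
    for net in $FTP_USER_NETS; do
        $IPT -A INPUT -s "$net" -p tcp --dport 21 -j ACCEPT
    done

    # Log what the default policy is about to drop, rate-limited.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# Review helper: how many generated rules match a pattern (dry run via echo).
rule_count() {
    (IPT=echo; build_rules) | grep -c -- "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    build_rules
fi
```

`IPT=echo APPLY=1 sh fw.sh` prints the full rule list for review; `APPLY=1 sh fw.sh` as root applies it, after which `service iptables save` on CentOS makes it persistent. The same policy has to be repeated with `ip6tables` for IPv6, as serialband notes, and the `-m recent` pair throttles rather than replaces the port change: it limits each source to three new SSH connections per minute regardless of which port is chosen.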
 
LVL 20

Expert Comment

by:carlmd
ID: 39171348
Typically when using a software firewall it is installed on a separate system, and not the one you are seeking to protect. If you put it on the same system, and the firewall is compromised, then so is the application you are trying to protect.

Note that the TZ215 DOES have gigabit interfaces. Don't know how much you are expected to pay for the TZ215 usage, but you can buy one with one year of CSS subscription for about $930. Sonicwalls have a web based interface, and are fairly simple to manage.
 
LVL 29

Expert Comment

by:serialband
ID: 39172106
If you're going to put your software firewall on another system, you may as well buy the SonicWall hardware. It all depends on how much money versus how much extra security you need.

The software firewall is quite easy to set up and is robust enough for the majority of attacks, so you might as well enable it locally too. If you don't enable the software firewall, and the hardware firewall is compromised, your entire network is compromised. You really should have both. If you don't have the money, then you do the best you can with the software firewall and making sure you patch all the vulnerabilities that you can.

Author Comment

by:Thomanji
ID: 39173509
Thank you both for the comments. I would surely not go with the Dell firewall but I have no other option. This is the only firewall the ISP where I get the dedicated server from offers. I cannot have it locally because I live in Asia and most customers are in the USA, so I need to have it remotely. So buying one is unfortunately not an option. They charge $69 a month for this. It did also worry me that it has 500 mbit throughput and I have a 1GB uplink, so it is a bottleneck. This was also one reason for my thoughts of using a software firewall instead.
It's a hard decision since I do not want to compromise the system. I cannot afford 2 systems, so the choice is only software firewall or Dell SonicWall.
By the way, there is another option for this Dell firewall for $128 a month and the only difference is that it is Passive/Active. Any idea what this means, and is it worth paying double?
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 150 total points
ID: 39174212
Typically Passive/Active refers to a pair of firewalls where one is an HA backup to the other. That is probably what they are offering, since the price is double.

I would not recommend that you pay for that since this is a hosted service, and if "your" firewall was to die, they would be responsible to quickly replace it.

I would make sure that the Sonicwall being offered for that price includes at a minimum the subscriptions to GAV (Gateway AntiVirus), IP (Intrusion Protection), and Application Firewall.

I assume this Sonicwall would be dedicated to just you, for that price it should be, and you will be doing the administration. You will want access to do the admin so you can make changes and view logs as needed.
 

Author Closing Comment

by:Thomanji
ID: 39176524
Thank you both for giving me some advice. I decided to go with the hardware firewall but will setup a software firewall too.