Solved

Linux Firewall

Posted on 2013-05-15
388 Views
Last Modified: 2016-11-23
Hi,
I am setting up a new web server that I rent remotely. It will run Linux CentOS 64-bit.
Before, I had a managed server with a managed Cisco PIX firewall which was easy to use through their web interface.
Well, now I have 2 options, which are to use a Dell SonicWall 215 or to choose some software firewall. I do not have much experience with software-based firewalls and wonder if I could solicit some advice from people who are experts in this area.

My questions are basically whether it is really worth the considerable additional monthly cost for a hardware firewall, and whether there is a software firewall (preferably open source) that would do the same job reliably and securely. I do not have a complicated set-up, as there are only a handful of users allowed to FTP to the machine and basically 2 users who can log in using SSH and switch to root. Then of course the general public that visits websites and fetches/sends mail.

I will have a gigabit network but the Dell firewall is certified for 500 Mbit; does this mean it will be an actual bottleneck? Also, does a software-based firewall have any performance issues?
What would be your recommendations? If the general opinion is that software firewalls are not secure and would open my door to attacks, then I would have to cough up the extra monthly money, but if there are software firewalls that are secure then of course I could save considerably.
If a software firewall, then are there any recommendations?

I would like to mention that I have 12 public IP addresses that need to be managed and that it is a single-server set-up. I do not have the budget to add a second server dedicated to a firewall. It seems that most software firewalls do not support multiple public IPs?

Best wishes,
tom
Question by: Thomanji

6 Comments
Accepted Solution by: serialband (LVL 27, earned 350 total points)
ID: 39170423
The Dell hardware firewall will likely be a bottleneck if you're running on a 1 Gbit network. I've seen hardware firewalls get overwhelmed and basically throttle the network when you try to go above capacity.

I've run several systems using the default software iptables firewall on Linux. It's robust enough to handle most of the work. It does handle multiple IPs. I'm currently running a dual-homed system on two physical interfaces. There's also ip6tables for IPv6 on both interfaces. I'm running Apache and two separate FTP servers and SSH and SFTP on separate ports. It's a multi-core multi-CPU unit and the main bottleneck is the disk. It really depends on how much traffic you expect.

Even with a hardware firewall in place, I would still enable iptables to block any traffic from rogue systems on the LAN, in case one of my other servers got compromised.

If you only have 2 users that need SSH, it would be prudent to change the SSH port to keep the script kiddie brute-force attacks down. It will help keep the log files smaller.

Expert Comment by: carlmd (LVL 20)
ID: 39171348
Typically when using a software firewall it is installed on a separate system, and not the one you are seeking to protect. If you put it on the same system, and the firewall is compromised, then so is the application you are trying to protect.

Note that the TZ215 DOES have gigabit interfaces. Don't know how much you are expected to pay for the TZ215 usage, but you can buy one with one year of CSS subscription for about $930. SonicWalls have a web-based interface and are fairly simple to manage.

Expert Comment by: serialband (LVL 27)
ID: 39172106
If you're going to put your software firewall on another system, you may as well buy the SonicWall hardware. It all depends on how much money versus how much extra security you need.

The software firewall is quite easy to set up and is robust enough for the majority of attacks, so you might as well enable it locally too. If you don't enable the software firewall, and the hardware firewall is compromised, your entire network is compromised. You really should have both. If you don't have the money, then you do the best you can with the software firewall and make sure you patch all the vulnerabilities that you can.
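The accepted answer says iptables copes with several public IPs on one host and suggests moving SSH off port 22; the follow-up comment adds that the host firewall should stay on even behind the SonicWall. The script below is an added example (not code from any poster in this thread) that generates an iptables-restore ruleset matching the set-up described in the question: a handful of public addresses, web and mail open to everyone, FTP and SSH only from known sources, a default-deny INPUT policy, and an explicit drop of new connections from the hosting LAN. All addresses, the SSH port 2222 and the LAN range are constructed placeholders; the `--ctstate`/`conntrack` and `limit` matches are standard iptables modules.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for a
# single CentOS host that owns several public IPs. Review the output, then load
# it with iptables-restore (on CentOS it is normally kept in /etc/sysconfig/iptables).

# Constructed sample values (RFC 5737 documentation ranges); replace with real ones.
PUBLIC_IPS="203.0.113.10 203.0.113.11 203.0.113.12"   # the server's public addresses
ADMIN_SRC="198.51.100.5 198.51.100.6"                  # where the two SSH admins connect from
FTP_SRC="198.51.100.20"                                # source address of the FTP users
SSH_PORT=2222                                          # non-default SSH port, as the accepted answer suggests
LAN_NET="10.0.0.0/24"                                  # assumed hosting LAN shared with other tenants

# One ACCEPT per (destination IP, port) for a service open to the public.
public_service() {            # $1 = proto, $2 = dport
    for ip in $PUBLIC_IPS; do
        echo "-A INPUT -d $ip -p $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# ACCEPT only from listed source addresses, for admin-only services.
restricted_service() {        # $1 = proto, $2 = dport, $3 = allowed sources
    for src in $3; do
        echo "-A INPUT -s $src -p $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"          # default deny inbound
    echo ":FORWARD DROP [0:0]"        # this host does not route for anyone
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # New connections from other machines on the hosting LAN are dropped before
    # any service rule, so a compromised neighbour cannot reach us on the inside.
    echo "-A INPUT -s $LAN_NET -j DROP"
    public_service tcp 80
    public_service tcp 443
    public_service tcp 25
    public_service tcp 993
    restricted_service tcp 21 "$FTP_SRC"
    restricted_service tcp "$SSH_PORT" "$ADMIN_SRC"
    # Log what falls through, rate-limited so an attacker cannot flood the log.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "COMMIT"
}

# Number of ACCEPT rules for a port; a quick sanity check before loading.
count_accepts_for_port() {    # $1 = dport
    gen_rules | grep -c -- "--dport $1 .*-j ACCEPT" || true
}

gen_rules
```

Port 22 gets no ACCEPT at all, so a scanner hitting the default port meets the DROP policy; the restricted rules for 2222 and 21 carry the admin and FTP sources, and every public service is repeated once per public address, which is how the single host answers on all of its IPs. Remember that FTP's data connections need the `nf_conntrack_ftp` helper loaded for the RELATED rule to cover them.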
Author Comment by: Thomanji
ID: 39173509
Thank you both for the comments. I would surely not go with the Dell firewall, but I have no other option. This is the only firewall the ISP where I get the dedicated server from offers. I cannot have it locally because I live in Asia and most customers are in the USA, so I need to have it remotely. So buying one is unfortunately not an option. They charge $69 a month for this. It did also worry me that it has 500 Mbit throughput and I have a 1 Gbit uplink. So it is a bottleneck. This was also one reason for my thoughts of using a software firewall instead.
It's a hard decision since I do not want to compromise the system. I cannot afford 2 systems, so the choice is only software firewall or Dell SonicWall.
By the way, there is another option for this Dell firewall for $128 a month and the only difference is that it is Passive/Active. Any idea what this means, and is it worth paying double?
Assisted Solution by: carlmd (LVL 20, earned 150 total points)
ID: 39174212
Typically Passive/Active refers to a pair of firewalls where one is an HA backup to the other. That is probably what they are offering, since the price is double.

I would not recommend that you pay for that since this is a hosted service, and if "your" firewall was to die, they would be responsible to quickly replace it.

I would make sure that the SonicWall being offered for that price includes, at a minimum, the subscriptions to GAV (Gateway AntiVirus), IP (Intrusion Protection), and Application Firewall.

I assume this SonicWall would be dedicated to just you (for that price it should be) and that you will be doing the administration. You will want admin access so you can make changes and view logs as needed.

Author Closing Comment by: Thomanji
ID: 39176524
Thank you both for giving me some advice. I decided to go with the hardware firewall but will set up a software firewall too.