Securing Gateway Server

Dung Do
To allow internet access to the internet I configured a gateway server on my small network of around 30 VMs. The gateway works well but I just want to make sure that this gateway server is as secure as possible since this gateway server is the only server in my network that has direct access to the internet. What security measures should I configure on this gateway server? Should I install a firewall? If so, how do I configure this firewall?
Software Engineer
Distinguished Expert 2018
There is a firewall in the Linux kernel; the tooling to configure it is called iptables.
Fat chance it has already been installed.

Configure this firewall by blocking everything you don't explicitly need for access to your gateway.
iptables uses several TABLES; the most important are filter and nat.
Inside these tables you can configure CHAINS: for nat (PREROUTING, FORWARD, POSTROUTING), for filter (INPUT, OUTPUT, FORWARD).
The name indicates when a chain is executed w.r.t. how the packet will be handled next.

The INPUT filter chain is for access to the GATEWAY itself (port 22 ssh, possibly others...).
The OUTPUT filter chain is strictly for packets sent from the gateway.
The FORWARD filter chain is for packets passing through (defining access to your VMs on the local network).

The PREROUTING nat chain is for changing the destination address (DNAT), e.g. external IP -> internal IP.
The POSTROUTING nat chain is for changing the source address (SNAT, MASQUERADE), internal IP -> external IP.
btan, Exec Consultant
Distinguished Expert 2018

As the gateway, there are a couple of scenarios to consider, since it is tasked to be the security egress and ingress to the internet:

- Web exchanges: allow only HTTPS or TLS traffic; this requires you to filter based on port and service.

- Domain name services: allow secure DNS discovery, not an open relay exposed for others to query.

- Reverse proxy: normally to block malicious web attacks as well as to check remote services like RDP, so there is a need for content inspection. For HTTPS, SSL decryption is needed before inspection. It would be using a WAF and doing ICAP for AV scanning.

- Forward proxy: mainly for data leakage checks and detecting unknown callbacks from internal hosts. Malicious or suspicious URLs should trigger blocks, so a content filter is likely required. There can be strict policy rules against visiting certain sites too.

- Remote access: for remote connections, which is mainly IPsec VPN or remote users having SSL VPN to access intranet services.

A quick sum-up seems to suggest that a perimeter with a gateway covering the above is sufficient, since the internet use case is a lot. You may want to create a DMZ, expose only the necessary services for public access, and keep the remaining ones, like databases, behind in the intranet.

Cloud DDoS and WAF services are worth considering, like Cloudflare and Akamai. There are managed services too, using cloud-native services like AWS WAF etc.

Ultimately, even layered defence will still require hardening to be done and closing all unnecessary ports and services. And consider doing vulnerability scanning from external and internal to surface any inadvertent settings done wrong...
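As an added example, not code from either of the answers above: a small sh script that turns the chain layout from the first answer (INPUT for the gateway itself, FORWARD for the VMs' traffic, nat POSTROUTING for masquerading, nat PREROUTING for DNAT) into a default-deny ruleset, and applies btan's "allow only HTTPS" egress point as FORWARD rules. The interface names, the VM subnet, the admin subnet and the resolver address are assumptions set at the top (the resolver uses a documentation-range placeholder address). The script prints the iptables commands rather than applying them, so the ruleset can be reviewed first; `sh gateway.sh show` prints it and `sh gateway.sh apply` (as root) applies it.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a two-interface Linux gateway.
# Every value below is an assumption for illustration; adjust to your network.
WAN_IF=${WAN_IF:-eth0}                 # interface facing the internet (assumed)
LAN_IF=${LAN_IF:-eth1}                 # interface facing the VMs (assumed)
LAN_NET=${LAN_NET:-10.0.0.0/24}        # VM subnet (assumed)
ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}    # hosts allowed to ssh to the gateway (assumed)
DNS_SERVER=${DNS_SERVER:-192.0.2.53}   # external resolver the VMs may query (placeholder)
IPT=${IPT:-iptables}

# Emit the base ruleset. Nothing is applied here; pipe the output to sh as root.
gateway_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPT -F
$IPT -t nat -F
# filter table: default deny for traffic to and through the gateway
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# INPUT chain: access to the gateway itself (ssh from the admin subnet only)
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# FORWARD chain: what the VMs may reach on the internet (HTTPS and DNS only)
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT
# nat POSTROUTING: rewrite the VMs' source address on the way out (SNAT)
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Emit the nat PREROUTING (DNAT) rule that publishes one internal service, plus
# the FORWARD rule that lets the redirected connection through; with the
# default-deny FORWARD policy above it would otherwise be dropped.
publish_service() {
  host=$1
  port=$2
  cat <<EOF
$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $host:$port
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

case "${1:-}" in
  show)  gateway_rules ;;
  apply) gateway_rules | sh ;;   # needs root
esac
```

The OUTPUT policy stays ACCEPT because the gateway itself needs to fetch updates and resolve names; the two chains that matter for exposure, INPUT and FORWARD, default to DROP, and every ACCEPT on FORWARD names both interfaces and the source subnet so a packet arriving on the WAN side can never match an egress rule. Adding `publish_service 10.0.0.10 443` to the output is the only way a new inbound path appears, which keeps the published surface easy to audit.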
Ramasamy Panchavarnam, Senior Technical Architect

If you are looking only for a safer internet gateway, better use AWS NAT Gateway. It is an AWS-managed service and you don't need to worry about the scalability of the internet pipe.
Scott Silva, Network Administrator

I would probably use one of the Linux gateway/router distros out there... Easy to configure, and usually pretty safe...
