Scenario / Questions
My hosting company says IPTables is useless and doesn’t provide any protection. Is this a lie?
I have two co-located servers. Yesterday my DC company contacted me to tell me that because I’m using a software firewall my server is “Vulnerable to multiple, critical security threats” and my current solution offers “No protection from any form of attack”.
They say I need to get a dedicated Cisco firewall ($1000 installation then $200/month each) to protect my servers. I was always under the impression that, while hardware firewalls are more secure, something like IPTables on RedHat offered enough protection for your average server.
Both servers are just web-servers, there’s nothing critically important on them but I’ve used IPTables to lock down SSH to just my static IP address and block everything except the basic ports (HTTP(S), FTP and a few other standard services).
I’m not going to get the firewall; if either of the servers were hacked it would be an inconvenience, but all they run is a few WordPress and Joomla sites, so I definitely don’t think it’s worth the money.
Solutions / Suggestions
Hardware firewalls are running software too; the only real difference is that the device is purpose built and dedicated to the task. Software firewalls on servers can be just as secure as hardware firewalls when properly configured (note that hardware firewalls are generally ‘easier’ to get to that level, and software firewalls are ‘easier’ to screw up).
If you’re running outdated software, there’s likely a known vulnerability. While your server might be susceptible to this attack vector, stating that it is unprotected is inflammatory, misleading, or a bald-faced lie (depends on what exactly they said and how they meant it). You should update the software and patch any known vulnerabilities regardless of the probability of exploitation.
Stating that IPTables is ineffective is misleading at best. Though again, if the one rule is allow everything from all to all then yeah, it wouldn’t be doing anything at all.
Side Note: all my personal servers are FreeBSD powered and use only IPFW (built-in software firewall). I have never had a problem with this setup; I also follow the security announcements and have never seen any issues with this firewall software.
At work we have security in layers; the edge firewall filters out all the obvious crap (hardware firewall); internal firewalls filter traffic down for the individual servers or location on the network (mix of mostly software and hardware firewalls).
For complex networks of any kind, security in layers is most appropriate. For simple servers like yours there may be some benefit in having a separate hardware firewall, but fairly little.
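As an added example (not code from the question or from this answer), here is the host ruleset the question describes, emitted in iptables-save format, which is what the iptables service on a RHEL-family box loads from /etc/sysconfig/iptables, together with a small audit that flags the “allow everything from all to all” case this answer mentions, where the firewall is doing nothing at all. The admin address 203.0.113.10 is a placeholder (an RFC 5737 documentation address), and the weak ruleset used to exercise the audit is constructed here for illustration.

```shell
#!/bin/sh
# Added example: default-deny host firewall for a web server plus an audit
# for rulesets that cannot block anything. ADMIN_IP is a placeholder.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Emit the ruleset: INPUT policy DROP, so only what is listed gets in.
# Loopback, replies to our own connections, the ICMP types that path MTU
# discovery needs, SSH from one address, HTTP/HTTPS from anywhere.
# Anything else is logged (rate-limited) and then dropped by the policy.
gen_ruleset() {
    admin="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -s ${admin} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# Constructed "firewall that does nothing": policy ACCEPT and one rule
# accepting everything. This is the configuration the answer warns about.
weak_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin. Prints one finding per line
# and exits 1 if the INPUT chain cannot be filtering: an unconditional
# "-A INPUT -j ACCEPT" (every rule after it is dead), or a policy of ACCEPT
# whose last rule is not an unconditional DROP/REJECT.
audit_ruleset() {
    awk '
        /^:INPUT ACCEPT/ { policy_accept = 1 }
        /^-A INPUT / {
            last_terminal = ($0 ~ /^-A INPUT -j (DROP|REJECT)/)
            if ($0 ~ /^-A INPUT -j ACCEPT$/) {
                bad = 1
                print "INPUT: unconditional ACCEPT rule; later rules never match"
            }
        }
        END {
            if (policy_accept && !last_terminal) {
                bad = 1
                print "INPUT: policy ACCEPT and no final DROP/REJECT; firewall is a no-op"
            }
            exit (bad ? 1 : 0)
        }'
}

# Usage:  ADMIN_IP=198.51.100.7 sh fw.sh print > /etc/sysconfig/iptables
#         iptables-restore --test < /etc/sysconfig/iptables   # parse check only
#         iptables-save | sh fw.sh audit                       # check the live rules
case "${1:-}" in
    print) gen_ruleset "$ADMIN_IP" ;;
    audit) audit_ruleset ;;
esac
```

Review the generated file before loading it: with an INPUT policy of DROP, a typo in the admin address locks you out of SSH, so keep a console or out-of-band session open the first time you apply it.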
Running a firewall on the protected server itself is less secure than using a separate firewall machine. It does not have to be a “hardware” firewall. Another Linux server set as a router with IPTables would work fine.
The security problem with firewalls on the protected server is that the machine may be attacked through its running services. If the attacker can get root level access, the firewall can be modified or disabled or bypassed through a kernel root-kit.
A separate firewall machine should have no services running except for SSH access and that SSH access should be limited to administration IP ranges. It should be relatively invulnerable to attack, barring bugs in the IPTables implementation or TCP stack, of course.
The firewall machine can block and log network traffic that shouldn’t exist, giving you valuable early warning of cracked systems.
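As an added example (not this answer's own code), this is the ruleset such a separate Linux firewall/router would carry: its own INPUT chain accepts only SSH from the administration range, the FORWARD chain admits only web traffic to the servers, and outbound connections from the servers are limited to what a web server needs (DNS, NTP, HTTP/HTTPS for updates), so an exploited WordPress install that tries to open IRC or send mail is logged and dropped rather than going unnoticed. The interface names eth0/eth1, the server subnet 192.0.2.0/29 and the admin range 203.0.113.0/28 are placeholders (RFC 5737 ranges); the servers are assumed to sit on a routed subnet behind the box.

```shell
#!/bin/sh
# Added example: ruleset for a dedicated Linux firewall that routes for
# the web servers. All names and addresses below are placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_NET="${WEB_NET:-192.0.2.0/29}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/28}"

# Emit the ruleset. The box itself answers nothing but SSH from the admin
# range; everything else it sees for itself is logged and dropped.
# FORWARD: web ports in, SSH in from admins, and a short allow-list out.
gen_router_ruleset() {
    wan="$1"; lan="$2"; webnet="$3"; admin="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB_OUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${admin} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "FW-SELF-DROP: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${wan} -o ${lan} -d ${webnet} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${wan} -o ${lan} -d ${webnet} -p tcp -s ${admin} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -s ${webnet} -j WEB_OUT
-A WEB_OUT -p udp --dport 53 -j ACCEPT
-A WEB_OUT -p udp --dport 123 -j ACCEPT
-A WEB_OUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A WEB_OUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "WEB-OUT-DROP: "
-A WEB_OUT -j DROP
COMMIT
EOF
}

# Usage, as root on the firewall box:
#   sysctl -w net.ipv4.ip_forward=1          # and persist it in /etc/sysctl.conf
#   sh router-fw.sh print > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
case "${1:-}" in
    print) gen_router_ruleset "$WAN_IF" "$LAN_IF" "$WEB_NET" "$ADMIN_NET" ;;
esac
```

The WEB_OUT chain is where the early warning comes from: grep the kernel log for WEB-OUT-DROP and a web server that suddenly wants port 6667 or 25 stands out immediately, which a firewall running on the compromised host itself could never report reliably.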
If your traffic is low, try a small Cisco ASA unit like the 5505. It’s in the $500-$700 range and definitely purpose-built. The co-lo is sorta giving you BS, but their rates for the firewall are also unreasonable.
I think it also depends on performance. What a software/server based firewall does using CPU cycles, a hardware firewall can do with purpose built chips (ASICs) which leads to better performance and throughput.
From your perspective the real difference between “software” (on the machine itself) and “hardware” firewalls is that in the first case the traffic is already at the machine you want to protect, so it’s potentially more vulnerable if something has been overlooked or misconfigured.
A hardware firewall essentially acts as a pre-filter, which only allows specific traffic to reach and/or exit your server.
Given your use case, and assuming of course that you have proper backups, the extra expense would be very hard to justify. Personally I’d continue with what you have, although perhaps using a different hosting company.
Late to the game on this one. Yes, the service provider has no idea what they are talking about. If you are a competent IPTABLES administrator, I would say that you are more secure than an out-of-the-box hardware firewall. The reason is that when I have used them, the nice gee-whiz interface does not reflect the actual configuration of what traffic is allowed through. The vendors try to dumb it down for us dumb people. I want to know about every possibility of every packet going in and out.
IPTABLES is not for everyone, but if you are serious about security, you want to be as close to the wire as possible. Securing a system is easy – reverse engineering a blackbox firewall is not.