Why should I firewall servers?

Advantages of firewall:

  1. You can filter outbound traffic.
  2. Layer 7 firewalls (IPS) can protect against known application vulnerabilities.
  3. You can block a certain IP address range and/or port centrally rather than trying to ensure that there is no service listening on that port on each individual machine or denying access using TCP Wrappers.
  4. Firewalls can help if you have to deal with less security aware users/administrators as they would provide second line of defence. Without them one has to be absolutely sure that hosts are secure, which requires good security understanding from all administrators.
  5. Firewall logs would provide central logs and help in detecting vertical scans. Firewall logs can help in determining whether some user/client is trying to connect to same port of all your servers periodically. To do this without a firewall one would have to combine logs from various servers/hosts to get a centralized view.
  6. Firewalls also come with anti-spam / anti-virus modules which also add to protection.
  7. OS independent security. Based on host OS, different techniques / methods are required to make the host secure. For example, TCP Wrappers may not be available on Windows machines.

Above all this if you do not have firewall and system is compromised then how would you detect it? Trying to run some command ‘ps’, ‘netstat’, etc. on local system can’t be trusted as those binaries can be replaced. ‘nmap’ from a remote system is not guaranteed protection as an attacker can ensure that root-kit accepts connections only from selected source IP address(es) at selected times.

Hardware firewalls help in such scenarios as it is extremely difficult to change firewall OS/files as compared to host OS/files.

Disadvantages of firewall:

  1. People feel that firewall will take care of security and do not update systems regularly and stop unwanted services.
  2. They cost. Sometimes yearly license fee needs to be paid. Especially if the firewall has anti-virus and anti-spam modules.
  3. Additional single point of failure. If all traffic passes through a firewall and the firewall fails then network would stop. We can have redundant firewalls, but then previous point on cost gets further amplified.
  4. Stateful tracking provides no value on public-facing systems that accept all incoming connections.
  5. Stateful firewalls are a massive bottleneck during a DDoS attack and are often the first thing to fail, because they attempt to hold state and inspect all incoming connections.
  6. Firewalls cannot see inside encrypted traffic. Since all traffic should be encrypted end-to-end, most firewalls add little value in front of public servers. Some next-generation firewalls can be given private keys to terminate TLS and see inside the traffic, however this increases the firewall’s susceptibility to DDoS even more, and breaks the end-to-end security model of TLS.
  7. Operating systems and applications are patched against vulnerabilities much more quickly than firewalls. Firewall vendors often sit on known issues for years without patching, and patching a firewall cluster typically requires downtime for many services and outbound connections.
  8. Firewalls are far from perfect, and many are notoriously buggy. Firewalls are just software running on some form of operating system, perhaps with an extra ASIC or FPGA in addition to a (usually slow) CPU. Firewalls have bugs, but they seem to provide few tools to address them. Therefore firewalls add complexity and an additional source of hard-to-diagnose errors to an application stack.

Related Posts:

  1. SSL Error: unable to get local issuer certificate
  2. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  3. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  4. Why does the URL http://a/%%30%30 crash Google Chrome?
  5. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  6. Can an attacker use inspect element harmfully?
  7. Where does Internet Explorer store saved passwords?
  8. Infected Files – what to do [closed]
  9. WordPress 4.7.1 REST API still exposing users
  10. Should I escape wordpress functions like the_title, the_excerpt, the_content
  11. Why does WordPress need my private ssh key to update?
  12. When to use esc_html and when to use sanitize_text_field?
  13. Why does WordPress have more than one salt?
  14. What is the ideal setup to address security concerns?
  15. Will there be security updates for 3.1 once 3.2 is released?
  16. WordPress it’s cleaning a custom query_var to avoid sql injections?
  17. Can someone explain the use cases of esc_html?
  18. Tips for finding SPAM links injected into the_content
  19. Close a wordpress blog – keep site as it is but prevent hacks
  20. Is WordPress vulnerable to the httpoxy?
  21. Prevent setup-config.php page from appearing when host blocks database
  22. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  23. WordPress and Security
  24. Is there a security risk giving someone temporary access to my blog’s code?
  25. Is /wp-login.php?redirect_to[] exploitable?
  26. How to properly sanitize/secure a WP Query coming from the front end
  27. brute force attack even though it is limited by IP
  28. What should I do about hacked server?
  29. How do I authenticate WP users from a chrome extension?
  30. Website is being flooded [closed]
  31. Is there any point setting the keys and salts in wp-config.php?
  32. Auth cookie value security risk?
  33. Where to store OAuth 2.0 client id and secret?
  34. Security – Shortcode injection attack
  35. Registration Plugin – Recaptcha integration
  36. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  37. How to combat flooding admin-ajax.php?
  38. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  39. Moving away from MD5: Where to declare the custom global $wp_hasher?
  40. Would it be dangerous to send all the wp_options to javascript file?
  41. Changing Table Prefixes – once done, am I good to go going forward?
  42. Should I disable directory listing for wp-includes?
  43. Safety side of storing emoji into database
  44. How can I safely hide the fact that my website runs on WordPress? [closed]
  45. How can I display nickname instead username in links
  46. My WordPress Websites are always under attack
  47. Is there value in using a wp_nonce for POST requests?
  48. How to hide easy access to my website temporarily?
  49. Can I Remove xmlrpc.php completely?
  50. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  51. Secure WordPress: Change admin
  52. Changing the default header name
  53. Is it safe to use a global wp nonce per user instead of a nonce per action?
  54. Wordfence detects change in wp-admin/includes/upgrade.php
  55. Any any insecure http:// URLs left in wordpress?
  56. Will there be security updates for WordPress 4.9.9
  57. White screen of death on admin pages after moving wp-config up two levels for security
  58. Can a WordPress administrator see other users’ passwords?
  59. Why my plugins are updating automatically?
  60. Any known bugs that could cause disappearance of the wp_users table?
  61. On new server, site got hacked, permissions a bit strange? Please help
  62. Privilege escalation bugs in 2.9?
  63. 404/500 error on content images if Referer header is from another domain [closed]
  64. Content-Security-Policy blocks WordPress check boxes from being activated
  65. Restrict Access without Creating Users
  66. Switching between security plugins is a risk?
  67. How to obfuscate wp-config.php or code
  68. wordpress admin security
  69. Why do people use “admin” username by default? [closed]
  70. Are major WordPress updates mandatory for security?
  71. i moved wp-config.php outside of public html and this broke my website
  72. Is it safe to use the basic administration with reduced rights for private member space
  73. WordPress Database Re-installed (Hacked)
  74. Verifying that I have fully removed a WordPress hack?
  75. WordPress Security tools
  76. Robots.txt file not updating
  77. How can I stop other plugins from using my class’ sensitive methods?
  78. wordpress security (only one part of the site)
  79. What are WordPress Current Security Issues in 2017?
  80. wp-config.php moved above root results in no plugin updates
  81. Password-protect feed and make it usable in major aggregators
  82. Folder Permissions + Security Concerns
  83. Malware/Permission bug removal?
  84. Could a user account with a stolen password compromised entire WP site?
  85. how to find the way they hacked my WP site
  86. is this code properly secured
  87. Run a security scan on WordPress site that has .htaccess password [closed]
  88. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  89. How to get real password (before encrypt) when register a user?
  90. Directory to store secure file
  91. checking the form submit in right order
  92. How can I give someone server access to only duplicate and modify a site?
  93. Our security auditor is an idiot. How do I give him the information he wants?
  94. Is it normal to get hundreds of break-in attempts per day?
  95. I am under DDoS. What can I do?
  96. How can I implement ansible with per-host passwords, securely?
  97. REJECT vs DROP when using iptables
  98. Does drilling a hole into a hard drive suffice to make its data unrecoverable?
  99. Can you alter the default wordpress strong password requirements?
  100. how to sanitizing $_POST with the correct way?

Leave a Comment