2

I've been asked to look into placing a firewall between a webserver (Debian/Apache/PHP) in the DMZ and a backend MySQL database to achieve "isolation". Right now, iptables is running on the MySQL server and is only permitting TCP 22 and 3306 for SSH and MySQL respectively. However, this is apparently not good enough, and a hardware firewall is recommended.

Looking at Cisco's ASA 5505 for example, the max. throughput is 150Mbps, which seems like quite a step down compared to the Gigabit throughput that the Webserver and MySQL server enjoy now being on the same GbE switch.

Is this a concern? I can't really give you any numbers right now, but say your typical form-driven, data entry CRUD webapp with perhaps 100 concurrent user sessions at any time.

If this is impossible to determine without any real throughput numbers, can anyone suggest any methods of measuring? I was thinking of grabbing JMeter, simulating some load, and measuring bandwidth on a port mirror of the MySQL interface (or perhaps on the MySQL server itself) with ntop.

EDIT:

I bolded the item about the Gigabit Ethernet, which should have a theoretical throughput of 125MB/s, whereas the Cisco 5505 has a max throughput of 150Mbps (or ~18MB/s), and that's not accounting for NAT or ACL parsing etc. (although I can't see NAT or ACL parsing being a big deal for a one-node network). Even still, the firewall would definitely be a potential bottleneck between the webserver and the MySQL server, seeing as a good RAID1 setup with high-quality SAS disks and other server components should at least be able to push 50-75MB/s.

WuckaChucka

5 Answers

2

What about two NICs on the webserver, one on the DMZ and one on the LAN?

Edit: Since the answer was accepted I am putting more details.

The webserver is necessarily public facing; the idea is to firewall that so only ports 80,443 are publicly accessible. Then internally it can communicate with the database server on a LAN interface. This also has the advantage of putting your public traffic on a separate interface from your internal traffic. This is a very common configuration and provides extra security because public traffic and internal traffic are physically separated, instead of relying on a firewall.

Amala
  • What does that achieve? If the webserver gets rooted, it's on both networks. – WuckaChucka Sep 07 '10 at 20:01
  • Yes, your webserver would be a point of entry to your network. But what about closing all ports except 80,443 on it? The advantage of this over your current (not proposed) setup is you don't have to open ports on your mysql server. Your proposed DMZ-LAN connection is good, but you have to deal with the router in the middle and potentially spend big money for a high throughput router. – Amala Sep 08 '10 at 12:18
  • Only required ports would be open, regardless: the webserver and the MySQL server will be running host-based firewalls (not to mention they won't have services listening for any other ports). My point exactly re: the router/firewall in between: unless there's some ARP spoofing scenario I can't wrap my head around, if the webserver gets owned, it has the auth token to the database server and can (at the very least) read/write to all tables in the database. – WuckaChucka Sep 08 '10 at 13:53
  • I'm going to go with this configuration and create a "data" VLAN that the multi-homed webserver and database server will be the only members of. – WuckaChucka Sep 08 '10 at 14:48
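As an added example (not code from the question or from Amala's answer), here is what the two-NIC layout discussed above looks like as host firewall rulesets: the web server accepts only 80/443 on its DMZ interface, never forwards between its two interfaces, and on the data LAN may only talk to the database server's port 3306; the database server accepts 3306 only from the web server's LAN address. Interface names (eth0/eth1), addresses (10.10.0.0/24) and the admin network (192.168.1.0/24) are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer): host firewall rulesets
# for the dual-homed web server and the database server on a private data LAN.
# Interface names and addresses are assumptions.
set -eu

DMZ_IF="eth0"                # web server NIC facing the public side
LAN_IF="eth1"                # web server NIC on the private "data" LAN
DB_IF="eth0"                 # database server's NIC on the data LAN
WEB_LAN_IP="10.10.0.10"      # web server address on the data LAN (assumed)
DB_LAN_IP="10.10.0.20"       # database server address on the data LAN (assumed)
ADMIN_NET="192.168.1.0/24"   # management network allowed to SSH in (assumed)

# Web server ruleset in iptables-restore format. Inbound: only 80/443 on the
# DMZ side plus SSH from the admin network. FORWARD is dropped so the box
# never routes packets between the DMZ and the data LAN. On the LAN side the
# only new connections allowed out are MySQL to the database server.
webserver_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $DMZ_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "web-in-drop: "
-A OUTPUT -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $LAN_IF -d $DB_LAN_IP -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $LAN_IF -j LOG --log-prefix "web-lan-drop: "
-A OUTPUT -o $LAN_IF -j DROP
COMMIT
EOF
}

# Database server ruleset: MySQL only from the web server's LAN address,
# SSH only from the admin network, everything else logged and dropped.
dbserver_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $DB_IF -s $WEB_LAN_IP -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "db-in-drop: "
COMMIT
EOF
}

# Usage on the respective host (as root):  sh firewall.sh web | iptables-restore
case "${1:-}" in
    web) webserver_rules ;;
    db)  dbserver_rules ;;
esac
```

The FORWARD policy and the OUTPUT rules on the LAN interface are what keep a compromised web server from using its second NIC as a path into anything other than the database port. They are host rules, so an attacker with root on the web server can remove them; that is why the comment above about a data VLAN whose only members are these two hosts matters: with nothing else on that VLAN, there is nowhere else to go even once the rules are gone.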
1

I'm not quite sure where you're getting your max. throughput numbers because Cisco's website tells a different story (150Mbps).

It's a 100Mb ethernet connection and of course your real-world throughput will depend entirely on numerous factors, including what kind of filtering you have going on on the ASA. The advantage to having the ASA there is that you can add the AIP-SSC card and get intrusion prevention/detection also.

You could always try the ASA5505 from a vendor that allows returns. I can't speak to your throughput as I only have 5510s and 5520s. I use a 5505 personally from home and see no issues with throughput, but of course it's just me and my family.

GregD
1

Yes, it would be a bottleneck, and if you want to handle 1Gbps linespeed, you will probably need a bigger firewall.

However, do you really need to run at 1Gbps today? It might be a future requirement, but if you are currently only really using, for example, 5Mbps, you'd still have plenty of capacity left for now.

On the switch that is connecting the SQL and web server, you could use something to retrieve the port utilisation status from the MIBs to see how much bandwidth you really need. We use Cacti at work as it was free, quick and easy to set up. We can monitor switchport utilisations when we anticipate/experience performance issues, and use the evidence to decide what to do next.

Mitch Miller
  • I see your point, and yes, measuring throughput is really the only way you can determine where your bottleneck lies. However, investing in 100Mb equipment today would be pointless as this is a new setup and all new hardware has or will be purchased. – WuckaChucka Sep 08 '10 at 14:53
  • But you have to ask yourself: if you don't really need more than 100Mbps throughput for the next couple of years, why not start with the "cheap" ASA5505, start measuring the utilisation trend and then upgrade it when you actually need to? In 2 years' time, everything will be cheaper and faster. Overall, you'll save money and make your manager happy. – Mitch Miller Sep 08 '10 at 20:21
  • I agree with the comment. If right now you have a small fraction of 150Mb throughput requirement, at the point where this actually becomes a problem, getting the resources to buy a better firewall probably is less of an issue. You have a successful website, and you can justify spending $10,000 on a firewall. Right now, you have a nascent website, so spending $500 on the firewall seems like a good place to start. – dunxd Sep 09 '10 at 13:33
0

You're going to need to hook up some monitoring (there should be munin packages that get it all going easy cheesy) and get an idea of what you really need.

If you find you really are pushing beyond 100Mbps then you're simply going to need a faster firewall (or even something like a couple OpenBSD boxes in failover with carp+pfsync).

Rob Olmos
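The answers from Mitch Miller (switch port utilisation from the MIBs, Cacti) and Rob Olmos (munin) both come down to measuring before buying. As an added example that is not part of either answer, the script below does the same measurement by hand so you can get a number before any graphing is set up: it reads the switch port's IF-MIB octet counters twice over SNMP (net-snmp's snmpget), converts the difference to Mbit/s (correcting a 32-bit counter wrap), and reports what share of the GbE link and of the ASA 5505's 150 Mbit/s rating that is. The switch host name, community string and ifIndex are assumptions.

```shell
#!/bin/sh
# Added example (not from any answer on this page): sample a switch port's
# IF-MIB octet counters over SNMP and express the rate as a fraction of the
# link speed and of the candidate firewall's rated throughput.
set -eu

ASA_RATED_MBPS=150          # rated throughput of the ASA 5505 (from the question)
LINK_MBPS=1000              # the GbE link the servers currently share
COUNTER32_MAX=4294967296    # 32-bit counters (ifInOctets/ifOutOctets) wrap at 2^32

# Bytes moved between two counter samples. A single wrap of a 32-bit counter
# is corrected; the 64-bit HC counters are assumed not to wrap in one interval.
octet_delta() {
    prev=$1; cur=$2; width=${3:-64}
    if [ "$cur" -ge "$prev" ]; then
        echo $((cur - prev))
    elif [ "$width" -eq 32 ]; then
        echo $((cur + COUNTER32_MAX - prev))
    else
        echo "counter went backwards without a 32-bit wrap (device reset?)" >&2
        return 1
    fi
}

# Byte delta over an interval in seconds -> megabits per second (two decimals).
mbps_from_delta() {
    awk -v d="$1" -v i="$2" 'BEGIN { printf "%.2f", d * 8 / i / 1000000 }'
}

# Share of a capacity (link speed or firewall rating) used by a rate, in percent.
percent_of() {
    awk -v m="$1" -v cap="$2" 'BEGIN { printf "%.1f", m * 100 / cap }'
}

# One line of report for a direction, e.g. "in 120 Mbit/s = 12.0% of the ..."
report_rate() {
    printf '%s %s Mbit/s = %s%% of the %s Mbit/s link, %s%% of the firewall rating (%s Mbit/s)\n' \
        "$1" "$2" "$(percent_of "$2" "$LINK_MBPS")" "$LINK_MBPS" \
        "$(percent_of "$2" "$ASA_RATED_MBPS")" "$ASA_RATED_MBPS"
}

# Read ifHCInOctets and ifHCOutOctets for one port; needs net-snmp's snmpget.
# -Oqv prints only the values, one per line.
read_counters() {
    host=$1; community=$2; ifindex=$3
    in_oid=".1.3.6.1.2.1.31.1.1.1.6.$ifindex"     # IF-MIB::ifHCInOctets
    out_oid=".1.3.6.1.2.1.31.1.1.1.10.$ifindex"   # IF-MIB::ifHCOutOctets
    snmpget -v2c -c "$community" -Oqv "$host" "$in_oid" "$out_oid" | tr '\n' ' '
}

# Sample the port twice, INTERVAL seconds apart, and report both directions.
measure_port() {
    host=$1; community=$2; ifindex=$3; interval=${4:-10}
    set -- $(read_counters "$host" "$community" "$ifindex"); in0=$1; out0=$2
    sleep "$interval"
    set -- $(read_counters "$host" "$community" "$ifindex"); in1=$1; out1=$2
    report_rate in  "$(mbps_from_delta "$(octet_delta "$in0" "$in1")" "$interval")"
    report_rate out "$(mbps_from_delta "$(octet_delta "$out0" "$out1")" "$interval")"
}

# Usage (assumed values): sh portrate.sh switch.example.net public 12 10
if [ $# -ge 3 ]; then
    measure_port "$@"
fi
```

Run it a few times during the JMeter load the question proposes, or under real daytime traffic, and keep the highest figures; a single 10-second sample tells you the average over that window, so short bursts that would queue at a 150 Mbit/s device only show up with shorter intervals or a proper poller like Cacti or munin.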
-1

The throughput of the ASA 5505 is 150 Mbit/s. I do not see the benefit security wise. Probably decided by someone who does not know much about firewalling.

3molo
  • Eh? A hardware firewall between your DMZ and data is pretty much an IT industry standard. You really don't see the benefits of it? – Chris Thorpe Sep 05 '10 at 19:47
  • No I don't, not when you can accomplish the same basic firewalling with iptables. – 3molo Sep 06 '10 at 03:16
  • If you don't want to go down the Cisco off-the-shelf route, don't rule out a couple of BSD machines with gigabit cards. – The Unix Janitor Sep 07 '10 at 09:07
  • @Chris: I agree, it is an industry standard (at least as far as simplified high-level DMZ diagrams go), but I can't seem to locate any documentation that supports my throughput vs. perceived security angle I'm trying to unravel here. – WuckaChucka Sep 07 '10 at 20:32
  • The ASA is pretty great at firewalling/VPN endpointing a branch office - most of those are connecting at far less than 100Mbps. For internal security, wouldn't you be better at looking at what a managed switch and network design can do for you? – dunxd Sep 09 '10 at 13:34