
Does it make sense to firewall an internet facing server, say a webserver? Assuming I did not want to restrict anyone from accessing the webserver in its capacity to serve web pages, I would be blocking other services on the machine.

If the machine is locked down adequately, would this be necessary?

One risk I could think of is if a vulnerability was exploited on the webserver and the attacker tried to open a reverse command shell... using the firewall to block outgoing connections initiated by the webserver would stop that.

However, is the overhead of a firewall worth protecting for that scenario? Are there other attack scenarios I may be missing?

Does having a firewall in front of an internet facing server not also increase the chances of the server being inaccessible due to a DoS attack (easier to do on a firewall from what I understand)?

What about an IDS... same arguments?

Sonny Ordell

3 Answers

Unless you severely misconfigure your firewall, it can only help. The overhead of firewalls is usually pretty negligible unless you have a really complicated ruleset. Remember, all it is doing is checking incoming packets against a set of rules. Also remember that firewall setups are a given in even the smallest enterprise environments with public facing servers. Even a small home router or desktop can really only benefit from having a firewall. Think of your login password. The chances of someone breaking into your house and using your computer are slim, but the "overhead" of password protecting your account is so negligible that you might as well just do it. You've provided no information as to your setup other than that you are running a web server with a public IP. I can't tailor my answer to your setup.

It is likely you have a few other ports open on that machine, (ie. SSH or some NetBIOS or RPC stuff if it is Windows). A firewall would allow you to leave port 80 open for general business while preventing possible exploits of other services you have running on your box, knowingly or unknowingly.

Additionally, most firewall packages like PF and Iptables can be used to thwart scanning and abuse of your legitimate public facing servers. For example, if you have a service being brute forced by a bot, you can block that IP with your firewall while allowing other IPs to continue accessing your webserver. Most firewalls have built-ins or addons to automate this process (ie. fail2ban and sshguard).

A properly configured firewall should not make you more susceptible to a DoS attack. It would help prevent against a SYN flood because you can block offending IPs. Of course, source IPs can be forged to random values to avoid this. However, PF uses "synproxy" which can mitigate this. A Teardrop attack could be prevented by a firewall as well (ie. the "scrub" anchor).

In summary, there are plenty of other attack methods that a firewall can thwart. There is more to firewalls than just blocking and allowing ports.

I can't speak much about IDS.

Source: I have experience setting up firewall/gateways on FreeBSD in IPv4 and IPv6 environments.

Michael
  • In a DDoS attack where the firewall is overwhelmed with traffic, would the webserver also then be inaccessible? – Sonny Ordell May 22 '11 at 00:42
  • This question is way too vague to really answer well. What operating system are you using? Are you continually being DDoSed? – Michael May 22 '11 at 00:59
  • It was a hypothetical, general question. I am not getting DDoSed, but from what I have been reading it is easier to disable a firewall than a production server. – Sonny Ordell May 22 '11 at 01:36
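The answer above mentions that tools like fail2ban and sshguard automate blocking a brute-forcing source at the firewall. The script below is an added example, not code from the thread or from either of those projects: a minimal log watcher that counts sshd "Failed password" lines per source address and emits one `pfctl -t bruteforce -T add <ip>` command per offender, which is how a watcher feeds a PF table. The log lines are constructed for the example, and the table name `bruteforce` and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban-style watcher in plain sh/awk.
# It reads sshd log lines, counts password failures per source address, and
# prints the pfctl command that would add each offender to a PF table.

# Constructed sample log, standing in for /var/log/auth.log; not real traffic.
sample_auth_log() {
    cat <<'EOF'
May 22 00:40:01 web sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
May 22 00:40:03 web sshd[1203]: Failed password for root from 198.51.100.7 port 40123 ssh2
May 22 00:40:05 web sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
May 22 00:40:06 web sshd[1207]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
May 22 00:40:08 web sshd[1209]: Failed password for root from 192.0.2.77 port 33010 ssh2
May 22 00:40:09 web sshd[1211]: Failed password for root from 198.51.100.7 port 40125 ssh2
May 22 00:40:11 web sshd[1213]: Failed password for root from 198.51.100.7 port 40126 ssh2
EOF
}

# offenders THRESHOLD < log
# Prints every source address with at least THRESHOLD failed logins, one per
# line, sorted.  Only sshd "Failed password" lines are counted; a successful
# "Accepted" line from a legitimate user is ignored.
offenders() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip }
    ' | sort
}

# ban_commands THRESHOLD < log
# Emits the pfctl command for each offender.  The table name "bruteforce" is
# an assumption; it must exist in pf.conf (e.g. "table <bruteforce> persist").
# Pipe the output into sh as root to apply it; here it is only printed.
ban_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t bruteforce -T add %s\n' "$ip"
    done
}

# Stand-alone run: five failures from one address, one from another.
sample_auth_log | ban_commands 5
```

Run as-is it prints a single command for 198.51.100.7, the only address that reaches five failures; 192.0.2.77 stays below the threshold and the successful key login from 203.0.113.5 is never counted. A real deployment would tail the live log and add an expiry (fail2ban's `bantime`, or `pfctl -t bruteforce -T expire <seconds>` from cron) so that a spoofed or shared address is not blocked forever.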

A firewall is, of course, critical. But, correctly configuring the firewall requires:

  • whitelisting the specific outgoing traffic that the firewall is allowed to perform. (i.e., the only traffic that the webserver might consider would be OS updates). Blocking this can minimize the possibility of a reverse shell being used to install malware on your webserver. Likewise, blocking DNS resolution can also limit the possibility of the initial buffer overflow to do damage.

  • blocking all ports not known to be used

Finally, as important as a firewall is, logging (and monitoring the logs) is also critical.

sfried
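Both answers above describe the same ruleset in words: default deny, a web port that stays open, PF's synproxy and scrub against SYN floods and Teardrop, automatic blocking of brute-forcing sources, and (from the answer just above) an egress whitelist that leaves a reverse shell nowhere to connect. The script below is an added example, not code from either answerer, that generates such a FreeBSD pf.conf. The interface name and every address in it (admin network, resolver, update mirror) are constructed placeholders from the documentation ranges, and the rate limit of 5 connections per 30 seconds is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): generate a minimal FreeBSD pf.conf that
# implements the advice in the answers above.  All names and addresses are
# placeholders; set them via the environment before generating.

EXT_IF="${EXT_IF:-em0}"                       # assumed external interface
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"      # constructed: where admin SSH comes from
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"      # constructed: the only resolver allowed
UPDATE_HOSTS="${UPDATE_HOSTS:-198.51.100.10}" # constructed: OS/package update mirror

# gen_pf_conf: print the ruleset on stdout.  The macro lines carry the shell
# values; the rule body is a quoted heredoc so pf's own $macros pass through.
gen_pf_conf() {
    printf 'ext_if = "%s"\n' "$EXT_IF"
    printf 'admin_net = "%s"\n' "$ADMIN_NET"
    printf 'dns_servers = "{ %s }"\n' "$DNS_SERVERS"
    printf 'update_hosts = "{ %s }"\n' "$UPDATE_HOSTS"
    cat <<'EOF'

# Addresses placed here, by pf's overload below or by a log watcher, are dropped.
table <bruteforce> persist

set skip on lo0
# Reassemble fragments so overlapping-fragment attacks (Teardrop) never reach the stack.
scrub in on $ext_if all fragment reassemble

# Default deny in both directions, logged, so anything not whitelisted shows up.
block log all
antispoof quick for $ext_if
block in quick on $ext_if from <bruteforce>

# The web service: pf completes the TCP handshake itself (synproxy), so
# half-open connections from spoofed sources never reach the web server.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } flags S/SA synproxy state

# Admin SSH only from the admin network.  More than 5 new connections in 30 s
# from one source puts it in <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Egress whitelist: only DNS to the chosen resolver and HTTP(S) to the update
# mirror.  A reverse shell spawned by a compromised web server is blocked (and logged).
pass out on $ext_if proto { tcp, udp } to $dns_servers port 53 keep state
pass out on $ext_if proto tcp to $update_hosts port { 80, 443 } flags S/SA keep state
EOF
}

# load_pf_conf: write the ruleset, parse-check it (pfctl -n), then load it.
# Requires root and pf enabled; not run here.
load_pf_conf() {
    conf=$(mktemp) || return 1
    gen_pf_conf > "$conf" &&
    pfctl -nf "$conf" &&
    pfctl -f "$conf"
    status=$?
    rm -f "$conf"
    return $status
}

# Stand-alone run: show the generated ruleset.
gen_pf_conf
```

Two points worth noting about the design. Replies to the web connections are allowed by the state entries, not by a separate `pass out` rule, so `block log all` really is the only outbound default; adding a service later (NTP, a backup host) means adding a deliberate `pass out` line. And because `block log all` logs, a reverse shell attempt shows up on `pflog0` immediately, which ties in with the point about monitoring logs.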

The short answer is there is no excuse not to have a firewall in front of an internet facing server. The likelihood of a DDoS attack that would cause your firewall to fail would most likely cause your server to fail as well. This is known as failing closed, to stop accepting requests in the event of malfunction.

With an IDS it's different, mainly because it serves an entirely different function. IDS is all about detection and traditionally sits behind your firewall but in front of internet facing servers. If your IDS has IPS functions and it got overloaded I'd say you'd want it to fail open, continue accepting requests.

Essentially Defense-in-Depth is the way to go, Firewall, Security Monitoring, Hardened Servers.

Also I agree Cocoabean, firewalls make you significantly less likely for many types of DoS attacks.

JamesBarnett