What is the worst that could happen if I don't setup a hardware firewall? I am planning to just install a software firewall. I am planning to deploy a medium traffic web site and the information on the database will be important. But, I can protect the database with really good passwords.
Asked
Active
Viewed 987 times
4 Answers
1
The worst might be that you fall victim to a zero day exploit on Windows, IIS or the database that might have been prevented had you created an addtional layer of security.
Passwords won't protect you from exploiting i.e. a buffer overflow.
If it's important, secure it as good as reasonable possible.
Sven
- 98,649
- 14
- 180
- 226
-
is there any webhosts that offer firewalls installed with their dedicated servers. I am thinking about going with tailormadeservers.com. What do you think about them? – user19335 Sep 10 '09 at 23:59
0
Well, it's like leaving the front door to the bank open at night and daring someone to come in and try cracking the safe, the cash drawers, safety deposit boxes, and hoping that you haven't forgot to secure something. Security starts at the perimeter of your network.
joeqwerty
- 109,901
- 6
- 81
- 172
-
is there any webhosts that offer firewalls installed with their dedicated servers. I am thinking about going with tailormadeservers.com. What do you think about them? – user19335 Sep 10 '09 at 23:58
-
I disagree... A properly configured Windows server can prevent any connection other than port 80/443. Putting a firewall that passes port 80/443 thru to the web server would not make any difference if the web server is configured to only listen on 80/443... – Dscoduc Sep 11 '09 at 04:45
-
My point is that without a hardware firewall at the network perimeter you've let the bad guys in to the building where they're free to hammer away until they crack the safe. Security is best implemented in layers and a perimeter firewall should be the first layer. – joeqwerty Sep 11 '09 at 13:27
0
It is basically impossible to make a Windows server completely secure. You absolutely should have a hardware firewall. It's not that expensive; I just checked Newegg.com and found that you can get a Netgear FVS336G firewall for under $300. (I do recommend Netgear; I have been burned by other brands such as Linksys, but I have not been burned by Netgear yet.)
The basic problem with Windows is that Microsoft put in a huge number of features. Each feature is a possible point of attack. Even if you never use the features, the features are in Windows, and if any one of them has a weakness, some black hat can crack your server. And a single incident where someone cracks your server and copies all your data would seriously make you wish you had spent that $300 for a firewall. (Even worse if the cracker defaces or trashes your server and you need to rebuild it...)
A firewall is a small, stripped-down device. It doesn't have the .NET runtime, it doesn't have an email server, it doesn't have a whole bunch of stuff that Windows has. So it's much easier to make a firewall secure. You set up the firewall to only permit traffic on the ports your business actually uses, and close all the others.
With a software firewall, if someone can find an exploit in the Windows networking code itself, your machine is still cracked. With a hardware firewall, first the attacker has to find an exploit (in a much tougher target), and then having defeated that, might still be stopped by your software firewall. Layered defense.
If you really don't want to pay $300 for a firewall, here's an option: get an old PC, put two network cards into it, take out its hard drive, and boot from a Devil-Linux CD.
steveha
- 1,019
- 3
- 11
- 16
-
How about this... I can configure a Win2k8 server with built-in firewall or Windows IPSec to only listen on port 80 and 443. Now all of those features are unavailable to all external connections. How would an external firewall be any better than that? Any penetrations would have to come over port 80 or 443 and any $300 firewall you put in front of the web server would pass that traffic right on thru to the web server... – Dscoduc Sep 11 '09 at 04:50
-
Using a soft firewall with a Windows system means that you are trusting the Windows IP networking stack to not have any exploits. I just did a quick Google search, and found that just this week Microsoft released Security Bulletin MS09-048 which covers critical security patches to fix exploits against the IP networking stack. If I'm reading it correctly, one of the exploits allows remote code execution on a Windows Server 2008 system; another one allows a DOS attack. These attacks hit before the firewall software gets a chance to do anything. Thus, I still recommend a hardware firewall. – steveha Sep 11 '09 at 23:32
-
When you use a hardware firewall, or Devil-Linux, you are using some other IP networking stack, so presumably that stack could have exploits. But in practice, both Linux and OpenBSD (a hardware firewall probably uses one of those) have far fewer exploits than Windows, so you are gaining security. And, even if an exploit existed for your hardware firewall, there are plenty of worms that can automate cracking your server; I don't know how many worms out there can automate first cracking a firewall and then cracking the server. Defense in layers is always better than a single defense. – steveha Sep 11 '09 at 23:52
0
You need to have a better understanding of the risks associated to running a (any) web server. There are OS related risks and Web Server risks. As for the applications risks, well that's for a different discussion.
While I know it's popular to say that Windows is insecure the my opinion is that every operating system can be made secure/insecure depending on your skills and diligence in applying patches and updates.
For securing a Windows Web Server you could rely on the built-in Windows firewall software to lock down the open ports. Another option is to leverage IPSec to prevent any communication from the internet to the server except over port 80/443.
For web server risks you will find that both Apache and IIS have their share of vulnerabilities. The key here is to keep the patches and updates current.
Dscoduc
- 1,095
- 2
- 8
- 15