Recently I ran across someone asking the question 'why have a firewall?'
As it turned out, he had several sorts of host-based firewall protection,
but in thinking about the question I came up with four broad reasons that
firewalls can be a good idea:
- because your services and servers suck. You're forced to run things
that were written by addled monkeys, in environments that either
require random services of unknown and dubious security impact
or just start them up every so often whenever they feel like it.
Or perhaps you are stuck with known-vulnerable machines that you
cannot upgrade for various reasons.
(This is perhaps the leading reason to use firewalls in front of end
- because it simplifies and speeds up your internal architecture. Yes,
you could put SSL and passwords and whatever on your internal memcached
instance and your backend database servers and so on, or run them over a
disconnected internal network. But it's simpler to just not let people
talk to them, and it may give you faster performance.
- because it reduces the amount of code that handles untrusted network
input, what security people call the 'attack surface' (the code that an
attacker can reach and try to break). Sure, your database server has its
own access control system, but that's a lot of code that runs on untrusted
input before any credentials are checked, and historically some of it has
had bugs. Just not letting people talk to it at all reduces your risk,
possibly substantially.
- because it guards against mistakes and accidents in service and host
configuration. Without a firewall you are one errantly started daemon,
one omitted access control restriction, or one not yet fully installed
and patched host away from a security vulnerability.
(I once put a new webserver on the network and had hits from automated
vulnerability scans within sixty seconds of port 80 starting to
respond. This is apparently slow as these things go.)
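The second, third and fourth points all come down to one thing: write
down who may talk to what, default to deny, and let the firewall enforce
it. The following is an added example, not code from the original post,
that models such a policy and renders it as an nftables ruleset; the tier
subnets, backend host addresses and ports are assumptions chosen for
illustration.

```python
"""Default-deny internal firewall policy: evaluate it and render it as nftables.

Added example for this post, not code from the original. The tier networks,
host addresses and ports below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed internal layout: which subnet each tier lives in.
TIERS = {
    "web":   ipaddress.ip_network("10.0.1.0/24"),   # public-facing web frontends
    "app":   ipaddress.ip_network("10.0.2.0/24"),   # application servers
    "admin": ipaddress.ip_network("10.0.9.0/24"),   # ops jump hosts
}

# Constructed backend hosts that should only ever hear from specific tiers.
HOSTS = {
    "memcached": ipaddress.ip_address("10.0.3.10"),
    "database":  ipaddress.ip_address("10.0.3.20"),
}


@dataclass(frozen=True)
class Allow:
    src_tier: str      # key into TIERS
    dst_host: str      # key into HOSTS
    dport: int
    proto: str = "tcp"


# The entire "who may talk to what" architecture, stated once as allows.
# Everything else is dropped, so memcached needs no authentication layer and
# the database's own access control never sees packets from the web tier or
# from outside.
POLICY = (
    Allow("app",   "memcached", 11211),
    Allow("app",   "database",  5432),
    Allow("admin", "database",  5432),
    Allow("admin", "database",  22),
    Allow("admin", "memcached", 22),
)


def verdict(src_ip, dst_ip, dport, proto="tcp"):
    """Return 'accept' or 'drop' for a new connection attempt.

    Default deny: a flow is accepted only if some Allow matches it exactly.
    An errantly started daemon on an unlisted port is therefore unreachable
    even though the host itself would happily answer.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if (src in TIERS[rule.src_tier] and dst == HOSTS[rule.dst_host]
                and dport == rule.dport and proto == rule.proto):
            return "accept"
    return "drop"


def render_nft(chain="forward"):
    """Render POLICY as an nftables ruleset.

    'forward' is the hook for a router-style external firewall in front of
    the backend subnet; pass chain='input' for the host-based equivalent.
    """
    lines = [
        "table inet internal {",
        f"    chain {chain} {{",
        f"        type filter hook {chain} priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    if chain == "input":
        lines.append("        iif lo accept")
    for rule in POLICY:
        lines.append(
            f"        ip saddr {TIERS[rule.src_tier]} "
            f"ip daddr {HOSTS[rule.dst_host]} "
            f"{rule.proto} dport {rule.dport} accept"
        )
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed connection attempts, including the mistakes the post lists.
    for flow in [("10.0.2.7", "10.0.3.20", 5432),        # app -> db: intended
                 ("10.0.1.7", "10.0.3.20", 5432),        # web -> db: skips the app tier
                 ("10.0.2.7", "10.0.3.20", 8080),        # surprise daemon on the db host
                 ("203.0.113.5", "10.0.3.10", 11211)]:   # outside -> memcached
        print(f"{flow[0]:>13} -> {flow[1]}:{flow[2]:<5} {verdict(*flow)}")
    print(render_nft())
```

The same POLICY tuple drives both the check and the ruleset, so the
architecture is described in exactly one place; the rendered text can be
loaded with `nft -f` on the external firewall (forward hook) or on each
backend host (input hook) if you want both layers, as the post suggests.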
Whether to use host-based firewalls or an external firewall is an
implementation decision, but I tend to think that an external firewall
is more reliable and simpler to configure and keep straight, especially
if you have a non-trivial internal architecture (many hosts, each allowed
to talk to only some of the others). Of course it is also a single point
of failure, as the no-firewall people keep reminding us, so the right
thing to do is to have both: well protected hosts and an external
firewall.