Four reasons to have a firewall

November 14, 2010

Recently I ran across someone asking the question 'why have a firewall?' As it turned out, he had several sorts of host-based firewall protection, but in thinking about the question I came up with four broad reasons that firewalls can be a good idea:

  • because your services and servers suck. You're forced to run things that were written by addled monkeys, in environments that either require random services of unknown and dubious security impact or just start them up every so often whenever they feel like it. Or perhaps you are stuck with known-vulnerable machines that you cannot upgrade for various reasons.

    (This is perhaps the leading reason to use firewalls in front of end user machines.)

  • because it simplifies and speeds up your internal architecture. Yes, you could put SSL and passwords and whatever on your internal memcached instance and your backend database servers and so on, or run them over a disconnected internal network. But it's simpler to just not let people talk to them, and it may give you faster performance.

  • because it reduces the amount of code that handles untrusted network input, what security people call the 'attack surface' (the code that aggressors could attack). Sure, your database server has its own access control system, but that's a lot of code that gets run on untrusted input and historically some of it has had bugs. Just not letting people talk to it at all reduces your risk, possibly substantially.

  • because it guards against mistakes and accidents in service and host configuration. Without a firewall you are one errantly started daemon, one omitted access control restriction, or one not yet fully installed and patched host away from a security vulnerability.

    (I once put a new webserver on the network and had hits from automated vulnerability scans within sixty seconds of port 80 starting to respond. This is apparently slow as these things go.)
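The fourth reason above (guarding against an errantly started daemon) is also something you can check for directly on the host. The following is an added example, not code from the post: it parses the output of `ss -Hlntu` (a constructed sample is embedded below) and reports any listener that is not on an allowlist of expected services, or that is bound to a broader address than it should be (for instance memcached bound to `0.0.0.0` instead of loopback). The allowlist, ports and addresses are assumptions for illustration.

```python
"""Audit listening sockets against an allowlist of expected services.

Added example, not from the original post. Parses `ss -Hlntu` output and
reports listeners that the allowlist does not cover. The sample output and
the allowlist are constructed assumptions, not real hosts.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `ss -Hlntu` output (-H suppresses the header).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      1024       127.0.0.1:11211     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5432      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Allowlist (assumed): (protocol, port) -> addresses the service may bind to.
EXPECTED: dict[tuple[str, int], set[str]] = {
    ("tcp", 22): {"0.0.0.0", "[::]"},
    ("tcp", 80): {"0.0.0.0"},
    ("tcp", 11211): {"127.0.0.1"},   # memcached must stay loopback-only
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -Hlntu` lines into Listener records; skips malformed lines."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        # Local address is "addr:port"; IPv6 addresses are bracketed and
        # contain colons themselves, so split on the last colon only.
        addr, _, port = parts[4].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(parts[0], addr, int(port)))
    return listeners


def unexpected_listeners(listeners: list[Listener],
                         expected: dict[tuple[str, int], set[str]] = EXPECTED
                         ) -> list[Listener]:
    """Listeners not on the allowlist, or bound to an address it does not permit."""
    return [l for l in listeners
            if l.addr not in expected.get((l.proto, l.port), set())]


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {l.proto} {l.addr}:{l.port}")
```

Run against the sample, this flags the PostgreSQL listener on port 5432 and the SNMP listener on UDP 161, neither of which is on the allowlist; everything else matches. On a real host you would feed it `ss -Hlntu` output from cron and alert on a non-empty result, which catches exactly the "one errantly started daemon" case before a network scan does.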

Whether to use host-based firewalls or an external firewall is an implementation decision, but I tend to think that an external firewall is more reliable and simpler to configure and keep straight (if you have a non-trivial internal architecture of what is where and who can talk to it and so on). Of course it is also a single point of failure, as the no-firewall people keep reminding us, so the right thing to do is to have both well protected hosts and an external firewall.
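The "who can talk to what" architecture described here is easiest to keep straight when the firewall rules are generated from a short policy rather than hand-written. The following is an added example, not the post's or any project's code: it renders a default-deny nftables `inet filter` ruleset from a small policy table (constructed networks and services, chosen to mirror the memcached and backend-database case above), and includes a small evaluator that answers "can this source reach this service?" the way the generated chain would. The policy, addresses and the `ip saddr` rule form are assumptions for illustration; the chain policy of `drop` is what makes an unlisted or errant service unreachable even if it binds to all interfaces.

```python
"""Generate a default-deny nftables ruleset from a 'who may talk to what' policy.

Added example, not from the original post. The policy and networks below are
constructed illustrations, not real infrastructure.
"""
from __future__ import annotations

import ipaddress

# Policy (assumed): service name -> (protocol, port, source networks allowed).
POLICY: dict[str, tuple[str, int, list[str]]] = {
    "ssh":       ("tcp", 22,    ["10.0.0.0/24"]),   # admin network only
    "http":      ("tcp", 80,    ["0.0.0.0/0"]),     # public
    "memcached": ("tcp", 11211, ["10.0.1.0/24"]),   # web tier only
    "postgres":  ("tcp", 5432,  ["10.0.2.0/24"]),   # app tier only
}


def allow_rule(proto: str, port: int, src: str) -> str:
    """One nftables accept rule; 0.0.0.0/0 means 'anyone', so no saddr match."""
    if src == "0.0.0.0/0":
        return f"{proto} dport {port} accept"
    return f"ip saddr {src} {proto} dport {port} accept"


def render_ruleset(policy: dict[str, tuple[str, int, list[str]]]) -> str:
    """Render an inet filter table whose input chain drops by default."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",   # replies to our own traffic
        "    ct state invalid drop",
        '    iif "lo" accept',                        # loopback-only services stay reachable locally
    ]
    for name, (proto, port, sources) in policy.items():
        lines.append(f"    # {name}")
        for src in sources:
            lines.append("    " + allow_rule(proto, port, src))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def is_reachable(policy: dict[str, tuple[str, int, list[str]]],
                 src_ip: str, proto: str, port: int) -> bool:
    """Evaluate the policy as the generated chain would: any matching accept wins, else drop."""
    ip = ipaddress.ip_address(src_ip)
    for _name, (p, prt, sources) in policy.items():
        if p != proto or prt != port:
            continue
        for src in sources:
            net = ipaddress.ip_network(src)
            if ip.version == net.version and ip in net:
                return True
    return False


if __name__ == "__main__":
    print(render_ruleset(POLICY))
```

The output is a complete `nft -f` style ruleset; `ip saddr` only matches IPv4 sources, so IPv6 clients fall through to the drop policy until you add `ip6 saddr` rules for them, which is the safe direction to fail in. Keeping the policy table as the source of truth means a reviewer reads four lines to learn who may reach the database, rather than reconstructing that from the access control configuration of each service.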


Comments on this page:

From 129.97.109.15 at 2010-11-15 18:24:21:

Single point of failure in what sense? The common argument I've heard from no-firewall people about "single point of failure" is "if it dies, we're unprotected." So make sure it doesn't die; this is what clusters are for. They're expensive, but so are breaches. Or if you're especially paranoid, fail closed - your sites are down, but at least they're not being compromised because some sysadmin thought "it's behind a firewall so I don't need to lock it down."

Or did you have some other sense in mind, which you alluded to by saying "so the right thing to do is to have both well protected hosts and an external firewall"? Any pro-firewall person should be telling you to also protect the host, not just assume it's protected by the network firewall.

-- MikeP

By cks at 2010-11-15 21:28:57:

I was thinking 'single point of failure' in the security sense; if you're counting on a firewall for your security, a firewall failure or misconfiguration leaves you exposed. In theory this is not supposed to happen, but then I point back to an aphorism (securing hosts is not quite the same, but similar principles apply).

From 174.113.134.76 at 2010-11-16 09:17:23:

Availability is classically part of a good security stance too, but setting that aside, there's other reasons to combine host-based with network-based firewalls - the network-based one alone, even with no mistakes in configuration, still leaves you vulnerable if somebody can pop one of the machines behind it. If your webserver has no reason to talk to your Oracle server, don't let it, even if they're on the same network segment (and therefore probably the same firewall zone).

You know that, but your interlocutors may not.

Why yes, I do have this argument regularly, why do you ask? :-)

-- MikeP

Written on 14 November 2010.
Last modified: Sun Nov 14 22:13:35 2010