firewalls and webservers request for comments

Brian Densmore DensmoreB at ctbsonline.com
Fri Oct 8 09:06:35 CDT 2004


> -----Original Message-----
> From: Dustin Decker
> 
> I would say one of the primary benefits of a dedicated firewall is found
> in the very clear separation of duties across hosts.  For example, I make
> use of IPCop frequently with clients.  If I need a port open for them
> (which isn't always the case) then I can forward it.  In those cases where
> I have a handful of Windows users, I have the added benefit of using proxy
> services, tuned to the satisfaction of management, etc.
Separation is good, but can be costly too.

> 
> My personal favorite is intrusion detection.  In the case of IPCop, I make
> use of idabench to log all packets in/out of the network in binary format,
> farm it out to my analysis units, and replay through snort.  Any of this
> type of activity, if performed on the web server, mail server, or what
> have you, adds an unnecessary load to that system.  In addition, with
> extra services floating on the box, the odds that I will drop packets
> increases - and I only have to miss one to miss the Really Bad Packet(tm).
I guess the question is what kind of load do iptables, idabench
and snort place on a machine? Is it big enough to cause dropped packets?
What about processor speed and memory? Does intrusion detection cause
a problem only on machines below a certain CPU speed and/or below
a certain memory limit?

> 
> One other concern I would have is for vulnerable software.  If I have an
> apache server behind a firewall, and a new vulnerability is discovered,
> exploitation of it doesn't place my firewall at risk, whereas root access
> gained through [insert hack of the week here] quickly gains the ability
> to disable iptables entirely.
This is of course the primary reason I can think of for separation,
but with the firewall forwarding, doesn't that leave the webserver
vulnerable anyway? Of course it would still keep the firewall
intact and thus prevent the compromised machine from being wide open.
Or would it?

>  
> Just for fun, while looking at the ports you have listed above, I wonder
> if you even need port 993 open.  You mentioned in a previous post that
> you use webmail.  If this is the _only_ method you use to check your
> mail, 993
This is correct. I don't need that port because most of the time I
use the webmail interface, but occasionally I use an IMAPS client.
I could do away with that, but wanted to do the IMAPS server and client
just to do it. 

PS Anyone notice the KCStar ad in last Sunday's paper for a Linux tech?
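The situation Brian asks about above (the firewall forwards a port to the web server, so the web server is still reachable on that port; the question is what the firewall still buys you once the web server is rooted) as a concrete ruleset. This is an added example, not part of the original thread and not IPCop's own configuration: plain iptables on a hypothetical three-interface firewall, with the interface names, the web server address and the LAN range all assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from IPCop: a dedicated firewall that
# forwards only HTTP/HTTPS to a web server and limits what that web server
# may start on its own, so a rooted web server is still confined by the
# firewall instead of being wide open.
#
# Assumed (hypothetical) topology:
#   WAN_IF  - Internet side
#   DMZ_IF  - network holding the web server ($WEB)
#   LAN_IF  - internal network ($LAN)
WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
WEB="${WEB:-192.168.1.10}"
LAN="${LAN:-192.168.0.0/24}"
IPT="${IPT:-iptables}"   # IPT="echo iptables" prints the rules instead of applying them

apply_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Packets belonging to connections already allowed below are fine.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Forward only the web ports.  Nothing else (993 included) is reachable
    # from outside; the web server stays exposed on exactly 80 and 443.
    for port in 80 443; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
             -j DNAT --to-destination "$WEB"
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB" --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # What a compromised web server may initiate: never into the LAN, and
    # outbound only DNS.  Anything else is logged (which is exactly what the
    # IDS on the firewall wants to see) and dropped.
    $IPT -A FORWARD -i "$DMZ_IF" -s "$WEB" -d "$LAN" -j DROP
    $IPT -A FORWARD -i "$DMZ_IF" -s "$WEB" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -s "$WEB" -j LOG --log-prefix "DMZ-EGRESS-DENY "
    $IPT -A FORWARD -i "$DMZ_IF" -s "$WEB" -j DROP

    # LAN hosts may reach the web server and the Internet; the firewall
    # itself is administered (ssh) from the LAN side only.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT   -i "$LAN_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# "sh fw.sh apply" applies the rules (as root); with no argument the file
# only defines apply_rules so it can be sourced or previewed.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Preview the generated rules with `IPT="echo iptables" sh fw.sh apply`, apply them as root with `sh fw.sh apply`. The `-m conntrack --ctstate` match needs a reasonably current iptables; on a 2004-era box the equivalent is `-m state --state`. Note what this does and does not settle: Dustin's point stands, the web server is still exploitable through 80/443, and forwarding changes nothing about that. What the separation buys is that root on the web server is not root on the firewall, so the attacker cannot remove these rules, and the DMZ egress rules decide how far that root access reaches.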


