Posted: 2013-01-15 20:49:36 by Alasdair Keyes
Everyone knows the necessity of firewalls on modern computer systems, protecting everything from the heavy iron down to your home PC; however, I've noticed a strange trend in companies to simply not bother with software firewalls at all.
I know most companies have many firewall appliances which restrict access to various parts of their network, and combined with correct routing these can lock down a network very tightly; however, I always think it's paramount to run software firewalls on all your boxes.
No one designs their network to get attacked; however, any network that has been in production for several years will have been changed, re-patched, amended, had VLANs updated and routes added, and will carry that temporary firewall rule exception you added to grant an entire subnet access on all ports just because you couldn't see why you were getting connection errors. It's only natural that in that time mistakes will get made, possibly giving a small opening to someone you don't want in your network, and with the plethora of complex network penetration/hacking scripts about, it only takes one script to go unnoticed for a couple of months, probing and prodding at your network, and it could find a way through to some very sensitive parts of your infrastructure.
Software firewalls certainly shouldn't be your only protection; however, I would consider them both the first and the last line of defense. For shared hosting web servers they are the first line of defense against a nasty binary that has been uploaded through an insecure PHP script. For internal and backend systems such as database servers they are the last line of defense when someone has managed to get through the rest of your network security and is one step away from brute forcing your MySQL logins.
One excuse that is given is that it adds undue load to a server. Yes, to a degree this is correct; however, if you've got a server handling so many hundreds of thousands of connections that a software firewall is bogging it down, you should really look at some kind of load balancing so that you can spread that load over more hardware.
Having spent most of my career working in shared hosting environments, I know that we actively open up our networks to potential compromise. Anyone can buy shared hosting for very little money and run pretty much any PHP/Ruby/Perl/Python script they wish, and with the advent of more and more WordPress and Joomla exploits, it doesn't take long before you'll find some shady script attempting to execute.
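As an added illustration of the two roles described above (not code from the original post), here is a small POSIX shell script that emits an iptables-restore ruleset for a database server (MySQL accepted only from the application subnet) and for a shared web host (inbound web allowed, outbound restricted so an uploaded binary cannot scan the LAN or call home). The subnets, management host and DNS resolver addresses are constructed placeholders, and the ruleset is only generated, not applied.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset for one of two host roles from the
# post. Nothing is applied here; pipe the output into iptables-restore.
# All addresses passed in are constructed placeholders for this example.

# Lines every host shares: default-deny inbound, allow loopback and replies.
common_filter_header() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT $1 [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# "Last line of defense": a database server that only answers MySQL from the
# application subnet and SSH from a management host; anything else is logged.
db_ruleset() {
    app_subnet=$1; mgmt_host=$2
    common_filter_header ACCEPT
    cat <<EOF
-A INPUT -s $mgmt_host -p tcp --dport 22 -j ACCEPT
-A INPUT -s $app_subnet -p tcp --dport 3306 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
COMMIT
EOF
}

# "First line of defense": a shared web host that serves HTTP(S) to anyone
# but may only open outbound connections to its resolver and its database,
# so a binary dropped through a weak PHP script cannot probe the network.
web_ruleset() {
    db_subnet=$1; mgmt_host=$2; dns_host=$3
    common_filter_header DROP
    cat <<EOF
-A INPUT -s $mgmt_host -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $dns_host -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $db_subnet -p tcp --dport 3306 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
COMMIT
EOF
}
```

Add explicit outbound allowances (package mirror, NTP) as each host genuinely needs them; the LOG rules make every dropped probe or blocked call-home visible in the kernel log, which is where the "script going unnoticed for months" problem gets caught.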
© Alasdair Keyes