LinuxQuestions.org
Old 05-20-2009, 11:16 PM   #1
JohnRock
LQ Newbie
 
Registered: May 2009
Posts: 28

Rep: Reputation: 15
Centos Firewall...needed if already behind a firewall?


Basic security advice sought

I am setting up a simple production network with 1 external Firewall pointing to one CentOS webserver running Tomcat. There will be one CentOS box running MySql behind the webserver (only accessible from the webserver and not the Internet).

Given that basic setup and the fact that I will be the only user accessing either of those boxes, my question is this:

Is it necessary for me to run the default CentOS firewall on each server if they are already behind a firewall? (And the database server is not even accessible outside the private LAN.)

Same question for SELinux?

Would it be better for performance to disable them entirely? Are they still necessary even if behind an external firewall?

Thanks for any advice you can give!
 
Old 05-21-2009, 01:56 AM   #2
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by JohnRock View Post
Is it necessary for me to run the default CentOS firewall on each server if they are already behind a firewall? (And the database server is not even accessible outside the private LAN.)

Same question for SELinux?

Would it be better for performance to disable them entirely? Are they still necessary even if behind an external firewall?

Thanks for any advice you can give!
This is more of a question of how paranoid you are - your paranoia level dictates if it's necessary or not and there's no way for us to know just how paranoid you are 8).

Your system will work fine without a local firewall policy, but having it will increase your security posture. If the rules are written efficiently, it probably won't have any negative effects on performance. However, it will be slightly more work to manage your firewall policies. Everything is a trade-off: performance, usability, security...

As for SELinux, it was written mostly by NSA to harden the OS. Again, your paranoia level can only decide to keep it or disable it. Personally, I would leave it enabled.

If the service you're providing is taking a dump because of load, then perhaps you should look at the design and expandability of your systems rather than eliminate what are considered core security features.
 
Old 05-21-2009, 04:26 AM   #3
JohnRock
LQ Newbie
 
Registered: May 2009
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks for your well spoken advice. I guess I am in the category of 'paranoid of being paranoid'....

I have not yet had any need to create any custom policies for my local firewall or SELinux - I am literally just running them in their 'right out of the box' settings, with HTTP and ssh enabled. So I wasn't sure if leaving them on did in fact provide more security or was perhaps just redundant with an external firewall. I don't have the experience yet to know. Thanks for the input!
 
Old 05-21-2009, 08:18 AM   #4
ncsuapex
Member
 
Registered: Dec 2004
Location: Raleigh, NC
Distribution: CentOS 2.6.18-53.1.4.el5
Posts: 770

Rep: Reputation: 43
I'm not an expert on the matter and I've often wrestled with this idea. We have a really high-end firewall on our network and I've turned off all the firewalls on the internal CentOS servers. There are other measures you can take to secure your servers if you are sure your external firewall is secure and stable.

You said you were the only user. But that doesn't mean others won't try to gain access.

Lock down the servers to only people who NEED access. You can use AllowUsers in /etc/ssh/sshd_config to only allow certain users.
Change the default ports services run on. This is tricky and requires some knowledge about your environment so you don't lose access to anything.
You can also add entries to /etc/hosts.allow and /etc/hosts.deny that only allow IPs on your internal network to access certain services.
You can disallow root access.
Turn off all unnecessary services.
I have SELinux disabled as it adds another level of troubleshooting if something doesn't work. Also I haven't had time to really learn it. I'm not advocating this for others. But be ready to do extra troubleshooting if something goes wrong if you have it enabled.

If you do decide to use the CentOS firewalls, be ready to learn how to write/edit the rules so you don't block anything you don't want to. Adding another level of security also adds another level of troubleshooting.
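As an added example (not from any poster in this thread), a small POSIX shell audit of an sshd_config against the points in the list above: no root login, an AllowUsers line, and no password authentication, with the port reported for information. It reads top-level directives only (a Match block is not evaluated), the defaults it assumes are those of the OpenSSH shipped with CentOS 5, and the sample config at the end is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in this post.
# Only top-level directives are read (a Match block is ignored), and sshd takes the
# FIRST uncommented occurrence of a directive, so the first match wins here too.

sshd_get() {  # sshd_get FILE DIRECTIVE DEFAULT -> effective value of DIRECTIVE
    v=$(awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

sshd_audit() {  # sshd_audit FILE -> one OK/WARN/INFO line per check
    f=$1
    [ "$(sshd_get "$f" PermitRootLogin yes)" = no ] \
        && echo "OK:   root login disabled" \
        || echo "WARN: PermitRootLogin is not 'no'; log in as a user and use su/sudo"
    [ -n "$(sshd_get "$f" AllowUsers '')" ] \
        && echo "OK:   AllowUsers limits who may log in" \
        || echo "WARN: no AllowUsers line; every account with a password may try to log in"
    [ "$(sshd_get "$f" PasswordAuthentication yes)" = no ] \
        && echo "OK:   password authentication off, keys only" \
        || echo "WARN: PasswordAuthentication on; passwords can be guessed from the Internet"
    echo "INFO: sshd listens on port $(sshd_get "$f" Port 22)"
}

sshd_warn_count() {  # sshd_warn_count FILE -> number of WARN lines
    sshd_audit "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample resembling a stock config: commented lines are the sshd defaults.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
sshd_audit "$sample"
echo "$(sshd_warn_count "$sample") finding(s)"
rm -f "$sample"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script; a stock config yields three WARN lines.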
 
Old 05-21-2009, 03:10 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by JohnRock
Would it be better for performance to disable them entirely? Are they still necessary even if behind an external firewall?
I have RHEL servers behind a perimeter firewall, but I still run a host level firewall on each of the servers. Two reasons in my case:
  1. There's a lot of red tape I have to go through just to get an ACL changed on the perimeter firewall (which is owned by another department), so I generally request a wide net with those ACLs and then fine-tune packet filtering on the host side.
  2. Setting up iptables rules with LOG targets can give you an early look at access attempts on your host.

My 5 cents.
 
Old 05-22-2009, 03:17 PM   #6
JohnRock
LQ Newbie
 
Registered: May 2009
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks for the great insight everyone. Very helpful.

It appears to me that in my case, since I have all incoming ports blocked at the firewall (WatchGuard Firebox x1250e) except http (80) and ssh (22), I would not need to concern myself with redundant port/service blocking on the server itself. I would think that the only thing I need to do is make my ssh as secure/hardened as possible. Is that sound thinking?

That said, given that I do not have a private network to restrict ssh access to (I must access ssh from a non-fixed IP), what steps can I take to secure ssh? It seems terrible to me to think that someone can simply ssh into the box and try to guess the root password....

What should I do?
 
Old 05-22-2009, 03:24 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by JohnRock
It appears to me that in my case, since I have all incoming ports blocked at the firewall (WatchGuard Firebox x1250e) except http (80) and ssh (22), I would not need to concern myself with redundant port/service blocking on the server itself. I would think that the only thing I need to do is make my ssh as secure/hardened as possible. Is that sound thinking?
IMO, yes.

Quote:
Originally Posted by JohnRock
That said, given that I do not have a private network to restrict ssh access to (I must access ssh from a non-fixed IP), what steps can I take to secure ssh?
This is probably a question for another thread, but I will mention two things:
  1. I wrote up a brief guide on basic sshd hardening some time ago.
  2. There are a number of existing good threads on LQ that address this topic.
 
Old 05-22-2009, 03:49 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
Quote:
Originally Posted by anomie View Post
Setting up iptables rules with LOG targets can give you an early look at access attempts on your host.
I one hundred percent agree. Apart from combating single-point-of-failure problems, iptables rules provide auditing capabilities you won't get otherwise.
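Putting anomie's LOG-target point and the auditing argument in this reply into practice, as an added example that is not from any poster: a host firewall for the two boxes in JohnRock's setup (web server: 80 and 22 open; database server: MySQL and ssh only from the web server's address) that logs and drops everything else, plus a one-pass summary of the /var/log/messages lines it produces. IPT defaults to `echo iptables`, so running the script prints the rules instead of applying them; the addresses and the log lines are constructed.

```shell
#!/bin/sh
# Added example: host firewall with a LOG target for the setup in this thread, and
# a summary of the lines it writes. IPT=iptables applies the rules for real.
IPT=${IPT:-echo iptables}
fw_common() {  # start clean; allow loopback and replies to connections we started
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
fw_log_and_drop() {  # log the rest, rate limited so a scan cannot flood syslog, then drop
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "HOSTFW-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}
web_fw_rules() {  # web server: only what the perimeter firewall is meant to pass anyway
    fw_common
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    fw_log_and_drop
}
db_fw_rules() {  # database server: MySQL and ssh only from the web server address in $1
    fw_common
    $IPT -A INPUT -p tcp -s "$1" --dport 3306 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$1" --dport 22 -j ACCEPT
    fw_log_and_drop
}

# fw_summary: read syslog lines on stdin, print "count source dport" for HOSTFW-DROP
# entries, most frequent first. This is the "early look at access attempts".
fw_summary() {
    grep 'HOSTFW-DROP' | awk '{
        src = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            if (kv[1] == "DPT") dpt = kv[2]
        }
        print src, dpt
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Constructed sample log lines (addresses are documentation ranges, not real hosts).
sample_log='May 22 15:49:01 web kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41000 DPT=3306 SYN URGP=0
May 22 15:49:02 web kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41001 DPT=3306 SYN URGP=0
May 22 15:49:05 web kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51234 DPT=8080 SYN URGP=0
May 22 15:49:09 web sshd[2211]: Accepted publickey for john from 203.0.113.9 port 50022 ssh2'

web_fw_rules
db_fw_rules 198.51.100.5   # placeholder: the web server address
printf '%s\n' "$sample_log" | fw_summary
```

On a live box the summary is `grep HOSTFW-DROP /var/log/messages | fw_summary`; the two sample lines from 192.0.2.10 to port 3306 show why the database host should log such attempts itself rather than trust that the LAN is quiet.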
 