Hello all,

I'd really appreciate your help with this dilemma...

I am setting up a dedicated web server for a fairly major online business. I have looked at my options and due to budget constraints I think I will have to choose between:

1) A server from a good company (such as Dedipower) with good support but no separate hardware firewall. I think I can get this for around £80 ($120) per month.
2) A server from a cheaper company (probably 1and1) with external hardware firewall. This would be around £80 ($120) per month including the firewall and lots of other freebies such as SSL certificates. I have heard bad things about 1and1 but their offers are hard to resist...

I guess my questions are really:
a) How important for security is an external hardware firewall? The web server would be a Bastille server with carefully configured iptables anyway.
b) Can anyone think of a good compromise? Are there any companies that offer good support and also hardware firewall, for around £80-90 ($120) per month.

Thanks for your help.

iptables is secure and stable. Don't think you need an hardware firewall. If you configure iptables really carefully, then you will not have any problems.

Go for the 1and1 option.

If your talking about off site dedicated hosted servers? then you wont need to bother with firewall etc, that will be taken care of for you by the hosting company

Depends what you mean by that. Every hosting company is going to have some kind of firewall between the wild Internet and your instance, but you won't necessarily be able to submit change requests for it. Usually the provider's firewall is wide-open to your IP by default, so it's not necessarily doing much good unless you have the ability to submit requests for the rules that are deployed.

That being said, if you really know how to configure a firewall properly (hint: most people who think they know how actually don't), then there really isn't much benefit to having a hardware firewall too.

Maybe if the firewall was a beefy enterprise-grade box it would offer some extras beyond what Netfilter can do (due to in-hardware handling of packets vs. strictly software), but what you're likely to get as a dedicated firewall is a branch-office type box.