Firewall / web server on the one PC - bad practice?

lockmac

Hi there. I am just wondering, is it bad practice to have a firewall installed on, say, a web server?

Or should I have a separate firewall server, and then a separate web server?

If so, why?

Thanking you guys!
 

lxskllr

Since nobody educated has answered, I'll throw in my 2¢ :^D I don't think it would be bad to run a firewall on your web server, but I don't like the idea, as it doesn't "feel" right. My thinking is that a misconfiguration would put data at greater risk due to close contact. In reality I don't think it matters, but if I were setting up a server, I'd keep my firewall separate.
 

lockmac

Yeah, I know what you mean. It really does feel a bit "too close" to the internet. I like the idea of having a network that is really unknown to the outside world, where a web server could be on any one of those servers. I suppose if someone is smart enough to get past your firewall though, they are going to get into your web server no matter what.
 

seepy83

Originally posted by: lockmac
Hi there. I am just wondering, is it bad practice to have a firewall installed on, say, a web server?

Or should I have a separate firewall server, and then a separate web server?

If so, why?

Thanking you guys!

The best answer is that, from a security perspective, you should have both. This would be part of a Defense in Depth strategy.

You should absolutely have a firewall at your network perimeter...this is a minimum to protect any network.

After that, if you are looking to improve your security posture, then deploying software-based firewalls on your hosts is one of the additional steps you can take. This would help protect your server from potential malicious activity on your local network.
 

n0cmonkey

(I am assuming you mean a network firewall, not just a host firewall)

If the webserver gets compromised your firewall is toast. It's generally easier to compromise a webserver than a firewall. Run them on separate machines.

Consider running a software/host firewall on the webserver though. Limiting access to extra ports (like SSH/RDP) is definitely a good idea. And if this is a work setup, you've already got your webserver segmented away from your workstations, so the firewall doing that could easily take over that role...

Just remember a firewall isn't foolproof. They can be easy to configure incorrectly, and oftentimes it's the stuff you have to let through for the server to be useful (i.e. web traffic to a webserver) that is the most worrying.
 

Crusty

I always run firewalls on servers as well as firewalling the network itself. Can never have too many firewalls IMO.
 

lockmac

Thanks guys. Exactly the responses I was after. Just wanted to double check. Cheers