firewall / web server on the one pc- bad practice?

[lockmac]

Hi their. I am just wandering, is it bad practice to have a firewall installed on, say a web server?

Or should I have separate firewall server, and then a separate web server?

If so, why?

Thanking you guys!

 

[lockmac]

bumpp

 

[lxskllr]

Since nobody educated has answered, I'll throw in my 2¢ :^D I don't think it would be bad to run a firewall on your web server, but I don't like the idea, as it doesn't "feel" right. My thinking is a that a misconfiguration would put data at greater risk do to close contact. In reality I don't think it matters, but if I were setting up a server, I'd keep my firewall separate.

 

[lockmac]

Yeh i know what you mean. It really does feel a bit "too close" to the internet. I like the idea of having a network that is really unknown to the outside world, where a web server could be on any one of those servers. I spose if someone is smart enough to get past your firewall though, they are going to get into your web server no matter what

 

[seepy83]

Originally posted by: lockmac
Hi their. I am just wandering, is it bad practice to have a firewall installed on, say a web server?

Or should I have separate firewall server, and then a separate web server?

If so, why?

Thanking you guys!

The best answer is that, from a security perspective, you should have both. This would be part of a Defense in Depth strategy.

You should absolutely have a firewall at your network perimeter...this is a minimum to protect any network.

After that, if you are looking to improve your security posture, then deploying software-based firewalls on your hosts is one of the additional steps you can take. This would help protect your server from potential malicious activity on your local network.

 

[n0cmonkey]

(I am assuming you mean a network firewall, not just a host firewall)

If the webserver gets compromised your firewall is toast. It's generally easier to compromise a webserver than a firewall. Run them on separate machines.

Consider running a software/host firewall on the webserver though. Limiting access to extra ports (like SSH/RDP) is definitely a good idea. And if this is a work setup, you've already got your webserver segmented away from your workstations, so the firewall doing that could easily take over that role...

Just remember a firewall isn't fool proof. They can be easy to configure incorrectly, and often times it's the stuff you have to let through for the server to be useful (ie. web traffic to a webserver) that is the most worrying.

 

[Crusty]

I always run firewalls on servers as well firewalling the network itself. Can never have too many firewalls IMO

 

[lockmac]

Thanks guys. Exactly the responses I was after. Just wanted to double check. Cheers