Tue 31 Oct 2006
Security is a chain only as strong as its weakest link.
When placing servers on the internet, there are two obvious ways to secure it.
- Place a tightly-secured machine directly on the internet.
- Place a possibly-secured machine behind a firewall connected to the internet and forward one or more ports from the firewall to the server.
Whis is better?
To begin with, that’s a loaded question. Which is “better” depends on your criteria for “better” and varies from person to person and task to task. My preference is #1 (direct), though many people disagree with me. Let me explain why.
- Option #1 is more reliable. There is only one piece of hardware and no extra network interconnection. Some argue that the firewall can be a small embedded-system box that is extremely reliable and that the network in between is just a cable, but the fact remains that it cannot be more reliable than the single machine.
- Option #1 is easier to configure. There is no need to deal with NAT, port forwarding, multiple IP addresses, etc., etc.
- Option #1 is cheaper. There is less hardware and it uses less space. If you’re co-locating this server in an ISP’s rack then this is even more important. Plus, rack-mount firewalls are not the same as the cheap, small, home versions.
- Option #1 is more secure! This is the point that I get in to arguments about, so let me elaborate…
The biggest argument for the multiple-box solution is that your simple, no-nonsense firewall can completely block all traffic except that you really want going to your server. It means that when new security flaws are found in Windoze, you don’t worry about them because it’s already blocked by your firewall. True, but equally true for the single-machine solution. A single, standalone machine should have only those services running that you are actually using. As such, it doesn’t matter that 13 new execute-remote-code exploits have been found during the last week in Windows XP file sharing because you don’t have it enabled anyway! In fact, on any decently administered server, the biggest security hole is in the services you have open on purpose because those are the services being provided.
And this leads me to why I say that a single stand-alone server is actually more secure than a server behind a proper firewall… Trust
As soon as Option #2 is in place and a server is secured behind a firewall, people and administrators tend to trust that server because it’s protected. That means that it’s often not as tightly secured in itself and sometimes has access to other hosts that it really doesn’t need just because it’s convenient. If you put two servers behind the same firewall, each has unrestricted (by the network) access to the other. And if you put the server inside the corporate firewall, then there is no protection between that server and every other machine on the network.
Why is that important? Remember, this server is doing something for the outside. That means that some traffic is being intentionally forwarded from the “Internet At Large” to it. What happens when there is a security hole in the service being provided? Yes, that machine is compromised, but it’s worse than that. Suddenly, the exploited machine becomes a gateway for an attacker to access everything behind the firewall. That is a Bad Thing™! You had a nice big, strong, chain of security with one weaker link that was the service being provided. That link is broken and your chain disintegrates. With Option #1, yes, the machine is still compromised, but because it’s a machine on the internet, it’s not trusted any more than any other machine on the internet. It cannot be used as a stepping stone to more sensitive information within your network. That is why it’s more secure.
There is one way I see that Option #2 is “better” and that is flexibility. The firewall can be programmed to do load balancing between multple servers and so forth. If you need that type of thing, then you know what you need. If you don’t but still want to go the server-plus-firewall then you really should have one firewall per server (good luck convincing your bean counters of that), and each machine must still be secured as if it were open to unrestricted attack. And never, ever, ever, ever, ever put that server inside the corporate LAN.