Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tear Down the Firewall

Posted by timothy on from the tripartate dept.

lousyd writes "'What's the best firewall for servers?' asked one Slashdot poster. 'Give up the firewall' answers Security Pipeline columnist Stuart Berman. Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls. "Taking that crutch away has forced us to rethink our security model," Berman says. The cost of the added servers is greatly minimized by making them virtual servers on the same machine, using Xen. With the new security-enhanced XenSE, this might become easier and more possible. What has you chained to your firewall?"

2 of 395 comments (clear)

  1. Re:Of course but by NeoThermic · · Score: 5, Informative

    And for windows:

    netstat -v -o -n -b -a

    (you can ommit -v for a quicker display)

    NeoThermic

    --
    Use my link above, or to view my server, NeoThermic.com
  2. He's only giving up the border firewall... by stefanlasiewski · · Score: 5, Informative

    It's a rather sensationalist headline. He's not really ditching his firewall, he's replacing the one border firewall with multiple firewalls in the internal network, and is keeping the production environment isolated from the non-production (Office & Development) networks.

    He removed the firewall between the Production Environment and the Internel, and is replacing it with several firewalls on the internal network. I count 4 firewalls-- One between the Webservers & Application server, a second firewall between the Application server and DB server, a third firewall between the production environment and non-production environments; and he discusses using ACLs to isolate subnets -- that's conceptually the same thing as a firewall.

    But that's not a very new concept, and even with his plan, it still seems like you'd be more secure if you have an external firewall on the added network.

    What's the harm in adding one more firewall and only allowing traffic on the HTTP port, HTTPS port and possibly VPN? It's cheap insurance just in case someone made a mistake and left some services running on one of the machines.

    --
    "Can of worms? The can is open... the worms are everywhere."