Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

An anonymous reader writes: I do some contract work on the side, and am helping a client set up a new point-of-sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup, the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.

So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.

It Depends

[MightyMartian]

I've set up networks where the server infrastructure itself is on its own segment, so there's no need for firewalls between the servers themselves, but the whole subnet is firewalled by a border router.

A lot depends on how tightly you can lock down a server. On my *nix boxes, I tend to only run daemons with listening ports to the extent absolutely necessary. I have a LAMP server that basically has ports 22, 80 and 443 open, and everything else either shut down or set to listen only on 127.0.0.1. Do I really need to configure iptables?

Re:It Depends

[bleh-of-the-huns]

I disagree. The border is just one aspect, and your typical threats tend to be the result of intentional stupidity (employee systems), or internal maliciousness (soon to be ex employee). A border firewall will not help in this particular case. Additionally, depending on the users access, no firewall may help. My preference, is typically to setup every server with a default deny, permit IPSEC traffic only to and from the support components on the internal network. Then obviously open the business requirements to provide a server. Example, a Web server that connects to a DB and image processing server, port 80/443 open from external to DMZ web server (DMZ and Application zones are separate), all other incoming ports from external are blocked, your border router can cover this. Internally, default deny to everything, permit IPSEC, between Web Server, DB and Image processing server, as well as terminal/jump servers. Tunnel all communications over IPSEC between the servers. In that way, man in the middle attacks become almost impossible, there is no sniffing traffic if a user manages to get local segment access, If the system is compromised in some way (SQL injection, etc, assuming the services are not running as administrator), the servers cannot be used as a jump point to other servers and components in the network, and vice versa.... Call me paranoid.. but that is how I do things. Also, there is no additional cost (except system overhead, and that can be compensated for by crypto cards, or the new Intel AES CPU instruction sets on their current gen Xeons, and I am sure other procs) to running IPSec, it has been included on every Windows server since 2003, and for Unix, Raccoon is free and works just fine.

You are doing it wrong.

[Zero__Kelvin]

I think you are pretty confused. If you need to use enterprise level tools you use enterprise level hardware and network configurations. This means that, if you are going to use it you have a separate NIC for each node and an "Oracle Only" subnet. If you don't / can't do that, you are most likely using a tool for which there is no actual need. In other words, you're doing it wrong. Even in this case, you should certainly be blocking the unneeded ports in the 0 - 1000 range.