Slashdot Mirror
Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?
An anonymous reader writes: I do some contract work on the side, and am helping a client set up a new point-of-sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup, the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.
So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
Everything is Fine.
Is stupidity common? Yes. Yes it is.
In my experience, the stupid people tend to get fired eventually. But the mess they leave behind can be tremendous.
Not just because plenty of things are run by stupid people, but also because otherwise smart people can have pretty damned important blind spots. And other IT people have been talked out of it by their clients just like you're letting happen.
Whether it's common or not has no bearing on whether it's a good idea.
The only question you need to ask them is weather they're willing to accept the quantified risks from having exposed systems.
It sounds a little like you're trying to just fling a firewall at the system and improve some sort of objective security metric.
What threats are you risks to mitigate with the firewall? What threats will it help guard against?
They don't come for free, and configuring them don't come for free.
I've set up networks where the server infrastructure itself is on its own segment, so there's no need for firewalls between the servers themselves, but the whole subnet is firewalled by a border router.
A lot depends on how tightly you can lock down a server. On my *nix boxes, I tend to only run daemons with listening ports to the extent absolutely necessary. I have a LAMP server that basically has ports 22, 80 and 443 open, and everything else either shut down or set to listen only on 127.0.0.1. Do I really need to configure iptables?
The world's burning. Moped Jesus spotted on I50. Details at 11.
As soon as they start handling credit card transactions, they will need to conform with PCI standards, which will mandate much much higher levels of protections. There are significant fines associated with non-compliance so you may want to forward them over information about this.
The key is to only ever run the services that are absolutely needed, carefully configure these and keep them up to date. If you follow that advice a firewall is an added level of security but not necessarily needed.
The problem with this battle is that you're a contract worker. So if reasoning/persuasion doesn't work, then you're only options are to end the contract, or fulfill your obligation.
Keep documentation that shows that you brought up the problem, and were rejected. Bake in language on subsequent contracts that give you an out under these types of scenarios, and move on.
If someone is unwilling to listen to reason, is in a position of power, and there's no laws that they are breaking, then that pretty much gives you all of the information you need to know about your options! Just learn to stop worrying and love the bomb.
If your database is in a trusted network zone, it's fine.
If you have a bunch of assets outside the corporate firewall, you're doing it wrong. These belong behind a DMZ firewall, blocking any ports not strictly necessary, possibly with PNAT and coalescence (i.e. an FTP, Web, and Mail server, natted to the same address, ports 80, 443, 25, 21, and FTP PASV going to different addresses behind that).
Within that DMZ, servers provide whatever services they're going to. MySQL on port 3306 will provide MySQL on port 3306; if you add a local firewall, you will have a firewall that blocks all non-listening ports and leaves port 3306 open, so no difference. If you're worried about ssh, use an IP console card (DRAC, etc.) on a separate subnet, or put the database servers behind another firewall. It is, in fact, common to create trust zones for front-end, application, and database, such that i.e. your Web servers connect through WSGI to a CherryPy application, which connects back to a Database, through a firewall in each step. You can do this with vlans and broken-down subnets, one switch, and one firewall.
You have to consider everything when you design secure network architecture.
Support my political activism on Patreon.
Or bandwidth. Or visitors. Or intern-connections. There's a lot of room for serious damage from a lack of security, and not all of it is data theft.
People using your server as a spambot is bad.
People infecting your sites visitors with malware is bad.
People jumping to a different, more secure system from your server is bad.
We tend to notice the data theft issues most these days, because a lot of companies keep a lot of sensitive data, so a Target credit card hijack is tremendously bad and newsworthy.
But that doesn't mean other classes of security risk don't exist.
Sorry to barge in like this.
Oracle does not have issues with firewall. A proper firewall will allow a specific program to monitor a range of ports.
Ex.
Open port 80 system wide.
Open ports 40000-65000 for sqlserver.exe TCP and UDP.
You may have multiple listener processes, it takes a few moments and some research but in the end, you ensure the door is opened only for the ports and processes you want. This blocks the door for ports and processes that may be vulnerable thru bugs.
It's not perfect, nothing is. But it's better than staying opened.
Will you get hit if you don't, not necessarily but what if you do??? How much is your data worth? Restore time and data lost since that last restorable backup? What? You don't have a backup or have not tested your restore recently... (excuse me while I rotfl).
Sorry for the nasty punts, but let's face it, the day you get hit. I will say the same thing as today. Rather you hear it today, it's cheaper for you and if I helped in anyway, I'll be glad to not laugh later. I do go see humour shows, I don't need this for entertainment.
Good luck, and best of chances either way you go.
There are lots of different risks that must be considered when securing a network or system. In my many years of securiy architecture, I've found it make the most sense to create a risk assessment.
Threat x Vulnerability x Impact = Risk
Once you have defined the risks, you can define the best protection method to reduce each risk.
Application firewalls may not be the best protection method depending on the rest of your network security controls. If you have strong network firewalls and every device that connects to the network must be authenticated (and scanned for viruses) before its given an IP address, an application firewall may not reduce much risk. If it doesn't reduce much risk, it may not be necessary.
In business, security is like insurance. You have to justify how much to spend, based on how it will protect us if something bad happens. Further, you have to make sure that whatever the security control is, it doesn't interfere with what the business needs to function. If the database cannot function with a firewall, a firewall is not the best protection method and other options should be considered (Network Intrusion Prevention systems, Data Protection [encryption/tokenization/hashing], Anti-Virus, File Integrity Monitoring, etc). There are many tools available to security professionals today. A firewall is a good tool, but not the only tool... depending on the situation, it may not even be the right tool.
Get a life, not a lifestyle. - Hikem Bey
After 4 weeks of oracle training, the advice from the oracle trainer was that oracle simply doesn't play well with firewalls. I'm not a DBA (thankfully), but that's from their actual instruction.
Exactly. Too many people (both businesses and home users) say "Well, I don't have anything that 'those hackers' would want so why bother with protections?" The thing is, though, you DO have something they want. At the very least, a home user has bandwidth. If a malware author hijacks a computer, he can use it to pump out tons of spam. The user might notice an annoying slowdown but otherwise wouldn't know what was up. In the case of businesses, infecting your customers with malware (due to being hacked) or your site slowing down to a crawl (because it is a spam bot and is spending precious resources spamming people) is a sure method to lose customers. I'd wager that the money "gained" by not doing a proper firewall network is more than lost by the "lost sales" of customers fleeing after the servers have been hacked.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Don't be a muppet. Limit the spread of malware on your network as much as possible by only opening things that need to be open, to places they need to be open to. There is ZERO reason, for example (plucked at random to illustrate a point), for your end user PC network being able to directly connect to SMB on your SQL server, for example.
Yes, in theory they need credentials to do that. But why leave it open to anyone who obtains credentials when you can be more pro-active about defending the box?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.
I suggest you relegate the 'is this common' question to a discussion after hours over a beer.
Your real issue is security. I would want to schedule 2 different meetings, preferably with everyone attending in person. The first is a prep meeting with your client and their legal counsel to discuss your concerns, review the contract language that is being referenced by the vendor, and what liability the vendor has if the machine is compromised due to the vendor required there be no software firewall.
The second meeting would be with your client, their legal counsel, and the vendor.
FYI, oracle requires ports from 1024-65535 to be open for any client. 1521 is only used for initial setup dialog. This also forks a new oracle process, which gets its own socket. Afterwards, as stated above, this information is sent back to the client which reconnects on the new socket. This oracle doc explains what I am talking about: https://asktom.oracle.com/pls/...
How about this: If you find yourself needing a firewall, your system design has already failed. Every single system should assume actively hostile environment.
I can only repeat your original subject.
I think you are pretty confused. If you need to use enterprise level tools you use enterprise level hardware and network configurations. This means that, if you are going to use it you have a separate NIC for each node and an "Oracle Only" subnet. If you don't / can't do that, you are most likely using a tool for which there is no actual need. In other words, you're doing it wrong. Even in this case, you should certainly be blocking the unneeded ports in the 0 - 1000 range.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Application support always says to turn off everything that might possibly interfere with their precious application. They would have you shut down the operating system if they didn't need it. Application support lives in a fairy land where the only thing they have to worry about is their application. They don't have to fix anything if the application isn't broken. They have no interest in anything else. A good vendor will program their application to work with the system standards. Most ISVs are not good vendors.
As a system or network admin, you have to protect the application from the rest of the network and protect the rest of the network from the application and protect everything from the users and the Internet. Part of doing that is firewalling the crap out of your core network, and if you can't do that you should be looking at adding more VLANs and controlling traffic that way.
The road to tyranny has always been paved with claims of necessity.