|Is a hardware firewall necessary for colocated servers?|
Is a hardware firewall necessary for colocated servers, or will Shorewall (
Currently our colocated servers are behind a hardware firewall which is heavily locked down. I'm thinking of moving elsewhere, and the new hosting firm (a large and well-regarded one, as far as I can tell from research so far) say they can't provide the same level of protection as our current setup. They can rent us a firewall of the sort which would be OK for an office DSL connection, but not suitable for busy servers, and they tell me I can of course purchase my own and colocate it with them.
Having looked into this, the Barracuda Website Firewall Model 360 seems about right for our needs. However, it's pretty expensive. It's not just the cost of the hardware (which is plenty in itself) but also the ongoing software updates, which are obviously necessary, and the cost of initial setup and commissioning - also pretty well mandatory, as no-one here has a clue how to set up one of these things, and a configuration error, such as for example blocking all spiders, would be somewhat disastrous.
Although I'd hate to share our SQL data with someone I don't know, and who quite possibly does not have good intent, there's nothing on the servers which could be used for immediate gain, such as card numbers or bank details. However, the servers being 'up' is vital to the business as revenue would dry up if they weren't.
I'd be grateful if anyone with insight on this subject could give me a few clues to help me decide whether to write the big cheque, or go with shorewall (or something similar) instead.
The question you haven't answered is if your server is windows or linux. Most windows boxes sit behind a hardware firewall. Many/most linux boxes don't sit behind a firewall - firewalling is built right into linux. My webserver isn't behind a hardware firewall, it's inherent right in the server OS.
In fact - don't do this at home - you can create a firewall by installing Linux on a spare computer and setting it up to monitor and guard the traffic.
So if you're running Linux, go find yourself a Linux consultant to lock down your box. Two or three hours and you should be fine - if not better than most hardware firewalls.
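As an added illustration of what "firewalling built into Linux" looks like in practice (this is example code, not something posted by the answerer or shipped with Shorewall), here is a minimal default-deny host ruleset for a public web server, written as an iptables-restore file generated from a shell script. The admin address 203.0.113.10, the SSH port 2222 and the backup path /root/iptables.rollback are assumptions; change them to match your own setup. The timed rollback in `safe_apply` is there for exactly the worry raised in the question: a mistake that blocks your own session undoes itself instead of requiring a trip to the data centre.

```shell
#!/bin/sh
# Example (not from the original thread): default-deny INPUT ruleset for a
# Linux web server. Only 80/443 are public; SSH is reachable solely from the
# management address, on a non-standard port, with a connection-rate limit.
# ADMIN_IP and SSH_PORT are assumed values for illustration.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SSH_PORT="${SSH_PORT:-2222}"
BACKUP="${BACKUP:-/root/iptables.rollback}"

# gen_rules: print the ruleset in iptables-restore format on stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_IP} --dport ${SSH_PORT} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# ruleset_allows PORT: succeed if the generated ruleset contains an ACCEPT
# rule for TCP traffic to PORT. A grep-based sanity check for review and
# testing, not a full packet evaluator: anything not matched falls through
# to the INPUT DROP policy.
ruleset_allows() {
    gen_rules | grep -q -e "--dport $1 .*-j ACCEPT"
}

# safe_apply: parse-check the ruleset, save the running rules, schedule a
# rollback, then load. If your SSH session survives, cancel the rollback
# with the printed kill command; if it does not, the old rules return in
# 120 seconds. Needs root and a recent iptables (--test is iptables >= 1.6.2).
safe_apply() {
    iptables-save > "$BACKUP" || return 1
    gen_rules | iptables-restore --test || {
        echo "ruleset failed to parse; nothing changed" >&2
        return 1
    }
    ( sleep 120 && iptables-restore < "$BACKUP" ) &
    rollback_pid=$!
    gen_rules | iptables-restore
    echo "applied; if you can still log in, run: kill $rollback_pid"
}

# Usage: sh firewall.sh          -> print the ruleset for review
#        sh firewall.sh apply    -> load it with the timed rollback
if [ "${1:-}" = "apply" ]; then
    safe_apply
fi
```

Shorewall's `policy`, `zones`, `interfaces` and `rules` files compile down to a ruleset of the same shape; the point of showing the raw form is that there is nothing a modest appliance does for a single server that this does not, provided the box also gets its OS and application patches, which is the part no packet filter covers.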
I've used Cisco/SonicWall/WatchGuard firewalls with success. A key issue is throughput, use of IPsec or VPN, and other features. I only know Barracuda for their spam appliances.
Also, if you are moving to a dedicated server provider, check around. I work with dozens of them and some do provide robust firewall solutions on a turn key basis.
Another consideration between the hardware/software question is that with vendors like cisco/watchguard/sonicwall you get support. This could be critical if that firewall goes on the fritz and you have to send someone to the data center to fix it.
There are many iptables based firewalls out there that run on Linux. Finding the one that best meets your needs will require some research.
I use FreeBSD. I have my box SO locked down that nothing can get in but me.
IPFW is your initial best friend... you can block whole areas (China, Russia) that can cause problems. If you don't need it... or don't want it public, shut it down. Don't EVER run Telnet, and you can move SSH and FTP (if needed, otherwise close it down!) to non-standard ports. Then you can use something like port sentry to close down anyone sniffing at what they think is your telnet port.
My box ONLY has 80 showing to the web, and that is firewalled by IPFW. I would not say I am totally impervious- you still have to keep up on vulnerabilities (like SQL baiting), but I sleep well at night!
Oh, and ALL this is free on FreeBSD. I would think similar things are available on other flavors of LINUX.