> If there are perimeter and internal firewalls in the DMZ, should the firewalls on the servers still be enabled? Such as web servers and database servers.

That depends on your company's policy. I've worked for companies that insisted a local firewall must always be enabled, and I've worked for companies that don't.

> It is really a matter of company policy. IMHO if there is a proper security policy on the firewalls then the systems should not be running any type of local firewall. Stateful inspection always adds some extra burden to a server.

I agree with your opinion.

> If another box is penetrated within the same LAN, then having firewalls on other servers/workstations potentially limits propagation.

...or within any LAN that is not explicitly isolated from the LAN that has the compromised system...

> Best practices would dictate that every server have a firewall. Not doing this gives you a shell defense with no protection against an internal threat (which is the most likely threat, actually).

You typically poke a lot of holes in a local firewall or else the server is pretty much useless. So a firewall isn't going to protect you here, it just adds to the complexity without adding much security.

> You typically poke a lot of holes in a local firewall or else the server is pretty much useless. So a firewall isn't going to protect you here, it just adds to the complexity without adding much security.

You don't if you are doing it right, and if you have designed for security. You will open only those ports you need for the server to function. And the server functionality will be limited and/or isolated depending upon its function. Thus, the vulnerability of the server is limited to vulnerabilities of the software that uses the open ports. And, of course, you keep your server patched up-to-date, naturally. You do, don't you?

> You will open only those ports you need for the server to function.

I only enable services that are needed for the server to function. Services open ports. This isn't Windows where there's a million and one (unrelated) services required to be running.

> and the vlan the web server is on is not allowed to talk to the vlan the database server is on

And how is your dynamic website supposed to get its data if it's not allowed access to the database? If it's allowed access to the database you're already opening yourself up for SQL injections. A firewall, local or otherwise, isn't going to change that. Neither is splitting the database servers off on their own VLAN. The website needs access to the database and you'll have to deal with that, i.e. poke holes in firewalls.

> And how is your dynamic website supposed to get its data if it's not allowed access to the database?

That seems to be a common poor design/build approach. Web site based apps pulling data from the main database should be managed. Typically web site data volumes are low and the design/build can control that. Larger/broader data accessing should be internal - made on the same LAN as the database, isolated from 'outside'. Otherwise, if a web facing app can pull the entire database then sooner or later it could be pulled externally by someone not intended to have such extensive data content.

> Otherwise, if a web facing app can pull the entire database then sooner or later it could be pulled externally by someone not intended to have such extensive data content.

Well, it could be worse. It could use MySQL's root account for this. Wouldn't be the first web application. But never on my watch; the first developer that suggests I put that into production gets free flying lessons from the top floor of the building.

> This isn't Windows where there's a million and one (unrelated) services required to be running.

Then you are artificially limiting the discussion. OP asked whether firewalls on servers should be enabled. He did not restrict it to just *nix servers. And even so, those services needed for the server to work are limited by the number of functions the server handles. Generally, from the perspective of security, the server should handle fewer functions in order to limit risk. How practical this is...just depends. There is always a compromise involved, but the more critical the data is the less you should be willing to compromise.

> And how is your dynamic website supposed to get its data if it's not allowed access to the database? If it's allowed access to the database you're already opening yourself up for SQL injections. A firewall, local or otherwise, isn't going to change that. Neither is splitting the database servers off on their own VLAN. The website needs access to the database and you'll have to deal with that, i.e. poke holes in firewalls.

Well, that depends on the data that is in the database and how you have distributed and segregated your data to enhance security, now doesn't it. And, to the extent you must allow web access to sensitive data, you still gain considerably by having that database on a different server, on a different vlan (with vlan-vlan access only for a small number of specified ports and to/from specified machines). If it shares the server that is the webhost, and I crack that webhost, then I have gained full access to that data. If the data is on a different server than the webhost, and I crack the webhost, I may have access to a port that has access to the data but I still have to deal with the security protocols on that separate server; I do not have full access to that data and (depending on the security protocols between the two boxes) I might not have ANY access until I take further steps. Since it is on a different vlan, has a firewall, and my access is controlled by the router that controls the vlans, I can't just start scanning it to figure out how to break into it.

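The design argued for in the two posts above (open only the ports the server needs; database on its own VLAN, reachable on a small number of ports from specified machines only) maps onto a default-deny host ruleset like this one. It is an added example, not code from the thread; the web server address 10.0.2.10, the management network 10.0.9.0/24, MySQL on tcp/3306 and SSH on tcp/22 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for a
# database server on its own VLAN. Assumed: one web server is allowed to
# reach MySQL (tcp/3306), SSH (tcp/22) is allowed only from a management
# network, and everything else arriving at the host is dropped and logged,
# so a compromised neighbour on the LAN cannot scan or reach other services.

db_host_ruleset() {
    web_ip="$1"       # the single web-tier host allowed to talk to MySQL
    mgmt_net="$2"     # where administrative SSH sessions originate
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        # only the web tier, only the database port
        ip saddr $web_ip tcp dport 3306 accept
        # administration only from the management network
        ip saddr $mgmt_net tcp dport 22 accept
        # record what the perimeter let through but this host refused
        limit rate 5/minute log prefix "db-host-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Self-check: count the accept rules that name a source address, i.e. the
# number of inbound flows the ruleset actually opens (expected: exactly 2).
count_allowed_flows() {
    db_host_ruleset "$1" "$2" | grep -c 'ip saddr .* accept'
}

# Usage: db_host_ruleset 10.0.2.10 10.0.9.0/24 > /etc/nftables.conf
#        nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

The `nft -c -f` step syntax-checks the file before loading it, so a typo does not leave the host with no ruleset at all.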
> Therefore, you design your systems for security. Segregation and separation.

I fully agree with that. I just don't think local firewalls add anything and may actually give you a false sense of security. There are a lot of 'manager' type people out there that think a 'firewall' is some magical piece of kit that protects them from the bad guys.

> I fully agree with that. I just don't think local firewalls add anything and may actually give you a false sense of security. There are a lot of 'manager' type people out there that think a 'firewall' is some magical piece of kit that protects them from the bad guys.

Quite obviously, lots of manager type people simply don't understand the issues. If they did, then we wouldn't be seeing what we are seeing in the world today.