Benefit of having a separate router / FW?

P1x3L

If you want top security and performance - and you have Linux as your host OS - then what's the benefit of having a separate OpenBSD box or enterprise networking gear for firewall & routing? Say we have a gigabit internet connection. I'm thinking, why not just iptables (UFW) on the host with gigabit directly into it... Less electricity, same security, less latency, anything I'm missing?
Thanks.
 
Sure, but then you're essentially limited to having only a single host be able to utilize the ISP connection. And who only has a single internet-connected device in their home anymore?

OK, technically you could set up the one host to provide routing/NAT for the rest of the location, but then you're reliant on a system that is a multi-purpose end-user system to reliably provide 24/7 connectivity to all other devices. I know I wouldn't trust the typical Windows box to do this (damn thing won't even honor the update/restart window I've set). And with the user constantly interacting directly with the PC/router, it's much easier to compromise the entire network (malware/viruses, ransomware, "Windows Support" calls, etc.).

Also, I prefer the device on the edge of my network to be as narrowly focused on networking/security as possible. A dedicated device, in theory, has a much smaller attack surface than a PC running all sorts of services in support of the user's interactive needs. Also, whenever possible I like to have any systems that have important info/access on them not sitting on the edge.

Lastly, I've always preferred simpler, dedicated devices over larger, more integrated ones.
 
Bad idea. That means your host has to be publicly accessible to the entire Internet. A separate box allows for specialized security configurations. Physical separation is always going to be more secure. Separate devices give more flexibility for changes, and if something goes wrong, you don't have a catastrophic failure, just one component.

Basically, if you value security and reliability, get a separate box. If you absolutely must integrate the box, use a VM with physically dedicated Ethernet connection, but it is still a bad bad idea to mix your corporate server with your firewall.
The benefits you are looking for are not that great. A dedicated appliance will not use much electricity - if you need a firewall box that requires any electricity that will make a difference, you absolutely won't be mixing that with your main server.
It is not the same security, as I've briefly mentioned above.
Latency isn't going to be a concern. There will not be any noticeable difference with the additional network hop to Internet traffic. Besides, the overhead you put on your main server of adding firewall capabilities will cause as much if not more reduction in performance.

Now, if you are talking about a single desktop computer connecting to the Internet, that's a different story. Still better to have a separate firewall appliance, but not as critical.
 
Ideally you would use both. Network protection does not preclude host protection. A layered defense is best, as nothing is foolproof. These days you need to be more worried about compromised internal hosts than external attacks on servers. Trying to protect a server from external attacks while not inspecting your internal traffic is a short ticket to data loss or theft. Layered protection is your friend. Also, iptables is woefully lacking as your only defense.
 
Despite what the Linux fanboys often claim, there are malware and exploits that target Linux-type OSes. And even the best administrator can have an "Oh Crap" moment when they click on the wrong icon or type in the wrong command. Best if that moment only compromises one of your internal boxes instead of your edge security device.

Once properly configured, an edge device rarely needs much attention. An occasional update or rule tweak. So a far lower chance of the oh crap moment. And you can usually configure the logs to write to an internal volume that is part of your backup process in case you need to track where a breach happened.
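As an added example (not code from this thread or from any poster), a small Python script that works over the kind of firewall logs the paragraph above says to keep: it assumes iptables LOG lines with a constructed "FW-DROP" prefix and eth0 as the WAN interface, and separates port sweeps hitting the edge from an internal host that keeps retrying a blocked outbound connection, which is the "compromised internal host" case raised earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the kernel writes for an iptables LOG rule
# with --log-prefix "FW-DROP " (assumed prefix; eth0 assumed WAN, eth1 assumed LAN).
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41234 DPT=22 SYN
Mar  3 10:01:13 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41235 DPT=23 SYN
Mar  3 10:01:14 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41236 DPT=3389 SYN
Mar  3 10:02:30 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.44 LEN=52 PROTO=TCP SPT=50022 DPT=3333 SYN
Mar  3 10:02:31 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.44 LEN=52 PROTO=TCP SPT=50023 DPT=3333 SYN
Mar  3 10:03:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 LEN=40 PROTO=UDP SPT=5353 DPT=5353
"""
LOG_RE = re.compile(
    r"FW-DROP IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the fields of one LOG line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

def summarize(log_text, wan_if="eth0"):
    """Split drops into probes arriving on the WAN side and forwarded egress from LAN hosts."""
    external = {}          # src -> set of edge ports it touched
    internal = Counter()   # (src, dst, dpt) -> blocked outbound attempts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["in"] == wan_if and not rec["out"]:
            external.setdefault(rec["src"], set()).add(rec["dpt"])
        elif rec["out"] == wan_if:
            internal[(rec["src"], rec["dst"], rec["dpt"])] += 1
    return external, internal

def flag_suspects(log_text, wan_if="eth0", min_ports=3, min_repeats=2):
    """External sources sweeping several ports, and LAN hosts retrying one blocked destination."""
    external, internal = summarize(log_text, wan_if)
    scanners = sorted(s for s, ports in external.items() if len(ports) >= min_ports)
    beacons = sorted(k for k, n in internal.items() if n >= min_repeats)
    return scanners, beacons
```

On the constructed sample, the sweep of ports 22, 23 and 3389 from 203.0.113.7 is reported as a scanner, and the LAN host 192.168.1.20 retrying port 3333 on one external address is reported as a beacon, while the single UDP drop is ignored.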
 
Once properly configured, an edge device rarely needs much attention.
That's a solid "kinda". For home use, if you have nothing exposed to the world, then I can sorta understand that perspective. You'd still be missing out on critical updates if you don't give it much attention, but the damage from the internet would largely be mitigated. The problem is, of course, that most attacks are going to be from the internal compromised hosts, but I guess at that point a vulnerable FW isn't really a high priority.

For anything else, however, edge devices absolutely need constant love and attention. You need to keep up on the patches, keep an eye on the logs, modify the config to react to various threats, etc., etc. It can be a daily activity for even a moderately small business.
 
Ideally you would use both. Network protection does not preclude host protection. A layered defense is best, as nothing is foolproof. These days you need to be more worried about compromised internal hosts than external attacks on servers. Trying to protect a server from external attacks while not inspecting your internal traffic is a short ticket to data loss or theft. Layered protection is your friend. Also, iptables is woefully lacking as your only defense.

Can you list the stuff you recommend using in addition to iptables?
 
Hard/impossible to suggest a product without knowing exactly what you're trying to protect. That said, I think you missed my point entirely.

I thought you were implying that iptables wasn't enough for any case... So in whatever hypothetical, I thought you'd list out the areas not covered.
 
Despite what the Linux fanboys often claim, there are malware and exploits that target Linux-type OSes. And even the best administrator can have an "Oh Crap" moment when they click on the wrong icon or type in the wrong command. Best if that moment only compromises one of your internal boxes instead of your edge security device.

Once properly configured, an edge device rarely needs much attention. An occasional update or rule tweak. So a far lower chance of the oh crap moment. And you can usually configure the logs to write to an internal volume that is part of your backup process in case you need to track where a breach happened.

Yup, I've had Monero miner malware infect an outdated CentOS machine on my network.
 
This question is akin to asking something like "I have a bicycle, but I've seen other bicycles out there, do I need to get another bike?" The lazy people will say, nope, you have a bike, you're good. The bad salesman will say of course, and sell you the most expensive thing he can. The expert will say, well, let's look at your bike... what can it do? Now can you tell me what you want to do with your bike? If you want to ride in the hills, but currently have a street bike... you'll need another bike, and vice versa.

Point is, without evaluating what you want and what you have, you're not going to be in the best place. Can you take a 10-year-old street bike down a mountain trail? Sure... it could work. But it's not going to be as efficient, and most likely will break much sooner than if you had a proper mountain bike.
 