Tek-Tips is the largest IT community on the Internet today!


securing my webserver

Status
Not open for further replies.

mjscrmpm

MIS
Jul 15, 2003
18
US
hello all,

my webserver has 2 NICs, one for the WAN and one for the LAN. i need to implement a hardware firewall solution for this webserver. this box i'm assuming will sit between my T1 router and my WAN card. is the Cisco Pix a good device for this usage? would i simply block all incoming traffic except for 80 and 8080? (443 if we decide to go SSL too)

i'm *not smart* about webservers and firewalling, etc. i was against bringing this project in house, so no soapboxing please ;-)

thanks for the help!
 
/me dusts off soapbox :)

For just protecting one box a PIX seems like overkill. To use a Pix in the setup you've described I'd put it between the whole network and the T1 router and have the webserver coming off a separate interface on the Pix in a DMZ. (Sorry that is a bit soapboxy)

For a hardware solution for just one system you could put CheckPoint Firewall on a dual-NIC box and put it between the WAN card and the router. If you've got the knowledge there are a good few Linux firewalls you could use instead: Mandrake has Multi network firewall (with a GUI if you like that sort of thing). Most Linux systems have netfilter on them, which can be used. Actually if you know how to do a Linux firewall you don't need me to tell you this :)

As soapboxy and rambling as it was I hope this helps.
 
overkill is not a concern =)

they are expecting to pay up to $1000 for whichever box is the best solution. i don't make money off hardware so don't suggest a cheap box and pocket the rest ;-)

i like that Pix is an OS-inspecific system, therefore threats aimed at particular OSes won't affect it.
 
PIX 506e might fall in that price range. I would suggest you use it for your entire LAN and not just the webserver.

Sample Diagram...

T1 Router
|
PIX
|
Inside LAN
| | |
PC1 PC2 Webserver

Do PAT for all PCs on your PIX, and a NAT translation for your webserver. You'll only need one public IP, and you can do it all with the PIX.
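
The PAT-plus-one-public-IP layout suggested above, written out as a PIX configuration fragment (an added example, not posted by anyone in the thread). It assumes PIX 6.x command syntax; the addresses (203.0.113.2 outside, 192.168.1.0/24 inside, webserver at 192.168.1.10) and the ACL name outside_in are constructed for illustration.

```cisco
: Constructed addressing: one public IP on the outside interface
ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0

: PAT: every inside host shares the outside interface address outbound
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

: With a single public IP the webserver "NAT translation" has to be
: per-port redirection, so only the listed ports ever map to it
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.10 8080 netmask 255.255.255.255
: Add the https lines only if the site moves to SSL
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255

: Inbound policy: permit only the published ports; the ACL's implicit
: deny drops everything else arriving on the outside interface
access-list outside_in permit tcp any host 203.0.113.2 eq www
access-list outside_in permit tcp any host 203.0.113.2 eq 8080
access-list outside_in permit tcp any host 203.0.113.2 eq https
access-group outside_in in interface outside
```

In this layout the webserver shares the inside segment with the PCs, so nothing on the PIX separates them from each other; the DMZ interface suggested earlier in the thread is what provides that separation.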
 