John P wrote:

> One benefit of an external firewall is to restrict outbound traffic. Some exploits attempt to make outbound connections, so having the control on a separate device will prevent these portions of the attack from working. If this control is implemented on the server itself, it could be circumvented when the server is compromised.

However, in this setup, how much extra protection can an external firewall give? The machines have to have open ports port-forwarded through any firewall (80/25/etc.), and I assume they would remain exploitable to buffer overflows, bug exploits, etc. I could restrict access to the other open system ports and services by turning them off, using ipchains/ipfilter, hosts.deny, etc. DoS situations would be difficult to protect against even with an external firewall.

What extra security will an external firewall actually provide? I suppose other nice features like VPN, etc., but what else? It's quite a busy site, so could ipfilter generate quite a lot of load, which could be shifted onto a dedicated firewall?
-paul
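The outbound-restriction point above (a default-deny egress policy enforced off-host, so a compromised server cannot switch it off) as an added example that is not part of the thread: a small allow-list for a single web/mail server, applied to constructed firewall log lines to show which outbound attempts an external firewall would drop and report. The log format, the server address and the allow-list are assumptions made for the example.

```python
# Added example (not from the thread): an egress allow-list for a single
# web/mail server, applied to constructed firewall log lines to show which
# outbound attempts a default-deny outbound rule would block and report.
import re
from dataclasses import dataclass
from typing import List, Optional

SERVER_IP = "192.0.2.10"  # constructed documentation address for the server

# Outbound connections the server legitimately initiates: (proto, dst_port).
# Anything else originating from SERVER_IP is denied and reported.
EGRESS_ALLOW = {
    ("tcp", 25),   # SMTP relay to other mail servers
    ("udp", 53),   # DNS
    ("udp", 123),  # NTP
}

# Assumed log line shape (constructed for this example, not a real firewall's).
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Verdict:
    proto: str
    dst: str
    dport: int
    allowed: bool

def evaluate(line: str) -> Optional[Verdict]:
    """Return a verdict for an outbound attempt from the server, None otherwise."""
    m = LOG_RE.search(line)
    if not m or m["src"] != SERVER_IP:
        return None  # malformed, or not traffic originated by the server
    proto, dport = m["proto"].lower(), int(m["dport"])
    return Verdict(proto, m["dst"], dport, (proto, dport) in EGRESS_ALLOW)

def denied_egress(lines: List[str]) -> List[Verdict]:
    """Outbound attempts the external firewall would drop under this policy."""
    return [v for v in map(evaluate, lines) if v is not None and not v.allowed]

# Constructed sample log lines.
SAMPLE_LOG = [
    "proto=tcp src=203.0.113.20:51000 dst=192.0.2.10:80",    # inbound, not judged
    "proto=tcp src=192.0.2.10:40123 dst=198.51.100.5:25",    # mail relay, allowed
    "proto=udp src=192.0.2.10:40124 dst=198.51.100.53:53",   # DNS, allowed
    "proto=tcp src=192.0.2.10:40125 dst=203.0.113.7:6667",   # unexpected, denied
    "proto=tcp src=192.0.2.10:40126 dst=203.0.113.9:80",     # unexpected, denied
]

if __name__ == "__main__":
    for v in denied_egress(SAMPLE_LOG):
        print(f"DENY {v.proto} {SERVER_IP} -> {v.dst}:{v.dport}")
```

Inbound connections to the published ports (80/25) are untouched by this rule set; only connections the server itself opens are judged, which is the portion of an attack the quoted message says an off-host control can stop.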