[sclug] Bugzilla server

Alex Butcher lug at assursys.co.uk
Tue Jan 17 12:03:25 UTC 2006


On Tue, 17 Jan 2006, Neil Owens wrote:

> I've been tasked with getting an internet facing Bugzilla server on Redhat
> up and running pronto(ish).  I've not put a Linux server on the web before
> (I generally work with software from the Dark Side :-) and was wondering if
> the server *needs* to be behind a firewall or not.

Ideally all Internet hosts *should* really be able to defend *themselves*,
but back in the real world some independent device serving the role of a
firewall is a sensible precaution providing a redundant layer of security
(i.e. if one layer fails, the second and subsequent hopefully won't be).

Note that a firewall is a generic term, and doesn't necessarily imply some
expensive piece of 'enterprise' software (I'm looking at you, FireWall-1).

In this particular case, you have two potential avenues of attack from
Internet hosts:

i) Attacks against services that probably shouldn't be running, and
certainly shouldn't be exposed to the Internet at large - cups, sunrpc,
sshd, telnetd, ftpd etc. If you disable these services on the host (part of
a process known as 'hardening'), then they cannot be exploited, and so no
firewall is necessary to protect them. However, due to administrative
oversight, they may become accidentally re-enabled at some point in the
future, and an IP firewall (be it a Linux box enforcing a security policy
using iptables/netfilter, a BSD box doing the same using ipf, a Linux-based
firewall distribution such as Astaro, or an enterprise product like
FireWall-1) is a useful layer to add. Note that all the solutions mentioned
essentially perform the same job here, so pick the one you're most
comfortable administering within the bounds of your budget.

ii) Attacks against the exposed service - i.e. Bugzilla/Apache. None of the
above mentioned products really do much in the way of looking for attacks
targeted at Bugzilla or Apache. Note, though, that FireWall-1 does feature
'Application Intelligence' which may provide some defense against this class
of attacks. I believe this is an extra cost optional license feature (but
it's been a few years since I've had anything to do with FW-1), and I'm not
at all clear on the specific attacks it mitigates. Looking at
<http://www.checkpoint.com/appint/appint_application_layer.html>, I don't
see anything that a) applies to Apache rather than IIS and b) cannot be
mitigated using a 'reverse proxy' implemented using Squid, for example
(<http://www.sans.org/rr/whitepapers/webservers/302.php>). You
could also look into Intrusion Prevention Systems (IPS), but you may find
that they are too error-prone to be useful. I wouldn't spend any money on an
IPS until you've had a play with snort-inline to see whether it's useful in
your environment.

> And if I really do need a firewall, any advice on whether I'd be better off
> with a 'free' software based one (IPCop, Smoothwall) or really splash out on
> something like Firewall-1

Aside from the above, the only other thing an expensive FireWall solution
buys you is CYA - "Cover Yer Arse"; depending on your management, you may
find it politically useful to be able to say "well, I recommended we buy
widely-recognised market leading product X" - both in the event of a
compromise when you've been forced on budget grounds to use something free
or cheap, and in the event of a compromise that managed to get through a
"best of breed" firewall (even if you and I know it isn't really anything
special :).

> Any thoughts appreciated.
> Neil

HTH,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                      Need reliable and secure network systems?
PGP/GnuPG ID:0x5010dbff                         <http://www.assursys.com/>
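
Point (i) in the message above turns on services being accidentally re-enabled after hardening. The following is an added example, not part of the original post, of a check that reports listening TCP sockets reachable from other hosts that are not on an allowlist. Assumptions: only ports 80 and 443 should be exposed, input is in `ss -ltnH` format, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that other hosts can reach but
# that are not on the allowlist for a web-only server.
# Assumption: only 80 and 443 should be exposed (not stated in the post).
ALLOWED_PORTS="80 443"

# Constructed sample in `ss -ltnH` format: State Recv-Q Send-Q Local Peer
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 64 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:21 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
EOF
}

# Reads ss-style lines on stdin and prints "addr port" for each unexpected
# exposed listener, sorted by port. Loopback-only binds are skipped because
# remote hosts cannot reach them.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (!(port in ok)) print addr, port
    }' | sort -k2,2n
}

# Returns 1 when anything unexpected is exposed, so cron or a monitoring
# system can alert on it; findings go to stderr.
audit() {
    found=$(unexpected_listeners)
    [ -z "$found" ] && return 0
    echo "$found" | sed 's/^/unexpected exposed listener: /' >&2
    return 1
}
```

On a live host the input would come from `ss -ltnH | audit`; with the constructed sample, `sample_listeners | audit` reports ports 21, 22 and 111 and ignores the loopback-only listeners on 631 and 25.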

