Thinking about hosting my own web server. Is there any reason that I shouldn't?

Comments

  • DevilWAH Member Posts: 2,997
    dustinmurphy wrote: »
    The best you can do is just try. ;) Although to ME, it was too big of a pain to deal with hosting my own server... it was fun figuring out how to set it up. I just wanted to warn you that it's possible that you will not be able to hit it from the outside. After I learned how to admin Exchange, I wanted to set up my own mail server... but alas... it was blocked. It's also possible that they have removed the blocks by now. I haven't tried in a few years. As I said before... use a machine that you can handle being compromised. Do what you can to isolate it from the rest of your network (with most home networking, it's virtually impossible...)... that way if it IS compromised... you don't lose personal information. ;)


    From knowing nothing about networking it would take maybe an hour to figure out if your network is blocked, and even if it is you will have learnt something useful about networking in the meantime. If you know about networking it takes about 5 minutes.

    Simple steps:

    1. Open up port 80 on your home firewall and direct it to one of your PCs (the PC may need port 80 unblocked too in its own firewall).
    2. Look up a port checking web site and check to see if it is open.

    If it's open, like other people have said, use it; no ISP will mind as long as you don't abuse the system. If traffic does start to get high, they don't cut you off overnight; they will discuss it with you and give you plenty of time to either upgrade to a better service or migrate your site to online or other hosting.

    Also it is not "virtually impossible" to make a home network secure. Most home routers come with the ability to create a DMZ zone, and even if they don't it is quite easy to separate your server from the rest of your home network. Security of a home network or small office is much simpler than for enterprise networks.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • jibbajabba Member Posts: 4,317
    dustinmurphy wrote: »
    Most residential ISPs block ports 80 and 25 (web/SMTP). They can and do block the ports so that you cannot access them from the outside. You also probably have a DHCP address, which means your IP will change without notice. Using a service like DynDNS, as suggested, will work; however sometimes your IP doesn't change for a couple of months. If DynDNS doesn't receive any changes within 30 days, it will suspend your account (been there, done that). If you're doing it for "free" hosting of a website that will be used by many people... I would NOT recommend it (GoDaddy has hosting for REALLY cheap). If you're doing it for the experience of doing it... be my guest. You can use a different port (e.g. 81), but will have to remember that when accessing it.

    As for the attacks from the outside (scans attempting to login), that's normal. As long as you use a good strong password and good security measures, you should be OK. With that said, do not use a computer that has personal information on it. If you do get compromised... it could mean identity theft. Only open needed ports to the box...

    I used to try to host my own email and web, but it became too much of a pain... and I ditched it.

    For basic web, I wouldn't say you need much... but it depends on the site you're hosting... and how much content, what it's written in, and how many hits you get as to what the hardware requirements are.

    ISPs blocking ports must be a US thing... the only time I had an ISP blocking SMTP, for example, was with "free" ADSL from a mobile/cell provider, which isn't even proper ADSL, or a really poor one.

    As for attacks, that is correct: it doesn't matter whether you host inside/outside etc., you will always be attacked one way or another. The big difference between hosting this at home is simply bandwidth. If it rains into a container, it takes ages to fill up, but if the same amount of rain hits a glass, it is full in no time... Stupid analogy, I know :d
    My own knowledge base made public: http://open902.com :p
  • dustinmurphy Member Posts: 170
    DevilWAH wrote: »
    Also it is not "virtualy impossible" to make a home network secure, most home routers come with the ability to create a DMZ zone and even if they don't it is quite easy to separate of you server from the rest of your home network. Security of a home network or small office, is much simper than enterprise networks.

    I said it was virtually impossible to isolate it from the rest of the network (i.e. a DMZ VLAN or a separate VLAN). Home network DMZ doesn't do the same thing that business network DMZ does... Home networking DMZ opens all ports to the internet to a single (or multiple, if your router supports this... mine doesn't) IP address on your network, and does not isolate it from the rest of the network (i.e. if they compromise your box, they can reach the rest of the network as well), unlike a PIX or ASA which isolates the DMZ and puts it in a different security zone, using ACLs to allow access back to the internal network. If you're comfortable putting your machine open to the world... be my guest.... I'd rather forward needed ports. :D There are a few home networking firewalls that run similar to a PIX or ASA, but all the ones I have had in my house (sub $100)... the DMZ is just opening all ports to the entire world (I usually put my Xbox 360 in the DMZ... since it can't really be hacked).

    I usually use the MxToolbox scan tool (just type scan:<ip address>) to check for open ports, however I'm not sure if it will even work if you don't have anything answering on port 80 (http service). (Don't really feel like opening ports, etc. to find out myself.) If you've secured your router... you could also turn on the remote management for a few minutes and start the scan. ;)
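The "open the port, then probe it from outside" check that both the steps above and the MxToolbox suggestion describe can also be done from a shell on any machine outside your LAN (a phone on mobile data, a cheap VPS). The block below is an added example, not code from this thread: a small Python TCP probe that distinguishes an open port, a closed port (a RST came back, so the ISP is not dropping the traffic and the problem is the forward rule or the listener), and a filtered port (no answer at all, the usual signature of an ISP or router block). The demo() function uses constructed loopback sockets so it runs offline; the host and port on the command line are whatever public IP and port you forwarded.

```python
import socket
import sys


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Probe host:port with a plain TCP connect.

    'open'     -> handshake completed, something is listening behind the forward
    'closed'   -> RST came back: the path works, nothing listens there
                  (bad port-forward rule, wrong PC, or service not started)
    'filtered' -> no answer before the timeout, or network unreachable:
                  what an ISP or router silently dropping the port looks like
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:       # must come before the generic OSError
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        sock.close()


def demo() -> dict:
    """Constructed offline demo: one loopback socket listens, a second one is
    bound but never calls listen(), so the kernel answers its port with a RST."""
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))
    listening.listen(1)
    not_listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    not_listening.bind(("127.0.0.1", 0))
    try:
        return {
            "listening": check_tcp_port("127.0.0.1", listening.getsockname()[1]),
            "not_listening": check_tcp_port("127.0.0.1", not_listening.getsockname()[1]),
        }
    finally:
        listening.close()
        not_listening.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python probe.py <your public IP> 80, run from OUTSIDE your LAN
        print(check_tcp_port(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo())
```

Run it from outside the LAN only: probing your own public IP from a PC behind the same router usually fails because most home routers do not hairpin NAT, so a "filtered" result from inside proves nothing about the ISP.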
  • DevilWAH Member Posts: 2,997
    dustinmurphy wrote: »
    I said it was virtually impossible to isolate it from the rest of the network (i.e. a DMZ VLAN or a separate VLAN). Home network DMZ doesn't do the same thing that business network DMZ does... Home networking DMZ opens all ports to the internet to a single (or multiple, if your router supports this... mine doesn't) IP address on your network, and does not isolate it from the rest of the network (i.e. if they compromise your box, they can reach the rest of the network as well), unlike a PIX or ASA which isolates the DMZ and puts it in a different security zone, using ACLs to allow access back to the internal network. If you're comfortable putting your machine open to the world... be my guest.... I'd rather forward needed ports. :D There are a few home networking firewalls that run similar to a PIX or ASA, but all the ones I have had in my house (sub $100)... the DMZ is just opening all ports to the entire world (I usually put my Xbox 360 in the DMZ... since it can't really be hacked).

    Having worked on security for global finance banks who pour hundreds of millions of dollars into their networks each year, and being quite comfortable around ASA devices, I can assure you it is much easier to split your home network securely than an enterprise network. People are also crazily over the top when they talk about how you will get hacked by opening up a port on your firewall.

    If you can't split the network then just ensure all your other devices are set to block incoming connections from the web server or email server you are running. It's not hard to figure out how to do, and will give you the same security as running it on a separate VLAN. The best security solutions are the simple ones; the more complex you make it, the more holes you introduce.

    If someone takes a little time to learn about network security there is no reason, even with a basic home router, that you can't safely host applications without fear of hackers. Basic security will prevent any "script kiddie" attackers, and any real hackers out there have better things to do than spend weeks finding rare and unknown exploits on an insignificant network among the billions around.
  • dustinmurphy Member Posts: 170
    DevilWAH wrote: »
    Having worked on security for global finance banks who pour hundreds of millions of dollars into their networks each year, and being quite comfortable around ASA devices, I can assure you it is much easier to split your home network securely than an enterprise network. People are also crazily over the top when they talk about how you will get hacked by opening up a port on your firewall.

    If you can't split the network then just ensure all your other devices are set to block incoming connections from the web server or email server you are running. It's not hard to figure out how to do, and will give you the same security as running it on a separate VLAN. The best security solutions are the simple ones; the more complex you make it, the more holes you introduce.

    If someone takes a little time to learn about network security there is no reason, even with a basic home router, that you can't safely host applications without fear of hackers. Basic security will prevent any "script kiddie" attackers, and any real hackers out there have better things to do than spend weeks finding rare and unknown exploits on an insignificant network among the billions around.

    I will have to disagree with you on the above points. Most home network routers (the sub-$100 ones anyways) do not allow any "splitting" of the network. They use a single VLAN and are not capable of splitting off traffic. Sure, it's possible with the right amount of equipment, but MOST home networks do not have that capability.

    Opening ANY port to outside traffic is a "hole" in security.... whether or not that will result in being hacked... probably not likely, however any port open to the outside is a potential hacking point. We make necessary security concessions by allowing access to the server from the outside, however any security person worth his paycheck will NOT open any unnecessary ports to the server as that makes it easier to be compromised. (also required by certain compliance regulations)

    I've said to keep it isolated so that there isn't a possibility of a hacker gaining access to the box and having access to the entire network (most home networks are completely open once you get INSIDE the network). Sure, you can setup personal firewall rules on each box to not allow connections from the web server, however that's quite a bit of extra work.... since it's all on the same VLAN, you can't use the router/firewall to make these changes... as you said.. it's highly unlikely that someone running a web/email server from home will even be compromised, however with identity theft at an all-time high... I wouldn't chance it, myself.
  • Forsaken_GA Member Posts: 4,024
    dustinmurphy wrote: »
    I will have to disagree with you on the above points. Most home network routers (the sub-$100 ones anyways) do not allow any "splitting" of the network. They use a single VLAN and are not capable of splitting off traffic. Sure, it's possible with the right amount of equipment, but MOST home networks do not have that capability.

    I had a boss who was absolutely brilliant, and responsible for the servers on a high speed, high availability network.

    When it came to patching for vulnerabilities, he was militant about getting the windows servers patched, but could care less if a linux server had been up for 5 years without being patched... he trusted the linux box a whole lot more.

    Moral of the story - If the internal network is going to get hacked, it's more likely to be from the user getting their personal computer compromised and that being used as the entry point into the network (hello RSA hack!) than it is that the box running some flavor of Linux or BSD is going to get compromised for opening up its web port. However security folk just love to beat the 'DONT OPEN ANY PORTS WITHOUT REALLY REALLY GOOD JUSTIFICATION' drum. The cynic in me says it's because they have to do something to try and make themselves seem relevant. The optimist in me figures that maybe they really are that paranoid. I worry a crap load more about services being installed with default credentials than I ever do about services being open that maybe shouldn't be.

    Let me ask you a question, are you one of those folk who think it's a good idea to filter all ICMP?
  • dustinmurphy Member Posts: 170
    Forsaken_GA wrote: »
    I had a boss who was absolutely brilliant, and responsible for the servers on a high speed, high availability network.

    When it came to patching for vulnerabilities, he was militant about getting the windows servers patched, but could care less if a linux server had been up for 5 years without being patched... he trusted the linux box a whole lot more.

    Moral of the story - If the internal network is going to get hacked, it's more likely to be from the user getting their personal computer compromised and that being used as the entry point into the network (hello RSA hack!) than it is that the box running some flavor of Linux or BSD is going to get compromised for opening up its web port. However security folk just love to beat the 'DONT OPEN ANY PORTS WITHOUT REALLY REALLY GOOD JUSTIFICATION' drum. The cynic in me says it's because they have to do something to try and make themselves seem relevant. The optimist in me figures that maybe they really are that paranoid. I worry a crap load more about services being installed with default credentials than I ever do about services being open that maybe shouldn't be.

    Let me ask you a question, are you one of those folk who think it's a good idea to filter all ICMP?

    Nah, I think ICMP can be important in most situations, and generally doesn't have many vulnerabilities as to compromising a box. I am of the opinion that a port that doesn't need to be opened... stays closed. Opening a port to a web/email/ftp server is a valid reason to open a port... (they won't work unless you do). Putting a Windows box with 3389 open (and RDP available) or a Linux box with 22 open (and SSH-server installed) to the world is generally a bad idea... I've seen it done, and I HAVE done it... but I don't think it's a great idea.... it's better to require a VPN connection for that, if available. I think putting a box in the DMZ on a home router that isn't VERY WELL hardened is a mistake, too. Of course, then again, I disable Windows Firewalls as well... leaving the hardware firewall in place to filter out incoming requests. With security, you have to make some concessions to enable things to work and to make the user experience better. You just have to weigh out the pros and cons. The only "secure" (from outside influences) computer is one not connected to a network... but then again.. what good is it? ;)

    Personally, my opinion is... if you feel comfortable leaving a server completely open to the outside, that's your choice.... I won't be doing that... but you can feel free.

    BTW - Linux/Unix can still be hacked if you don't apply security updates (that's why they do it)... but it's less likely due to the fact that most exploits are done to Windows boxes. I would still apply security patches... whether Linux or Windows. :D
  • dustinmurphy Member Posts: 170
    P.S. - my Office Linux FTP server's logs were riddled with failed login attempts... just about every day.... never had a break in security, but it's always possible. Thankfully I took precautions to not allow access to the important data on the box... so I wasn't too worried.

    Edit: Oh, and my wife's old website was hosted on a Linux box... at GoDaddy... somehow it got compromised... and malware was injected into the site... I'm not sure what ports GoDaddy opens up, but I'm guessing FTP, HTTP and HTTPS.
  • DevilWAH Member Posts: 2,997
    Forsaken_GA wrote: »
    However security folk just love to beat the 'DONT OPEN ANY PORTS WITHOUT REALLY REALLY GOOD JUSTIFICATION' drum. The cynic in me says it's because they have to do something to try and make themselves seem relevant. The optimist in me figures that maybe they really are that paranoid. I worry a crap load more about services being installed with default credentials than I ever do about services being open that maybe shouldn't be.

    I think a lot of new people coming into security have that view, but as a very experienced security engineer once said: "Opening a port does not create a security risk; not understanding the potential impact is where the risk lies."

    Opening a port just means you have to keep control of that traffic, and the point of security moves inside the network, and may potentially require more configuration on multiple devices to mitigate. I am in complete agreement though: a Windows box with the firewall turned on left open to the internet is actually very hard to attack, despite what people think; most attacks rely on malware or some input from the user to allow a system to be compromised.
  • DevilWAH Member Posts: 2,997
    dustinmurphy wrote: »
    I will have to disagree with you on the above points. Most home network routers (the sub-$100 ones anyways) do not allow any "splitting" of the network. They use a single VLAN and are not capable of splitting off traffic. Sure, it's possible with the right amount of equipment, but MOST home networks do not have that capability.

    I've said to keep it isolated so that there isn't a possibility of a hacker gaining access to the box and having access to the entire network (most home networks are completely open once you get INSIDE the network). Sure, you can setup personal firewall rules on each box to not allow connections from the web server, however that's quite a bit of extra work.... since it's all on the same VLAN, you can't use the router/firewall to make these changes... as you said.. it's highly unlikely that someone running a web/email server from home will even be compromised, however with identity theft at an all-time high... I wouldn't chance it, myself.

    Splitting traffic across VLANs is not a secure solution; even without any routing between the VLANs it is still possible to hop VLANs if other security has not been set up.

    Also the default setup of the Windows firewall is to not allow any incoming requests, so by default a PC would be set up as protected from the Windows server. Windows Vista and 7 by default will not even reply to pings. The statement "most home computers are completely open" is factually incorrect. The fact that most attacks happen via malware means that even if you have all the ports on your firewall closed, as soon as one box is infected, if you don't have them set up to be closed to each other then your network is open. It is far easier to protect against uninvited incoming traffic than against malware. Assuming a network is secure because there is a firewall in between it and the internet is foolish. Indeed it is not unheard of for firewalls themselves to be hacked and disabled.

    Every device on the network has to be protected in its own right, and from each other. As everyone will hammer home, security is only as strong as its weakest link. There is no need for an open port to be the weakest link, even on a home network, unless you let it be.
  • Forsaken_GA Member Posts: 4,024
    dustinmurphy wrote: »
    P.S. - my Office Linux FTP server's logs were riddled with failed login attempts... just about every day.... never had a break in security, but it's always possible. Thankfully I took precautions to not allow access to the important data on the box... so I wasn't too worried.

    Try installing fail2ban, it'll make you a lot more comfortable about opening up interactive services to the world ;) That also goes for your assertion about leaving an open ssh port to the world, which is something I do indeed do. I personally require public key authentication over ssh, so my personal box really *would* have to be compromised to the point where my private key is obtainable, in order to actually get authenticated. fail2ban takes care of any idjut who decides they want to brute force the services on my box.

    If I were *really* paranoid, I'd do all of that, and make it an openbsd box instead, using pf to mirror the behavior I get from fail2ban.
    dustinmurphy wrote: »
    Edit: Oh, and my wife's old website was hosted on a Linux box... at GoDaddy... somehow it got compromised... and malware was injected into the site... I'm not sure what ports GoDaddy opens up, but I'm guessing FTP, HTTP and HTTPS.

    That likely wasn't a linux problem, and probably had everything to do with the software itself, especially if it was a php based app. I've seen more than a few compromises that resulted in malware, links to malware, and phishing sites being sent into a website because of an application vulnerability than I can count. In 5 years of linux administration, I saw 2 linux boxes that were actually compromised at the server level (out of about 3000 servers). The number of windows boxen compromised was in the high double digits.

    Now security folks like to use the argument 'it can happen to anyone, don't risk it!'. While I acknowledge the truth in that statement, my skepticism remains, as no security professional has been able to present me with any kind of significant statistical analysis.

    Crap like weak passwords and credentials obtained by the compromise of other systems is not a security flaw in the operating system being compromised, it's security flaw at layer 0.
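The fail2ban behaviour recommended above (count authentication failures per source and block the source once it passes a threshold inside a time window) is small enough to show in full. The block below is an added example, not fail2ban's code or anything posted in this thread: it reads OpenSSH's "Failed password" log lines, keeps a sliding window per source IP, reports which sources would be banned, and renders the kind of iptables rule fail2ban's stock action inserts. The log lines are constructed for the example and use RFC 5737 documentation addresses; the year passed to parse_ts is an assumption because syslog timestamps carry none. The slow attacker (192.0.2.9, one guess every 15 minutes) is there on purpose: it never trips the default 5-in-10-minutes window, which is exactly why the post pairs fail2ban with key-only authentication instead of relying on the ban alone.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (not from any real host).
# 203.0.113.7 hammers the box; 192.0.2.9 tries once every 15 minutes;
# 198.51.100.2 is the legitimate admin, who mistypes once, then uses a key.
SAMPLE_LOG = """\
Mar  3 10:00:01 web sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 web sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:04 web sshd[2240]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:06 web sshd[2244]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:00:07 web sshd[2250]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:09 web sshd[2251]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Mar  3 10:00:40 web sshd[2252]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
Mar  3 10:20:00 web sshd[2260]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar  3 10:35:00 web sshd[2261]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar  3 10:50:00 web sshd[2262]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar  3 11:05:00 web sshd[2263]: Failed password for root from 192.0.2.9 port 60003 ssh2
Mar  3 11:20:00 web sshd[2264]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""

# OpenSSH's failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    # syslog stamps carry no year; assume one (hypothetical) so window maths works
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def failures_per_ip(log_text: str) -> Counter:
    """Raw count of password failures per source, regardless of timing."""
    return Counter(m["ip"] for m in map(FAILED_RE.match, log_text.splitlines()) if m)


def find_bans(log_text: str, maxretry: int = 5, findtime_min: int = 10) -> dict:
    """Sliding-window counter per source IP, the logic of fail2ban's sshd jail
    (stock defaults: maxretry 5 within findtime 10m). Returns
    {ip: timestamp of the failure that triggered the ban}."""
    findtime = timedelta(minutes=findtime_min)
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["ip"] in bans:
            continue
        ts = parse_ts(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:    # forget failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = ts
    return bans


def ban_rules(bans: dict, port: int = 22) -> list:
    """Render the per-source iptables REJECT a fail2ban ban turns into
    (rendered only, never executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j REJECT "
            f"--reject-with icmp-port-unreachable" for ip in sorted(bans)]


if __name__ == "__main__":
    print(dict(failures_per_ip(SAMPLE_LOG)))
    print(find_bans(SAMPLE_LOG))
    print("\n".join(ban_rules(find_bans(SAMPLE_LOG))))
```

With the defaults only 203.0.113.7 is banned (at the fifth failure, 10:00:07). Widening findtime_min to 120 also catches 192.0.2.9, at the cost of more state per source. Neither setting matters once sshd has `PasswordAuthentication no`: the guesses still fill the log, but none of them can succeed.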
  • Forsaken_GA Member Posts: 4,024
    DevilWAH wrote: »
    Opening a port just means you have to keep control of that traffic, and the point of security moved inside the network, and may poential require more configuration on multiply devices to mitigate. I am in complete agreement though, a windows box with the fire wall turned on left open to the internet is actualy very hard to attack, despite what people think, most attacks rely on malware or some input fro the user to allow a system to be compromised.

    Yeah. I still don't trust *any* XP box I see on the network, but I have a lot less bias against Windows7 and 2008 boxen, from the playing with them I've been doing recently. Microsoft's done a good job at putting up a better outward security profile (sometimes too much, that Enhanced IE Security crap annoys me to no end). Now it's not a matter of distrusting the OS from the word go, it's a question about how much I trust the person using it, which ultimately, is what it comes down to with any system.
  • dustinmurphy Member Posts: 170
    All of the points mentioned are valid. As I said... I disable the Windows Firewall to aid in being able to use the network devices and admin properly (without having to change firewall rules on 10-20 different devices I have around my house or the 50-200 devices at the office). As security is concerned, we all have to make concessions... and have to balance between security and usability. The most secure computer is one that is not connected to the network, however that's just not usable. If you like to change firewall rules or make them on all of your devices, be my guest. I'd rather just use the hardware firewall, and smart internet browsing to keep my network secure.

    As I said... many times we HAVE to open ports. If that's the case, then fine... make sure you take other security measures to "harden" your box. Good, strong passwords, not using the "root" or "Administrator" accounts (I'm guilty of this, sometimes), or other security measures should be put into place to guard against brute force or dictionary attacks...

    As for my wife's website... yes, it was a PHP site... I set it up before I *REALLY* knew how to admin... and thinking back, I'm not sure how it happened, but I'm guessing it had to do with PHP.
  • Forsaken_GA Member Posts: 4,024
    dustinmurphy wrote: »
    As for my wife's website... yes, it was a PHP site... I set it up before I *REALLY* knew how to admin... and thinking back, I'm not sure how it happened, but I'm guessing it had to do with PHP.

    Back when I was admining web servers, I used to religiously check milw0rm and pastebin to see what exploits had been posted for what software, it gave me a good idea of what I was going to be dealing with in the coming weeks. Wordpress, Drupal and Joomla were easily the most compromised pieces of software that I've ever seen, though they've gotten better over the last few years (the plugin authors.... well, that's a different story)
  • DevilWAH Member Posts: 2,997
    dustinmurphy wrote: »
    I'd rather just use the hardware firewall, and smart internet browsing to keep my network secure.

    In my house there are three people using the internet, including myself, as is the case in most houses. Would you suggest that you would rely only on your hardware firewall and disable firewalls on the computers?

    So if any one PC gets compromised the whole network is at risk? That gives you one line of defence to your network. A complete no-no on any security course: "strong as your weakest link". I have seen the effects on a large corporate network of doing exactly this: spending tens of thousands on edge security, but forgetting about the internal security. Despite warnings that they needed to think about it, and their statements of "we are careful so it's very unlikely we get infected", a single PC being infected by malware brought the entire network to a halt in minutes. And took about 2 weeks to finally clean up.

    These days internal security is as important, if not more important, than your edge security. There are just too many methods to slip by firewalls these days.

    Out of interest, if anyone wants to create a true DMZ in the home network but does not want to spend $100s, then you can achieve it with two cheap-ish home routers daisy-chained together (the second needs to be a cable router/firewall that accepts an Ethernet connection as its external interface).

    Your primary router connects to your server/DMZ devices, and also to your second router, which your internal devices sit behind. This gives you a fully configurable firewall both between the internet and your DMZ zone, and between the DMZ zone and the internal devices.

    Considering you can pick up a second router that will do the job for $30 or less, if you really want a simple but complete DMZ setup, it's a way to consider rather than purchasing a full-fledged expensive router.
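The two-router layout described above, and the earlier fallback of having every other device drop connections initiated by the server, both come down to the same question: for each new connection, which firewalls does it cross, and does each of them permit it? The block below is an added example, not code from this thread or from any router vendor: a first-match policy evaluator in Python with both topologies built as constructed data (the addresses, subnets and the single port-80 forward are assumptions). A host firewall is modelled as a firewall whose "behind" set is just that one host, so the same evaluator covers the double-router DMZ and the flat LAN with a per-PC rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    name: str
    behind: List[str]    # networks reachable through this box's LAN side
    inbound: List[Rule]  # first match wins; anything unmatched is denied

    def guards(self, src: str, dst: str) -> bool:
        """True when the connection enters this box's LAN side from outside it.
        Connections leaving the LAN side are allowed, as on home routers."""
        nets = [ip_network(n) for n in self.behind]
        return (any(ip_address(dst) in n for n in nets)
                and not any(ip_address(src) in n for n in nets))

    def verdict(self, src: str, dst: str, dport: int) -> str:
        for rule in self.inbound:
            if rule.matches(src, dst, dport):
                return rule.action
        return "deny"


def evaluate(firewalls: List[Firewall], src: str, dst: str, dport: int) -> str:
    """A new TCP connection is allowed only if every firewall it crosses inbound
    allows it. Reply traffic of an allowed connection is implied (stateful NAT),
    so only the initiating direction is modelled."""
    for fw in firewalls:
        if fw.guards(src, dst) and fw.verdict(src, dst, dport) == "deny":
            return f"deny ({fw.name})"
    return "allow"


# Constructed topology from the post: router A faces the ISP with the web server
# on its LAN (the DMZ); router B's WAN port plugs into that same LAN and the
# family PCs live behind B. Only port 80 to the server is forwarded on A.
INTERNET_HOST = "203.0.113.50"
SERVER = "192.168.1.10"
PC_BEHIND_B = "192.168.2.20"


def double_router() -> List[Firewall]:
    router_a = Firewall("router A", ["192.168.1.0/24", "192.168.2.0/24"],
                        [Rule("allow", dst=SERVER + "/32", dport=80)])
    router_b = Firewall("router B", ["192.168.2.0/24"], [])  # nothing forwarded
    return [router_a, router_b]


# Flat single-router LAN with server and PC side by side; the fallback is a
# host firewall on the PC that drops anything the server initiates.
PC_FLAT = "192.168.1.20"


def flat_lan(host_rule: bool) -> List[Firewall]:
    router = Firewall("router", ["192.168.1.0/24"],
                      [Rule("allow", dst=SERVER + "/32", dport=80)])
    pc = Firewall("PC host firewall", [PC_FLAT + "/32"],
                  [Rule("deny", src=SERVER + "/32"),
                   Rule("allow", src="192.168.1.0/24")])
    return [router, pc] if host_rule else [router]


def report() -> dict:
    dr, flat, flat_hf = double_router(), flat_lan(False), flat_lan(True)
    return {
        "internet->server:80 (double router)": evaluate(dr, INTERNET_HOST, SERVER, 80),
        "internet->server:22 (double router)": evaluate(dr, INTERNET_HOST, SERVER, 22),
        "internet->pc:445 (double router)": evaluate(dr, INTERNET_HOST, PC_BEHIND_B, 445),
        "server->pc:445 (double router)": evaluate(dr, SERVER, PC_BEHIND_B, 445),
        "pc->server:80 (double router)": evaluate(dr, PC_BEHIND_B, SERVER, 80),
        "server->pc:445 (flat, no host rule)": evaluate(flat, SERVER, PC_FLAT, 445),
        "server->pc:445 (flat, host rule)": evaluate(flat_hf, SERVER, PC_FLAT, 445),
        "other pc->pc:445 (flat, host rule)": evaluate(flat_hf, "192.168.1.30", PC_FLAT, 445),
    }


if __name__ == "__main__":
    for flow, result in report().items():
        print(f"{flow:40} {result}")
```

The two rows worth comparing are "server->pc:445": on the flat LAN without a host rule the router never sees that connection at all, so a compromised server reaches the PC freely, while in the double-router layout router B drops it because nothing is forwarded through B. The model deliberately ignores NAT hairpinning and UPnP: a PC behind B that opens ports via UPnP would add allow rules to B's inbound list and erode exactly the isolation the layout was bought for.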
  • dustinmurphy Member Posts: 170
    DevilWAH wrote: »
    In my house there are three people using the internet, including myself, as is the case in most houses. Would you suggest that you would rely only on your hardware firewall and disable firewalls on the computers?
    So if any one PC gets compromised the whole network is at risk? That gives you one line of defence to your network. A complete no-no on any security course: "strong as your weakest link". I have seen the effects on a large corporate network of doing exactly this: spending tens of thousands on edge security, but forgetting about the internal security. Despite warnings that they needed to think about it, and their statements of "we are careful so it's very unlikely we get infected", a single PC being infected by malware brought the entire network to a halt in minutes. And took about 2 weeks to finally clean up.

    That's what I said, yes. Just like I don't shut and lock every door to every room in my house... only the ones leading to the outside. That's not to say that I don't install malware protection on my computers. (like I have locks on my important stuff in the house, i.e. guns, important documents, etc). For 8 years I've relied on this system, and have had -0- outbreaks or infections of malware. (and, I have 5 users in my house, including my 3 year old and my 6 year old)

    I also used this "security" measure on my company networks. I find it somewhat difficult to manage 100+ PC's and 40+ servers individual firewall rules (other than through GP, but most of the ports you would open on the firewall are those that would be used to hack anyways). However, setting up a few hardware firewalls and a corporate malware protection (with central management) seemed to do pretty well. No wide-spread infections in AT LEAST 4 years. That's not to say that individual PC's never got infected, but that was due to the user allowing it through... which would not be stopped by a firewall, anyways.
    DevilWAH wrote: »
    Out of interest, if anyone wants to create a true DMZ in the home network but does not want to spend $100s, then you can achieve it with two cheap-ish home routers daisy-chained together (the second needs to be a cable router/firewall that accepts an Ethernet connection as its external interface).

    Your primary router connects to your server/DMZ devices, and also to your second router, which your internal devices sit behind. This gives you a fully configurable firewall both between the internet and your DMZ zone, and between the DMZ zone and the internal devices.

    Considering you can pick up a second router that will do the job for $30 or less, if you really want a simple but complete DMZ setup, it's a way to consider rather than purchasing a full-fledged expensive router.

    That's a great solution! It's simple, however for some reason I had not thought about it. Just put the secondary router in the DMZ... and forward the ports in the secondary to the server. That would isolate the web server. :) I guess it's because I'm cheap. I don't like buying new equipment unless I need it. (that's not saying I DON'T have like a ton of extra equipment. i.e. routers, switches, etc)

    Only problem I may see is any NAT issues, but most home routers will work great in that configuration.
  • DevilWAH Member Posts: 2,997
    dustinmurphy wrote: »
    I find it somewhat difficult to manage 100+ PC's and 40+ servers individual firewall rules

    15,000 servers and 48,000+ PCs, all with centrally managed firewall rules. It's generally very simple to manage individual PCs as the default is to block all incoming connections; in this case the only thing not blocked is RDP and a few other management ports from specific IPs. Everything has to go through specific proxies (only about 6 devices) to keep rules simple. And to be honest I can't remember the last time a rule needed to be changed.

    These days with UPnP for applications to dynamically open return ports, a user PC should never need any ports manually opened on it for general usage.


    I have been driving for 15+ years and never had a crash. But that doesn't mean I no longer bother to wear my seatbelt.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
  • dustinmurphy Member Posts: 170
    DevilWAH wrote: »
    I have been driving for 15+ years and never had a crash. But that doesn't mean I no longer bother to wear my seatbelt.
    I never said DON'T use ANY protection. I said... in my experience, a hardware firewall keeps out most intruders, and a good malware program will help filter out others. *I* don't feel the need to have my helmet on while driving my car, since I wear a seatbelt and have airbags, as it's very uncomfortable and difficult to manage. *I* also don't feel the need to have a personal firewall on the PC, since I have a hardware firewall (blocking out all the incoming ports) and malware protection (blocking applications). It also doesn't mean that wearing a helmet and a seatbelt will keep me from getting hurt or killed in an accident, if it were to happen. Your internal firewalls don't guarantee you safety much more than *my* configuration. It just makes you sleep better at night... and that's fine for you. I find that when troubleshooting, a personal firewall is VERY detrimental to the process. Without being able to PING a host, it's difficult to tell whether it's even up...

    BTW - this all stemmed from you claiming that you can put a box in the DMZ on a home router, and it will be safe. I disagree and say that you should only forward the ports necessary to that box.... so, essentially you're saying because you have your helmet on (and no seatbelt)... you can hit anything you want... (the seatbelt is built into the car, and can be considered a "hardware" firewall, in this case.. helmet is a personal firewall)...
  • dustinmurphy Member Posts: 170
    I was also thinking today that different situations call for different securities. Perhaps in your situation (working with thousands of hosts in a financial industry) using higher security is necessary. In situations like I've been in... there have been some concessions made for usability and administration... going along with your analogy... it's like... a Top Fuel dragster driver wears a flame-resistant suit and many different PERSONAL protections to keep him safe from INTERNAL threats (such as fire, etc), but he also wears his harness to keep him safe in the event of a crash.... as a general driver on the street, we don't use personal protections to keep us safe from internal threats (i.e. fire suit and helmet), however we do use our seat belts and airbags to keep us safe from the outside threats.

    Keep in mind, I'm not saying you're WRONG. Just saying that in my opinion, it's unnecessary to admin firewalls at the host side when you have a good hardware firewall in place. In my experience, using a single hardware firewall and disabling the Windows Firewalls has proven to be much easier to troubleshoot, administer, and use.

    BTW - wearing a seatbelt has been STATISTICALLY proven to save lives. As far as I know, there have not been any good statistical reports that show that using personal firewalls on each device along with hardware firewalls and good malware protection vs. a hardware firewall and good malware protection has any effect on whether or not a machine / network will get infected. Most malware these days do not spread like a virus, and if they do.... they have ways to get around firewalls of any sort, (i.e. using email, web, etc).

    Edit: Oh - and for "malware" protection on my house... in the event an intruder gets past my security doors, etc... I have a gun. :D
  • Forsaken_GA Member Posts: 4,024
    DevilWAH wrote: »
    In my house there are three people using the internet, including myself, as is the case in most houses. Would you suggest that you would rely only on your hardware firewall and disable firewalls on the computers?

    I actually do exactly this... for one VLAN on my network. That's where the girlfriend's and the children's computers reside. That VLAN is firewalled off to allow access to nothing but the default gateway, and the firewall imposes a captive portal, so to get out, you need a username and password. I surrendered on the idea of keeping those computers secure, given the nature of the people who use them, but I'll be damned if I was going to let them affect anything else on the network.
  • CodeBlox Member Posts: 1,363 ■■■■□□□□□□
    Wow, nice to see the thread still active. I'm of the opinion that a personal firewall should be used on a home network. This may be because I've never had the need to use a network firewall other than what's provided by my access point. I've decided to take on this task of setting up my web server during spring break, which is a couple of weeks from now. It'll use some random port like, say, 8080 and I'll need to (re)familiarize myself with Apache. I can't speak for corporate networks because I've never worked on one outside of this helpdesk. I would think it'd be tedious to configure a firewall for every single computer though. I know on our helpdesk, the individual firewalls aren't used and they rely on network firewalls. They have HIPS installed on all computers though. Sorry if I restated something someone else already stated in the thread.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • Forsaken_GA Member Posts: 4,024
    Where to place the firewall is something of a religious issue. I've worked for companies that enforced firewall policy at the border and didn't care what the end host was doing for a firewall, and I've worked in a company where there was no network-based firewalling and everything was done on the host end. The latter case had good reasons: the firewalls of the time choked the bandwidth too much, 10 gig links had just come out, and the network-based firewalls simply couldn't keep up with doing line-rate inspection, and it affected *all* customers, so all servers were moved to provide their own firewall services and pulled their firewall configurations from a centralized repository.

    Which worked incredibly well... until someone screwed up and put a bad rule in the global list that all the hosts applied. This basically prevented them from doing *any* traffic whatsoever, and though we caught the error pretty quick, a sizable portion of the infrastructure had already pulled the bad rule and applied it. And since they couldn't pass any traffic with that rule in there, they couldn't refresh their firewall rules to pull it out. The end result was an all-hands-on-deck call to get people into the data center to manually flush and reload all affected servers from their consoles. That led to an interesting post mortem.
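The two ideas in this thread, the two-zone DMZ/internal layout from the double-router post earlier and the centrally distributed host rules that locked the fleet out in the post above, both come down to the same practice: check a ruleset against the flows it must never break before it is pushed. The Python below is an added example, not code from any poster or their employer. It models a first-match, default-deny ruleset, lists invariant flows (the admin path, the host's fetch from the rule repository, public HTTP, and DMZ-to-LAN denied), and refuses a ruleset that violates any of them. All addresses, hosts and ports are constructed sample values.

```python
"""Pre-deployment sanity check for a firewall ruleset (added example).

Models a first-match, default-deny ruleset like the per-host rules pulled
from a central repository, laid over a two-zone DMZ/internal network.
Before a ruleset ships it is evaluated against invariant flows: the
management path and the rule-repository fetch must stay open, and
DMZ -> internal must stay closed. Every address below is a constructed
sample, not anyone's real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    dport: Optional[int] = None   # None matches any destination port
    proto: str = "tcp"            # "any" matches every protocol

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in ip_network(self.src)
            and ip_address(flow.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == flow.dport)
            and (self.proto == "any" or self.proto == flow.proto)
        )


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; no match falls through to the default (deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed topology (assumption, not from the thread):
#   DMZ web server 192.168.1.10, internal LAN 192.168.2.0/24,
#   rule repository 192.168.2.5:443, admin workstation 192.168.2.20,
#   203.0.113.0/24 stands in for "the internet".
GOOD_RULES = [
    Rule("allow", "0.0.0.0/0", "192.168.1.10/32", 80),              # public web
    Rule("allow", "192.168.2.20/32", "192.168.1.10/32", 22),        # admin SSH only
    Rule("allow", "192.168.1.10/32", "192.168.2.5/32", 443),        # fetch rules from repo
    Rule("deny", "192.168.1.0/24", "192.168.2.0/24", None, "any"),  # DMZ must not reach LAN
]

# The incident described in the thread: a blanket deny lands at the top of the global list.
BAD_RULES = [Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, "any")] + GOOD_RULES

# Flows every ruleset must honour before it is allowed to ship.
INVARIANTS: List[Tuple[Flow, str, str]] = [
    (Flow("203.0.113.7", "192.168.1.10", 80), "allow", "public HTTP to web server"),
    (Flow("192.168.2.20", "192.168.1.10", 22), "allow", "admin SSH management path"),
    (Flow("192.168.1.10", "192.168.2.5", 443), "allow", "web server can refresh its rules"),
    (Flow("192.168.1.10", "192.168.2.30", 445), "deny", "DMZ host cannot reach internal SMB"),
    (Flow("203.0.113.7", "192.168.1.10", 22), "deny", "no SSH from the internet"),
]


def check_policy(rules: List[Rule], invariants=INVARIANTS) -> List[str]:
    """Return a description of every violated invariant; an empty list means safe."""
    violations = []
    for flow, expected, description in invariants:
        got = evaluate(rules, flow)
        if got != expected:
            violations.append(f"{description}: expected {expected}, got {got}")
    return violations


def safe_to_deploy(rules: List[Rule]) -> bool:
    """Gate a push on the invariant check so a bad rule never reaches the hosts."""
    return not check_policy(rules)


if __name__ == "__main__":
    print("good ruleset violations:", check_policy(GOOD_RULES))
    for v in check_policy(BAD_RULES):
        print("BAD ruleset:", v)
```

Run as-is, the good ruleset passes with no violations, while the ruleset with the blanket deny at the top fails three invariants (public HTTP, admin SSH, and the repository fetch), which is exactly the lockout the post describes: once that rule is applied, the host can no longer reach the repository to undo it. Keeping the repository fetch and the management path in the invariant list means the gate catches that class of mistake before distribution rather than after a trip to the console.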
  • networkjutsu Member Posts: 275 ■■■□□□□□□□
    I hosted my blog from my home server for about three months until I decided to move it to a hosting company. Definitely cheaper for me to host it at home, but the reliability of my site being up 24/7 is not that great. For whatever reason, my home server will just reboot by itself. Not really sure why since I've never really sat down and troubleshot it. Maybe one of these days I'll sit down and troubleshoot it.