I have been assigned to setup some servers in the datacenter... we have two DBs (and may expand to 3) running behind a load balancer to get the best performance and avoid bottleneck when search queries are being done.
We have a DB of about 20 million records... so a lot of searches.
to all DC experts... do you recommend that i do without a firewall or with a firewall. i always thought that if we put in a firewall in front of the web server, the connection (and bottleneck) will slow down tremendously, is this true?
should i put in a Cisco/Netscreen firewall or i can do away with iptables (Linux firewall if you will)?
please advise. thank you! i need to know this asap.
I have not seen any deficiency in our own sites from setting up a firewall. I think all you can do to protect your network is better than having downtime due to attacks.
I have to agree that it would not hurt to put a fire wall on. I think that as Blast said you want to protect your server instead of taking the chance that it will be attacked ad downtime can really hurt most business.
I think you will have to go with firewall because it will protect your data.I am also using the firewall in our system and i dont think it is affecting speed.
I think you will have to go with firewall because it will protect your data.I am also using the firewall in our system and i dont think it is affecting speed.
B$ - a firewall won't protect your data, it will simply restrict access down to your systems.
Depending on your traffic load, you should appropriately size the firewall - for example, if your solution is doing 500,000pps/ A few Gig of traffic don't use a SonicWall TZ170 or Cisco ASA5505 as it will just die under the load
Ensure that you configure the firewall appropriately else it would just as well be used as a door stop to!
I think the same< it would be better to apply a hardware solution.
Oh, defiantly always recommend a hardware firewall - software firewalls always scare the pants out of me purely for the reason that the packets are still getting to the server, and if there is a flaw in the firewall code it could be exploited. While this can happen on a hardware firewall, at least it is physically separate to your servers
I would say to definitely use a firewall. The reasoning about dialup and different IP's has a flaw. The flaw is that if you have a trojan virus running, and no firewall or effective AV program, the trojan virus sits there and opens a port on your computer, and will either send out packets of data basically saying 'here is a wide open computer ripe for exploitation', or opens a port and waits for a incoming data stream. It doesn't matter that there is a different IP each time, this trojan would be broadcasting the current one. Some of these can identify themselves as coming from a specific computer.
The XP firewall does nothing to stop anything from connecting out, a third party firewall can monitor what is connecting out, and can allow or deny access to the internet.
It's not only OK to use both a hardware firewall and a software firewall, it's recommended. Your hardware firewall provides NAT which separates your network from the internet, and should be checking packets on their way in to make sure they're legitimate. Your software firewall should be checking not only inbound traffic, but also outbound traffic. This is important so that if a rogue application gets installed you should be notified of unusual behavior.
Firewall or No firewall? please help
