Co-location, most systems run without firewalls, right?
StephenRS 07-03-2001, 06:34 PM I expect most people out there running just 1 or 2 servers co-located do NOT have a firewall and just do their best to "harden" the system.
Do most ISP's offer you router filtering services upon request?
I never see firewall or router filtering mentioned on any of the co-location offerings from ISP's...
Differing opinions?
Mike the newbie 07-03-2001, 06:43 PM Originally posted by StephenRS
I never see firewall or router filtering mentioned on any of the co-location offerings from ISP's...
I know that Tera-Byte / 4webSpace has a firewall in place. You can see it in a traceroute to www.4webspace.com. It is mentioned here http://www.tera-byte.com/software.html
Don't know about others.
StephenRS 07-03-2001, 06:57 PM Mike,
Having a firewall at an ISP is one thing... "shielding your customers" as part of co-location is another.
Are you sure you are following my line of question -- specific to customer co-located systems?
I believe tera-byte does firewall colo boxes, but I'm not sure. Many of the larger colo firms, like Above and Exodus offer it. I don't think many of the smaller firms do, but I don't understand why they don't. I would imagine any of them could if paid enough.
StephenRS 07-03-2001, 07:17 PM I can understand why smaller ISP's don't... every time some co-location box owner adds a new service to their system, firewall rules have to be changed... it is a lot of labor to maintain a set of firewall rules for 20+ servers.
cbaker17 07-03-2001, 07:30 PM Almost every colo facility or MSP will offer the service for your particular box, but almost none do it network-wide. The reason is that every customer may have a specific app that requires certain resources and ports to be available; a firewall can cause all types of havoc and triple your support time if you have to hunt down whether it's a firewall issue, server issue, service issue, etc. And besides, to make a network-wide firewall work well network-wide, you'd have to leave so much of it open anyway that it really wouldn't be much of a firewall.
Firewalls are best tailored to a company's individual needs.
StephenRS 07-03-2001, 07:35 PM Another one of those areas where I dislike that ISP's don't openly publish their rates.
To me, this should be just like tape backup service. $50/month we will provide firewall services for your system (10 rule changes maximum per month, $10 for each additional rule change, up to 24 hours to implement requested rule changes). Some basic service, not too expensive, not too unreasonable.
What is the going rate most ISP's charge for firewall of your IP's?
Madman2020 07-04-2001, 02:48 AM Well, this really depends. I don't know any "good" providers that do not firewall their network. However, if you have a colo or even a dedicated box, security and monitoring is usually up to the sysadmin of the box.
Please remember that firewalls are not meant for stopping hackers, but meant to monitor and limit access to a network or server.
astralexis 07-04-2001, 03:36 AM Couldn't you make your own firewall inside your co-located box? I mean, aren't there some of those 1U boxes with actually 2 computers inside, maybe one small and one bigger, so you could use the small one for the firewall and the bigger one for the server?
Ok, maybe this is all wrong, I don't know anything about networking....
cperciva 07-04-2001, 04:24 AM astra4, as long as you're using a decent operating system (which in this context means more or less anything beyond windows 95) you should be able to enable a packet filtering firewall on the server itself. This is necessary from a security standpoint regardless of network firewalls, in order to protect your server from being attacked by other servers on the same network.
Generally, however, the firewall will only do simple things like dropping all broadcast packets, allowing 22,23,25,80,110/TCP and 53/UDP, and dropping everything else -- although there is of course much more which can be done (logging suspicious packets, blocking outgoing SMTP to all non-root users, counting packets for accounting purposes...)
Mike the newbie 07-04-2001, 07:20 AM Originally posted by StephenRS
Mike,
Having a firewall at an ISP is one thing... "shielding your customers" as part of co-location is another.
Are you sure you are following my line of question -- specific to customer co-located systems?
I thought I did. :)
Everything I traceroute at Tera-byte/4WebSpace seems to go through their firewall. This includes the RaQ server I have there.
I understood your question to be along the lines of:
Do co-location vendors have a firewall between my server and the big, bad internet?
Am I off base?
DavidU 07-04-2001, 10:37 AM Even if you are being firewalled at your colo, you can (and maybe should) be firewalling on your individual servers.
Linux servers have ipchains or iptables and can do high-level firewalling. Not as fast as a dedicated router, but until you have a machine doing about 3-5 Mbps SUSTAINED you won't notice it.
ipchains is for the 2.2 series kernels and iptables is for 2.4.
BSD has ipf which is also very powerful.
-davidu
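The host-based packet filter cperciva sketches above (drop broadcasts, allow a short list of service ports, drop everything else, log what is dropped, stop non-root users from sending mail out) and DavidU's point that it belongs on the box regardless of what the colo does, as an added example that is not code from any poster in this thread. It is written in iptables syntax (2.4 series kernels, still valid today). The variable names IPT, WAN, TCP_PORTS and UDP_PORTS and the function host_firewall_rules are this example's own; the interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal host-based
# iptables ruleset for a co-located Linux box. IPT defaults to
# "echo iptables", so running the script prints the rules for review
# instead of loading them. Set IPT=iptables and run as root to apply them.

IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"                         # public-facing interface (assumption)
TCP_PORTS="${TCP_PORTS:-22 25 80 110}"     # ssh smtp http pop3
UDP_PORTS="${UDP_PORTS:-53}"               # dns
# 23/tcp (telnet) from cperciva's list is left out on purpose: cleartext logins.

host_firewall_rules() {
    # Flush INPUT and OUTPUT, then default INPUT to DROP. The ESTABLISHED
    # rule that follows keeps the ssh session you are typing in alive.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: loopback or private source addresses arriving on the
    # public interface are never legitimate on a colo box.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # Drop broadcast traffic outright (cperciva's first rule).
    $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

    # Only the services the box actually offers. NEW restricts the match to
    # connection attempts; replies are already covered by ESTABLISHED above.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    # ICMP errors for our own flows match RELATED above; pings get an
    # explicit rule with a rate cap so the box stays diagnosable.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log a sample of what is being dropped, then drop it. The LOG rule is
    # rate limited so a port scan cannot fill /var/log.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP

    # "Blocking outgoing SMTP to all non-root users": only uid 0 may open
    # connections to port 25. Change the uid to whatever user the MTA runs as.
    $IPT -A OUTPUT -p tcp --dport 25 -m owner ! --uid-owner 0 -j REJECT
}

# Emit (or, with IPT=iptables, apply) the ruleset when run directly.
host_firewall_rules
```

Review the printed rules before applying them on a remote box, and have a way back in: something like `sleep 300 && iptables -P INPUT ACCEPT && iptables -F INPUT &` started before loading the rules will undo a lockout after five minutes if you cannot reconnect.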
smash 07-04-2001, 02:26 PM Hi,
I thought that firewalling an individual server was not very useful, as in the event of a "SYN flood", or whatever you call it, the system would get as fed up rejecting connections as it would accepting them.
Am I wrong here? (Very possible as I know next to nothing about this, only reporting what I've been told).
Thank you,
Cedric
DavidU 07-04-2001, 02:52 PM Originally posted by smash
Hi,
I thought that firewalling an individual server was not very useful, as in the event of a "SYN flood", or whatever you call it, the system would get as fed up rejecting connections as it would accepting them.
Am I wrong here? (Very possible as I know next to nothing about this, only reporting what I've been told).
Thank you,
Cedric
A firewall won't always help you with SYN floods and in fact rarely will.
Also, you can slow SYN floods by using local firewalling...
I was saying though, the best firewall is an exterior one AND one on your box (for things like tcp_syncookies).
-davidu
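The two host-side measures DavidU is pointing at, SYN cookies and slowing SYNs with local filtering, as an added example that is not code from any poster in this thread. IPT, SYSCTL_FILE, the SYN_LIMIT chain and the function names are this example's own; the default rate and burst values are illustrative, not recommendations.

```shell
#!/bin/sh
# Added example (not from the original thread): host-side SYN-flood measures.
# IPT defaults to "echo iptables" so the rules are printed for review rather
# than loaded; set IPT=iptables and run as root to apply them.

IPT="${IPT:-echo iptables}"
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/ipv4/tcp_syncookies}"

# Exit status: 0 = SYN cookies on, 1 = off, 2 = knob not present
# (not Linux, or a kernel built without it).
syncookies_enabled() {
    [ -r "$SYSCTL_FILE" ] || return 2
    [ "$(cat "$SYSCTL_FILE")" = "1" ]
}

# Turn SYN cookies on. With cookies, a full SYN backlog no longer makes the
# kernel discard new SYNs: it answers with a SYN-ACK whose sequence number
# encodes the connection and allocates state only when the final ACK arrives.
enable_syncookies() {
    [ -w "$SYSCTL_FILE" ] || return 2
    echo 1 > "$SYSCTL_FILE"
}

# Rules that put every new SYN through a per-source-address rate limit.
# Arguments: rate (default 30/second) and burst (default 60).
syn_limit_rules() {
    rate="${1:-30/second}"
    burst="${2:-60}"
    $IPT -N SYN_LIMIT
    $IPT -F SYN_LIMIT
    # hashlimit keeps one token bucket per source address; sources under the
    # rate RETURN to INPUT and are evaluated by the normal rules.
    $IPT -A SYN_LIMIT -m hashlimit --hashlimit-name syn --hashlimit-mode srcip \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" -j RETURN
    # Everything over the rate is logged (itself rate limited) and dropped.
    $IPT -A SYN_LIMIT -m limit --limit 3/min -j LOG --log-prefix "SYN-LIMIT: "
    $IPT -A SYN_LIMIT -j DROP
    # Insert at the top of INPUT so it runs before any ACCEPT for 80/tcp etc.
    $IPT -I INPUT -p tcp --syn -m state --state NEW -j SYN_LIMIT
}

syn_limit_rules
if syncookies_enabled; then
    echo "tcp_syncookies is on"
else
    echo "tcp_syncookies is off or unavailable; run enable_syncookies as root"
fi
```

The per-source limit only helps against floods coming from a handful of real addresses (a misbehaving client, a small botnet). A classic SYN flood spoofs a fresh source address on every packet, so each packet gets its own bucket and none is ever over the limit; that is the case where a filter "rarely will" help and where SYN cookies are what keep the box accepting connections. On an old kernel, tcp_syncookies also needs CONFIG_SYN_COOKIES compiled in, which is why the script reports the knob as unavailable rather than assuming it exists.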