
What's the point in firewalls?

dannyboy 07-04-2002, 11:24 AM
Why does a web host need a firewall?
The point of a firewall is to stop people accessing machines, right? But a web host runs servers that need to be accessed by all, and are most likely in public IP address ranges.

Schumie 07-04-2002, 12:02 PM
WHAT'S THE POINT OF A FIREWALL!!!!!
Well... multiple reasons....
You say people need access... yes... but you don't want to let them have any control over your server... (do you?!?!?!)
A firewall helps in the prevention of people trying to get access to your server on certain ports...
However... remember a firewall cannot stop you being hacked... just adds another layer of protection to make it harder (in theory ;) )

bambenek 07-04-2002, 12:16 PM
You can keep people from portscanning your machines and only allow mail, ftp, ssh, and web. This keeps the machines from having to respond to portscans, and lets the firewall just drop them. Without a firewall, it is a lot easier to DoS a machine by filling up its connection table.

dannyboy 07-04-2002, 12:19 PM
Schumie: Surely you can just not leave the ports open? How does a firewall do this any better than the server itself?
bambenek: If that's the case, then why do hosts pay for firewalls such as PIXes, when a decently configured *nix box could do it?

ScottD 07-04-2002, 02:22 PM
Dannyboy,
Having a firewall separate from your servers prevents anyone from running their own server applications without authorization by the host. A common example is that anyone can start an IRC daemon, but if port 6667 is blocked then it will do them no good.
Most smaller hosts don't pay for expensive firewalls like PIX, Netscreen, or Checkpoint, and are perfectly content letting the servers do the work via ipfw or ipchains/tables.

dannyboy 07-04-2002, 02:34 PM
So why don't big hosts just block the ports on their servers?

ScottD 07-04-2002, 02:38 PM
It's much easier to have it all blocked at one device. When you control hundreds of servers, you don't want to mess with firewall configurations on each one, or the overhead involved.
Good firewall devices/servers offer a lot more than your generic ipfw and iptables stuff as well, like advanced logging, SPI, VPN access, etc.

dannyboy 07-04-2002, 02:55 PM
Thanks for the replies so far. Still trying to work this out in my head though :-)
Fair enough, so it's a matter of convenience.
The only thing that a firewall would bring to a host, then, is being able to stop servers (IRC servers for example) being run on the servers?
As for VPNs, they don't seem important in a hosting environment, and what does SPI bring if you're quite deliberately wanting to allow connections in?
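
Added example, not part of any post in this thread: a toy Python model of the SPI question above, comparing a port-only rule with a stateful filter on the ports bambenek lists (mail, ftp, ssh, web). All names (`Packet`, `stateless_filter`, `StatefulFilter`, `compare`, `SAMPLE`) and the sample packets are constructed for illustration; connection state is simplified to a (source, source port, destination port) key, and an RST removes it immediately.

```python
from dataclasses import dataclass

ALLOWED_PORTS = {21, 22, 25, 80}  # ftp, ssh, mail, web


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    flags: str  # simplified to one of "SYN", "ACK", "RST"


def stateless_filter(pkt):
    """Port-only rule: accept anything addressed to an allowed port."""
    return pkt.dport in ALLOWED_PORTS


class StatefulFilter:
    """Toy SPI: a non-SYN packet passes only if its connection is tracked."""

    def __init__(self):
        self.table = set()

    def accept(self, pkt):
        if pkt.dport not in ALLOWED_PORTS:
            return False
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.flags == "SYN":          # new connection to an allowed service
            self.table.add(key)
            return True
        if key not in self.table:       # belongs to no known connection
            return False
        if pkt.flags == "RST":          # teardown: forget the connection
            self.table.discard(key)
        return True


def compare(packets):
    """Return (packet, stateless verdict, stateful verdict) per packet."""
    spi = StatefulFilter()
    return [(p, stateless_filter(p), spi.accept(p)) for p in packets]


SAMPLE = [  # constructed traffic, documentation-range addresses
    Packet("198.51.100.7", 40000, 80, "SYN"),   # client opens web connection
    Packet("198.51.100.7", 40000, 80, "ACK"),   # same connection continues
    Packet("203.0.113.9", 50000, 80, "ACK"),    # no prior SYN from this host
    Packet("203.0.113.9", 50001, 6667, "SYN"),  # IRC port, not allowed
    Packet("198.51.100.7", 40000, 80, "RST"),   # client resets connection
    Packet("198.51.100.7", 40000, 80, "ACK"),   # arrives after teardown
]

if __name__ == "__main__":
    for p, port_only, spi in compare(SAMPLE):
        print(f"{p.src}:{p.sport} -> {p.dport} {p.flags:3}  port-only={port_only}  spi={spi}")
```

Both filters admit the web connection and block port 6667; only the stateful one also drops the packets to port 80 that belong to no open connection.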

allan 07-06-2002, 09:25 AM
Originally posted by dannyboy:
As for VPNs, they don't seem important in a hosting environment,

Not true, VPNs are very important in the enterprise hosting environment. Larger hosting companies often have clients run VPNs to their servers. The VPNs are used to update content, synchronize databases, and provide secure access to remotely hosted corporate intranets.
VPNs are also important if someone is using a hosting data center as a disaster recovery location.

RackMy.com 07-06-2002, 12:58 PM
As for VPNs, they don't seem important in a hosting environment

Actually, we have several customers who we have set up VPNs for so they can access/update their systems securely.

clocker1996 07-06-2002, 01:56 PM
To me it all depends on who you are, and what you do with the server/machine :)