Webhosting Server Connectivity - Firewall? Router + Unix FW? Direct IP + Unix FW?
Hello - I have a pretty basic question here. I'm using a broadband provider with static IPs. They drop off an optical network termination and from there I plug in my Gig-E switch and static-IP the devices within my subnet. The primary purpose is for web & email hosting (apache + dovecot/postfix + mysql), a basic LAMP-type server installation.
Here are my questions:
I am running the CSF firewall, which is your basic SPI software-based firewall. Should I configure the ethernet interface of my server to be a public IP, or should I configure it to be a private IP and front-end the connection with a router? In this particular case, since I'm setting up port forwarding on the router anyhow, is the router really doing anything, since it's a single IP connection coming into it? I don't think the router is providing any value and it may be both a bottleneck and a single point of failure. (I have had to reboot the router a couple of times in the past...)
Should I look at getting a software-based firewall instead? If so, what should I look at getting and why? What is it going to buy me over what I have now? I have hardware servers that I could put into production for this... or I guess I could look into a hardware appliance...
Since I run different servers, should I look at an F5 (or other) load balancer, put that as the frontend public IP connection and run the servers through it? Do any load balancers provide any form of firewalling, or not?
So I guess my question is: should I public-IP my unix servers and continue to run CSF (or another) software firewall on them, or should I put a router in front and private-IP the servers? Should I consider a firewall? If so, a software-based one would be far preferred, as I have hardware to run it on. (The less expensive, the better.)
I would like to know the answers to this as well. In terms of IP termination, it depends on your network architecture. If you have database and other IP-dependent applications running, I would have private IPs for your servers and terminate the public IP on a router.
I do run mysql, apache, postfix, dovecot, bind/named, etc. - standard ISP-type stuff. I guess my question was: with a router that has a simple, basic firewall feature set, if I lock out the ports in the csf firewall on unix, am I doing the same thing? I'm adding a bottleneck (packet-per-second forwarding rate) and a potential single point of failure (having to reboot the router...), but does it buy me anything? I only need one machine per IP, so why wouldn't I just give the eth0 interface a public IP address and run the CSF firewall daemon on the unix box? I don't think putting anything short of an expensive firewall in front of it is going to do much for me...
May I ask what kind of router you have in place? Was there any specific reason you hosted the servers in-house? For physical security of data, or for cost?
You can do it either way, public or private IP with NAT, software or hardware firewall. It all comes down to your cost, maintenance and the level of security you want to have in place.
Having said that, if you do use public IPs on each machine and csf (iptables on the server), that is typically what web hosting companies do as well. There is no firewall in front of them. They are just hooked up to a public switch/router.
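For anyone weighing the "router with port forwarding" versus "public IP plus csf" question above, this is what locking out the ports on the box itself amounts to. It is an added example written for this thread, not CSF's own code or anything a poster provided: a stateful, default-deny iptables ruleset of the kind CSF builds from its TCP_IN/UDP_IN lists, generated as text so it can be reviewed before it touches the kernel, plus a small audit that flags listeners bound to a public address whose port is not in the allow list. It assumes the public interface is eth0, that the ports listed are the only services the LAMP/mail box should expose, and it uses a placeholder admin address for SSH.

```shell
#!/bin/sh
# Added example (not CSF's code): default-deny host firewall for a public-IP LAMP/mail box.
# Assumptions: public interface eth0, the service ports below, ADMIN_IP as a placeholder
# (RFC 5737 documentation range) for the address SSH is managed from.
set -eu

WAN_IF="${WAN_IF:-eth0}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
TCP_IN="25 53 80 110 143 443 465 587 993 995"   # SMTP, DNS, HTTP(S), POP3/IMAP (+TLS), submission
UDP_IN="53"                                      # DNS
# 3306 (MySQL) is deliberately absent: the database listens on localhost only.

# Emit the ruleset as iptables commands. Generating text first lets the rules be
# reviewed or diffed before anything is applied.
ruleset() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_IP -m conntrack --ctstate NEW -j ACCEPT
EOF
  for p in $TCP_IN; do
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $UDP_IN; do
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport $p -j ACCEPT"
  done
  # Log a sample of what the DROP policy catches, so a lockout can be diagnosed.
  echo "iptables -A INPUT -i $WAN_IF -m limit --limit 10/min -j LOG --log-prefix \"fw-drop: \""
}

# Return 0 if PORT/PROTO is in the allow list, 1 otherwise.
port_allowed() {
  port="$1"; proto="$2"
  case "$proto" in
    tcp) list="$TCP_IN" ;;
    udp) list="$UDP_IN" ;;
    *) return 1 ;;
  esac
  for p in $list; do
    [ "$p" = "$port" ] && return 0
  done
  return 1
}

# Read `ss -lntu`-style lines on stdin and print listeners bound to a non-loopback
# address whose port the ruleset would not admit (services exposed by accident).
audit_listeners() {
  while read -r proto _ _ _ local _; do
    port="${local##*:}"
    addr="${local%:*}"
    case "$addr" in 127.*|'[::1]'|::1) continue ;; esac
    port_allowed "$port" "$proto" || echo "$proto $local"
  done
}

# Constructed sample of `ss -lntu` output: MySQL has been bound to all addresses by mistake.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3306    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:53      0.0.0.0:*'

case "${1:-review}" in
  apply) ruleset | sh ;;                          # root only: applies the rules
  audit) echo "$SAMPLE_SS" | audit_listeners ;;   # flags 0.0.0.0:3306
  *)     ruleset ;;                               # default: print for review
esac
```

Run it with no arguments to see the rules, `audit` to run the listener check against the embedded sample (it reports `tcp 0.0.0.0:3306`), and `apply` as root on the box. The point for the thread: once INPUT defaults to DROP and only the listed ports accept NEW connections, a router doing port forwarding in front of the same box adds a hop and a reboot-prone device without adding a filter the host does not already apply.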
We're using private IPs with our VPS. This allows us to offer our clients the ability to create an IPSec tunnel that we manage between their VPS and the infrastructure back at the client location, though, since we are 100% virtualized, we can just as easily throw them directly on the internet if they wish to do so.
It's just a question of scale. If one IP / one server will suffice for the foreseeable future, then just do everything on one server. You don't have any redundancy in place anyway, and another device will just be another point of failure.
If you find that you'll need additional servers sooner or later, then try to get more IPs from your ISP. NAT for servers is ugly, and best avoided when possible. You should use public IPs whether or not you have firewalls in place. See if you can get a block with at least 3 usable IPs, so that you can run VRRP with a pair of firewalls instead of just one. Then get your ISP to route you another block to your VRRP IP, and use that for your servers.
Is there any reason you're running this on the premises instead of in a proper data centre? A broadband connection is generally not as reliable as what you'd find in a data centre, due to points of failure in the last mile.