Will the plesk 7.5 firewall be sufficent?

[Jon-NC]

Hi,

We are in the process of planning a re-image of our server with the possibility of putting a hardware firewall on. However we would rather just use the software firewall included in plesk as this will reduce costs and if we have an external box it is another point of failure.

So will the plesk firewall be good enough to stop unwanted traffic? Or will I be better off investing in a hardware firewall.

Any opinions would be greatly appreciated.

Regards

Jon

[cah]

A software firewall will generally be more vulnerable than a hardware box - but if you set it up properly then i don't see why it should pose a problem. I doubt it takes its toll on performance either. I know I am happy enough to use my own firewall rules with iptables to keep me safe for a solitary server.

However, at least with a hardware box you can protect multiple servers, there is less on the hardware end to mess with and it is simpler to manage. As for performance I'm sure both solutions can handle whatever connection you throw at it for simple web traffic.

[Jon-NC]

Perhaps I can put a little spin on this. We will be using a windows 2003 box lol.

To get a hardware firewall setup and stuff isn't really a problem and would even come in handy as we would run some VPN's off it and things.

I'd feel alot better with a hardware firewall but if for whatever reason it decides to throw its toys out we will be in trouble.

Perhaps its best to be safe, or even stick an extra network card in that is connected right to the net for a secondary plan. :S.

[cah]

errrr. win what??? Lol.

In all my time using hardware firewalls i've only ever come across one problem - where due to slight (probably major) over-heating in the rack apparently the bridge between LAN and WAN failed/broke/?melted?.

TBH, they are more robust than your machine because you know that you can fubar the server and still you will be protected whatever state (firewall broken, bootup etc). Rule of thumb is that the less you rely on with one box the better. However, in all honesty i would use a hardware box to protect you from inbound attacks and the plesk on the desktop to control what comes out. Good for monitoring too. And i certainly would not rely on a windows application that might be rather vulnerable to do all the security.

You won't lose anything by having a failsafe connect straight to the net though and only turning it on when necessary.

So yeah - be paranoid - hardware firewall to server and then plesk.

[Jon-NC]

I think im going to go hardware firewall route. . Will have it on a rebootable apc unit anyway so im sure it will be safe.

[Cranky]

On Plesk for Linux (not sure about Windows), the firewall is just a basic set of accept/deny rules with no stateful rules at all. For an effective software firewall on linux I'd suggest looking to something like APF firewall which is a pretty neat set of rules and can be very effective. A hardware firewall is usually going to be better, but in many cases you'd be fine with APF or similar - cheaper, easier to customise.