2005-03-15
For something as simple as a firewall for Windows servers, a good solution just doesn't exist.
Outbound filtering is weak anyway...
2005-03-15
Nicholas Weaver (1 replies)
Outbound filtering is weak anyway...
2005-03-16
Anonymous (1 replies)
What is IPSec doing in that list?
2005-03-18
Anonymous (2 replies)

Putting a host based firewall as well as a piece of software that can identify changes to file systems whenever it is feasible is never a bad idea.
Here's a couple of scenarios that illustrate why a host based firewall is a good idea.
1. You have a server that is colocated. You want a host based firewall because you don't control the firewall rules between your box and the internet and also because the other boxes behind whatever passes for a firewall (which may very well be nothing) at wherever you have your box hosted are admined by whoever decides to pay the monthly hosting fee. A lot of those boxes get put up and left alone until they break without ever having anyone harden them or patch them.
2. You have a server, like a Windows server that is a member of a domain, that is required to listen on a ton of ports for everything to work correctly. However it only needs to allow a few other machines to talk to it on those ports. A host based firewall on every server gives you much more granular control over the traffic on your network.
3. Servers on a DMZ would benefit from a host based firewall. Very few machines on a DMZ need to speak with each other and when they do it is in very known and predictable circumstances. No server on a DMZ should ever be SSHing or Term Serving into any other machine on your DMZ, however you do need to run those services on the server to be able to perform administrative functions.
Link to this comment: http://www.securityfocus.com/comments/columns/307/30963#30963
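Scenario 3 from the comment above, written as a first-match inbound rule set with a default deny and evaluated against constructed connection attempts. This is an added example, not part of the original comment or of any firewall product; the subnets, the single peer exception on port 8443 and all names are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None matches any destination port
    source: str           # source network in CIDR form

# Constructed addressing plan (assumption, documentation/private ranges)
DMZ_NET = "192.0.2.0/24"      # the DMZ this server lives in
ADMIN_NET = "10.9.0.0/28"     # management hosts allowed to administer it

# Inbound policy for one DMZ web server: first match wins, default deny.
RULES = [
    Rule("allow", "tcp", 22, ADMIN_NET),          # SSH only from admin hosts
    Rule("allow", "tcp", 3389, ADMIN_NET),        # Terminal Services likewise
    Rule("allow", "tcp", 8443, "192.0.2.10/32"),  # the one known peer flow
    Rule("deny", "tcp", None, DMZ_NET),           # every other DMZ peer
    Rule("allow", "tcp", 443, "0.0.0.0/0"),       # the public service
]

def evaluate(proto, port, src, rules=RULES):
    """Return (action, index of matching rule or None for default deny)."""
    addr = ipaddress.ip_address(src)
    for i, r in enumerate(rules):
        if (r.proto == proto and r.port in (None, port)
                and addr in ipaddress.ip_network(r.source)):
            return r.action, i
    return "deny", None

# Constructed connection attempts: (protocol, destination port, source IP)
ATTEMPTS = [
    ("tcp", 443, "203.0.113.50"),   # internet client to the web service
    ("tcp", 22, "10.9.0.5"),        # admin host over SSH
    ("tcp", 22, "192.0.2.20"),      # another DMZ box trying SSH
    ("tcp", 3389, "192.0.2.20"),    # another DMZ box trying Terminal Services
    ("tcp", 8443, "192.0.2.10"),    # the known peer flow
    ("tcp", 445, "203.0.113.50"),   # listening port nobody outside needs
]

def decisions():
    return [evaluate(*a) for a in ATTEMPTS]

if __name__ == "__main__":
    for attempt, (action, idx) in zip(ATTEMPTS, decisions()):
        print(attempt, action, "default" if idx is None else f"rule {idx}")
```

The administrative services stay running, as the comment requires, but a peer on the same DMZ segment hits the deny rule before it can reach them.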