Ask HN: Do I need a hardware firewall for my first dedicated server?
6 points by potatofish 5845 days ago
I'm getting ready to deploy the first phase of my app on a dedicated machine. Phase I is not public, meaning it has no web site, other than the one I use to administrate the app, and it takes no connections other than SSH. I will be running the latest Ubuntu Server, and using UFW for the firewall.

Question is, should I spend the $50 that Softlayer asks for a 10Mbps hardware firewall? Is Ubuntu's firewall enough?

6 comments

The software firewall is plenty. Make sure services on the ports that are open are as locked-down as possible: no brute-forceable passwords for SSH; conservative web server configuration and vigilant security updates of all software used.

Then spend the money saved on the hardware firewall on more frequent and offsite backups of crucial data.
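The lock-down this comment recommends, written out as an added example (it is not code from the thread or from any commenter): UFW default-deny with only the SSH port open and rate-limited, plus an sshd drop-in that disables password logins so the one open port cannot be brute-forced. It assumes a current Ubuntu Server with UFW and OpenSSH installed, an `/etc/ssh/sshd_config.d/` include directory, an SSH key already in `~/.ssh/authorized_keys`, and that sshd listens on `SSH_PORT` (22 unless you override the variable). Without arguments it only prints the plan; `apply` as root enforces it.

```shell
#!/bin/sh
# Added example: restrict a fresh dedicated server to SSH only with UFW and
# turn off password authentication. Assumptions (not from the thread):
# UFW + OpenSSH present, sshd_config.d/ is included by sshd_config, a working
# SSH key is already installed, sshd listens on SSH_PORT (default 22).
SSH_PORT="${SSH_PORT:-22}"

# The UFW plan: deny everything inbound by default, allow outbound, and open
# SSH with "limit", which drops an address after 6 new connections in 30 s.
firewall_plan() {
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw limit ${SSH_PORT}/tcp" \
    "ufw --force enable"
}

# sshd hardening drop-in: key-based login only, no password or challenge
# login, root only with a key, few guesses per connection.
sshd_hardening() {
  cat <<EOF
# /etc/ssh/sshd_config.d/10-hardening.conf (written by this script)
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# Sanity check: every allow/limit rule in the plan must be the SSH port.
# Catches an accidental extra rule or a typo in SSH_PORT before enforcing.
plan_opens_only_ssh() {
  firewall_plan | grep -E '^ufw (allow|limit) ' | grep -vq "${SSH_PORT}/tcp" && return 1
  return 0
}

case "${1:-}" in
  apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    plan_opens_only_ssh || { echo "plan opens more than SSH, aborting" >&2; exit 1; }
    sshd_hardening > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t                 # refuse to reload on a broken config
    systemctl reload ssh
    firewall_plan | while read -r cmd; do $cmd; done
    ufw status verbose
    ;;
  *)
    echo "# dry run: pass 'apply' as root to enforce the following"
    firewall_plan
    sshd_hardening
    ;;
esac
```

Keep the session you applied this from open and test a second login with your key before disconnecting; once `PasswordAuthentication no` is live, a lost key means a trip to the provider's rescue console.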

A software firewall should be sufficient at first. It makes sense putting off any additional spending until the app is validated and you start to scale.

So that means that the OS firewall is safe enough that I shouldn't worry about it being compromised? I suppose the HW firewall could also be compromised, but it does give a bit of extra peace of mind.

In isolation, yes: it is unlikely the vector of attack would (ever) be the firewall itself. In fact I think system level attacks are less likely than application level attacks (SQL injection, XSS, etc.).

I think you really get some performance features (like SSL offloading, etc.).

Software firewall is fine for a single machine. Plus, the hardware firewall you were quoted would restrict your throughput to only 10Mbps, which is not a lot and would be maxed out with 4-5 concurrent users.

In a typical web app scenario 10 Mbit is far more than sufficient to handle hundreds or thousands of active users. Only if you're serving up large static files (or similar) would 10 Mbit become a bottleneck, and even in that case with throttling you could give ~25 concurrent users sufficient speed to stream a video, etc.

No. You're infinitely more likely to get in trouble by running crappy or out of date software. Worry about that and little else.

Enlighten me, what's all this talk of firewalls? Am I just a caveman for doing everything with iptables?

The only practical thing I can see it doing for you is giving you extra administrative overhead.