Having looked into this, Barracuda Website Firewall Model 360 seems about right for our needs. However it's pretty expensive. It's not just the cost of the hardware (which is plenty in itself) but also the ongoing software updates, which are obviously necessary, and the cost of initial setup and commissioning - also pretty well mandatory, as no-one here has a clue how to set up one of these things, and a configuration error, such as, for example, blocking all spiders, would be somewhat disastrous.
Although I'd hate to share our SQL data with someone I don't know, and who quite possibly does not have good intent, there's nothing on the servers which could be used for immediate gain, such as card numbers or bank details. However, the servers being 'up' is vital to the business as revenue would dry up if they weren't.
I'd be grateful if anyone with insight on this subject could give me a few clues to help me decide whether to write the big cheque, or go with shorewall (or something similar) instead.
In fact - don't do this at home - you can create a firewall by installing linux on a spare computer and setting it up to monitor and guard the traffic.
So if you're running linux, go find yourself a linux consultant to lock down your box. A couple three hours and you should be fine - if not better than most hardware firewalls.
Also, if you are moving to a dedicated server provider, check around. I work with dozens of them and some do provide robust firewall solutions on a turn key basis.
Another consideration between the hardware/software question is that with vendors like cisco/watchguard/sonicwall you get support. This could be critical if that firewall goes on the fritz and you have to send someone to the data center to fix it.
There are many iptables based firewalls out there that run on Linux. Finding the one that best meets your needs will require some research.
IPFW is your initial best friend... you can block whole areas (China, Russia) that can cause problems. If you don't need it... or don't want it public, shut it down. Don't EVER run Telnet, and you can move SSH and FTP (if needed, otherwise close it down!) to non-standard ports. Then you can use something like port sentry to close down anyone sniffing at what they think is your telnet port.
My box ONLY has 80 showing to the web, and that is firewalled by IPFW. I would not say I am totally impervious - you still have to keep up on vulnerabilities (like SQL baiting), but I sleep well at night!
Oh, and ALL this is Free on FreeBSD. I would think similar things are available on other flavors of LINUX.
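The setup the post above describes (a web server with only port 80 reachable from the outside, SSH moved off its default port, telnet never exposed, everything else denied) looks roughly like the following IPFW ruleset. This is an added example written for this thread, not a script from any poster or from the FreeBSD project, and the interface name `em0`, the admin address `192.0.2.10` and the SSH port `2222` are placeholders you would replace. It defaults to a dry run that prints the `ipfw` commands so the ruleset can be reviewed before it is applied; set `DRY_RUN=0` to actually load it on a FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the thread): minimal default-deny IPFW ruleset for
# a box that exposes only HTTP. All values below are placeholders/assumptions.
EXT_IF="${EXT_IF:-em0}"          # outside interface (assumed)
ADMIN_IP="${ADMIN_IP:-192.0.2.10}" # the one host allowed to reach SSH (assumed)
SSH_PORT="${SSH_PORT:-2222}"      # SSH moved off port 22 (assumed)

# Wrapper so the ruleset can be printed for review (DRY_RUN=1, the default)
# or applied for real (DRY_RUN=0) with the same code path.
fw() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

build_ruleset() {
    fw -q flush
    # Loopback is trusted; spoofed loopback addresses on real interfaces are not.
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 210 deny ip from 127.0.0.0/8 to any
    # Let packets belonging to connections we already accepted through.
    fw add 300 check-state
    # The box may open outbound connections (updates, DNS); state is kept so
    # the replies are matched by rule 300 rather than by a broad allow.
    fw add 400 allow tcp from me to any out via "$EXT_IF" setup keep-state
    fw add 410 allow udp from me to any 53 out via "$EXT_IF" keep-state
    # The only public service: HTTP.
    fw add 500 allow tcp from any to me 80 in via "$EXT_IF" setup keep-state
    # SSH on its non-standard port, and only from the admin host.
    fw add 510 allow tcp from "$ADMIN_IP" to me "$SSH_PORT" in via "$EXT_IF" setup keep-state
    # Nothing listens on telnet or default SSH; log probes against them so
    # they show up in the firewall log, then drop everything else.
    fw add 600 deny log tcp from any to me 23,22 in via "$EXT_IF"
    fw add 65000 deny log ip from any to any
}

build_ruleset
```

Because the last rule denies and logs everything not explicitly allowed, the mistake the original poster worries about (accidentally shutting out search engine spiders) would show up immediately as logged denials to port 80, which is the check to run right after loading a new ruleset.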