
Thread: What is the BEST (Strongest) Firewall?

  1. #1
    Join Date
    Dec 2011
    Beans
    61

    What is the BEST (Strongest) Firewall?

    Hello,

    I am going to be using ubuntu server edition either 10.04 or 11.10 (not sure which one yet) and I was wondering if you guys could point me to the strongest firewall out there. I am going to be setting up an online business and the firewall is going to be one of the most important things to have. Any advice is welcome.

    P.S. I am completely new at this, so when you respond please do so in layman's terms (or at least explain yourself).

    Thanks Much Appreciated

    Adamantasaurus

  2. #2
    Join Date
    Jul 2008
    Beans
    2,732

    Re: What is the BEST (Strongest) Firewall?

    They are all the same but what you do to it. I use Gufw, which is already there, but set the outbound to deny and add the rules yourself.

  3. #3
    Join Date
    Jul 2008
    Beans
    2,732

    Re: What is the BEST (Strongest) Firewall?

    Read this it will help you a lot.

  4. #4
    Join Date
    Oct 2005
    Location
    Lab, Slovakia
    Beans
    10,791

    Re: What is the BEST (Strongest) Firewall?

    Firewalls are mostly a Windows thing. It is needed when you don't have proper control over the server and cannot limit the stuff that is running on it.

    On my Linux servers, I use only one IP tables rule, to limit DOS and brute force attacks.

  5. #5
    Join Date
    Dec 2011
    Beans
    61

    Re: What is the BEST (Strongest) Firewall?

    What is the IP tables rule?

    If I have an ecommerce site up and running with a ssl is it feasible for me to build a firewall myself to keep attackers out?

  6. #6
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: What is the BEST (Strongest) Firewall?

    If you're talking about running an ecommerce site - I assume you're talking about accepting payment card information. That is going to put you into the realm of PCI compliance, which is a scary thing for someone new to server administration. You can't just accept credit card information.

    So in terms of ecommerce a firewall is only one thing you need to think about. For PCI compliance guidelines you have to meet the following (and this is a simplified list). Here is the full list: http://www.bbb.org/data-security/bec...nt/checklists/

    But basically in terms of what you're setting up on your system you're going to need the following.

    - Firewall (optional but recommended)
    - AV required (not really, but for compliance it needs to be there, this can be an external appliance)
    - IPS/IDS (required for compliance, again can be an external appliance)
    - Web Application Firewall (same applies, can be external appliance)
    - Encryption (AES or stronger, can't store track 2 etc ... Read the standard for this)
    - Transmittal of data MUST BE SSL
    - Credentials (they need to be very strong consult the checklist)
    - Patch levels, current, always, or you are out of compliance
    - Stored data can not be on the same server (either physical or virtual separation is acceptable) as the web application accepting the PCI.

    Also, you're not hosting this from your home or small business, are you? Because you won't meet the rigorous physical security standards.

    Now that should keep you busy for a while. My advice: accept PayPal or use a hosting company.

    To answer your question about firewalls, they're not just a Windows thing. That being said, most if not all SPI firewalls are going to be nothing but a front end for iptables/netfilter. Again, for PCI compliance a DPI firewall OR IDS is required, though it can be external. So really, unless you're talking about serious configuration of an IPS/DPI system, you're best just using iptables.

    Hope this helps.
    Last edited by Dangertux; December 17th, 2011 at 06:21 AM.
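
A sketch of what the advice in posts #2 and #6 amounts to in plain iptables, added here as an example (it is not any poster's own rule set): default-deny in both directions, only the web ports opened, and a rate limit on new SSH connections. The port numbers, the list name `SSH`, the 3-per-60-seconds limit and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prints a default-deny ruleset in iptables-restore format.
# Nothing is loaded into the kernel; ports and limits are assumptions.

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset "<inbound tcp ports>" "<outbound tcp ports>"
build_ruleset() {
    for p in $1 $2; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    echo "*filter"
    # Default policy is DROP in every direction, outbound included.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # Loopback, plus replies on connections that a rule below allowed.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH on port 22 (assumed): the 4th new connection from one source
    # address within 60 seconds is dropped, which slows password guessing.
    ssh="-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW"
    echo "$ssh -m recent --name SSH --set"
    echo "$ssh -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP"
    echo "$ssh -j ACCEPT"
    for p in $1; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound: DNS lookups, then only the listed TCP ports.
    echo "-A OUTPUT -p udp --dport 53 -j ACCEPT"
    for p in $2; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Reads iptables-save text on stdin; prints how many built-in chains
# still default to ACCEPT (0 for the ruleset built above).
count_accept_policies() {
    grep -c '^:[A-Z]* ACCEPT' || true
}

# Web server: 80/443 inbound, 80/443 outbound for package updates.
build_ruleset "80 443" "80 443"
```

Save the output to a file and check it with `iptables-restore --test` as root before loading it; IPv6 traffic is filtered separately by ip6tables and is not covered here.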

  7. #7
    Join Date
    Feb 2010
    Location
    In My Food Forest
    Beans
    9,318

    Re: What is the BEST (Strongest) Firewall?

    Moved to Security Discussions.

    I use GUFW, which can be found in the Ubuntu Software Center.
    Cheers & Beers, uRock

  8. #8
    Join Date
    Mar 2006
    Location
    Sevierville, Tennessee
    Beans
    1,312
    Distro
    Ubuntu Development Release

    Re: What is the BEST (Strongest) Firewall?

    I use GUFW which is located in the archives and is as good as the rest.
    Gary
    Linux since 1995, Ubuntu since 2006

  9. #9
    Join Date
    Dec 2011
    Beans
    61

    Re: What is the BEST (Strongest) Firewall?

    Quote Originally Posted by Dangertux View Post
    If you're talking about running an ecommerce site - I assume you're talking about accepting payment card information. That is going to put you into the realm of PCI compliance, which is a scary thing for someone new to server administration. You can't just accept credit card information.

    So in terms of ecommerce a firewall is only one thing you need to think about. For PCI compliance guidelines you have to meet the following (and this is a simplified list). Here is the full list: http://www.bbb.org/data-security/bec...nt/checklists/

    But basically in terms of what you're setting up on your system you're going to need the following.

    - Firewall (optional but recommended)
    - AV required (not really, but for compliance it needs to be there, this can be an external appliance)
    - IPS/IDS (required for compliance, again can be an external appliance)
    - Web Application Firewall (same applies, can be external appliance)
    - Encryption (AES or stronger, can't store track 2 etc ... Read the standard for this)
    - Transmittal of data MUST BE SSL
    - Credentials (they need to be very strong consult the checklist)
    - Patch levels, current, always, or you are out of compliance
    - Stored data can not be on the same server (either physical or virtual separation is acceptable) as the web application accepting the PCI.

    Also, you're not hosting this from your home or small business, are you? Because you won't meet the rigorous physical security standards.

    Now that should keep you busy for a while. My advice: accept PayPal or use a hosting company.

    To answer your question about firewalls, they're not just a Windows thing. That being said, most if not all SPI firewalls are going to be nothing but a front end for iptables/netfilter. Again, for PCI compliance a DPI firewall OR IDS is required, though it can be external. So really, unless you're talking about serious configuration of an IPS/DPI system, you're best just using iptables.

    Hope this helps.
    Wow, that's a lot of work; this will probably take me a couple of years. But I do have that time to learn it, so I think maybe I will just host my site during those couple of years. This is a startup business with almost no disposable cash (I can't pay someone to do it for me). Is it reasonable for me to learn how to do all of this and get it up and running in a few years?

    And I'm thinking of eventually (like 5 years from now) setting up a server for other people to host their websites on and pay me money!!! is that reasonable to do and are there other guidelines for that?

  10. #10
    Join Date
    Apr 2011
    Beans
    484

    Re: What is the BEST (Strongest) Firewall?

    Quote Originally Posted by adamantasaurus View Post
    Wow, that's a lot of work; this will probably take me a couple of years. But I do have that time to learn it, so I think maybe I will just host my site during those couple of years. This is a startup business with almost no disposable cash (I can't pay someone to do it for me). Is it reasonable for me to learn how to do all of this and get it up and running in a few years?
    Consider that if you mess this up, the lawsuits can and will follow. (And make no mistake, it is easy to mess any one of these things up.) I would personally echo the recommendation of PayPal or PayPal-like services.

    Also for web hosting, you'd better have some crazy bandwidth to do something like that. (And for that matter make sure your contract with your ISP allows web hosting.)
    Life is an extraordinarily long concatenation of luck and coincidence.
