I'm setting up a bunch of Ubuntu servers in a colocation center. They offer a shared firewall service, but suggested I install a firewall on the servers myself, i.e. configure iptables on each machine (they suggested APF, but I'm leaning towards using UFW).
I'm pretty sure a dedicated firewall would be more secure, so I've asked them to use the shared firewall.
Am I right to assume that a dedicated firewall, managed by professionals, would be a better solution than whatever I can manage with software?
Should I set up a firewall on the servers in addition to the external one, or is that overkill?
Does it matter if the shared firewall is a hardware device or just a linux box?
EDIT: Clarified. Sorry it took me so long.
I would recommend installing a software firewall like iptables on the servers whether or not you have a hardware firewall. The more layers of protection you have, whether to provide more walls for an attacker or to provide more places that someone would have to do something silly to allow an attacker in, the better.
That said, I would generally prefer to have both a software and a hardware firewall. There's a real issue though, if it's a managed firewall, of the skill and responsiveness of the firewall provider. If it takes them a week to open a port and you lose a customer because of it, was it worth it? The vendor you are evaluating may be awesome, this is just a consideration I would have.
So:
Is a dedicated firewall, managed by professionals, a better solution than whatever I can manage with software?
If it's a one-or-the-other choice, then generally yes. Let the professionals who focus on this work take care of this for you.
Should I set up a firewall on the servers in addition to the external one, or is that overkill?
Yes. The ONLY downside is a little less performance on your machine. The upside is that if someone manages to break into ANOTHER machine on the inside of the hardware firewall, then you still have some amount of protection from bad traffic inside the data center.
Ideally the network is set up such that this cannot happen, but that's more expensive and difficult to maintain well, so you can't always depend on that.
Does it matter if the shared firewall is a hardware device or just a linux box?
Most hardware firewalls are Linux boxes. It doesn't matter which is used - what matters is who implemented the Linux build, and how good they are at it. A dedicated hardware box probably has more time and effort spent on making the build secure, and it's probably flashed into the device so it's a bit harder to hack and change remotely, but beyond that there's no practical difference.
-Adam
You should use both. It doesn't matter if the shared firewall is "a hardware device" or a generic OS with firewall software (most "hardware devices" are still just a generic OS with software on, so there's not much difference).
The local firewall on the machine will do its best (depending on how you configure it) to protect from both local and outside traffic. The shared firewall will help in addition against outside traffic - both should be considered mandatory in any system today as their scope is different. The local one helps a bit against the eggshell problem with only a shared firewall - i.e. lots of evil stuff can originate from the local network, by chance or not.
The shared firewall will most likely allow even less traffic - while the host local firewall will have to allow stuff like connections to database servers, cluster and load balancing - which shouldn't pass through the shared one.
Sadly, I still can't comment here so I have to post it as a separate answer.
I am going to side with Adam Davis here and say that the best solution would be the mixture of both - you should set up a box serving as a dedicated firewall and screen the connections on the servers themselves; that is how we do it anyway. It takes next to no effort to restrict the exposure of the servers only to addresses that you trust (takes a few entries in iptables).
As for the "dedicated firewall box" - for some reason people tend to think that it should best be a "hardware firewall" (like the used-to-be-oh-so-popular PIX), which makes no sense to me, because it is not some "magic box"; it is for all intents and purposes a PC running some specialized software. If you get your hands on such a device (PIX, ASA or whatever equivalent of those), good for you, but you still need a professional to set it up; it doesn't "just work". The best thing to do will be to set up a dedicated Linux (or BSD, it's down to preference, really) box just for that. You will, of course, still need someone to help you with hardware and software - depending on the complexity of the firewall setup you are looking for.
I know this is a bit off-topic, but I am going to tell you this: as for the security of your servers, do NOT be afraid of iptables. I don't know if Ubuntu has some helper tool for dealing with iptables, but I would say avoid it at all costs. Understanding how chain traversal works in iptables takes no time whatsoever, and closing down access to your server from certain addresses or setting up simple NAT takes as little as a few (extremely well defined) shell commands after that.
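The host-level policy that Adam Davis's answer and the answer above both describe (default-deny inbound, a few trusted addresses allowed through) as an added example that is not part of any answer on this page. It emits an iptables-restore ruleset rather than running commands one at a time, so the whole policy is applied atomically; the admin addresses, cluster subnet and database port are constructed sample values, and the script only prints the ruleset unless told to apply it (UFW, which the question leans towards, generates iptables rules of this kind underneath).

```shell
#!/bin/sh
# Host firewall for a server sitting behind a colo's shared firewall.
# Inbound policy: drop everything except SSH from admin addresses and the
# database port from the cluster subnet. Outbound is left open.
ADMIN_NETS="203.0.113.10/32 203.0.113.11/32"   # constructed sample (TEST-NET-3)
CLUSTER_NET="10.20.0.0/24"                      # constructed sample subnet
DB_PORT=5432                                    # constructed sample port

# Print an iptables-restore ruleset for the filter table on stdout.
gen_ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'          # default-deny inbound
  echo ':FORWARD DROP [0:0]'        # this host does not route
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # SSH only from the trusted admin addresses (one rule per address).
  for net in $ADMIN_NETS; do
    echo "-A INPUT -p tcp -s $net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Database traffic only from the cluster subnet inside the colo network.
  echo "-A INPUT -p tcp -s $CLUSTER_NET --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT"
  # Rate-limited logging of what the default policy is about to drop.
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "host-fw-drop: "'
  echo 'COMMIT'
}

# Sanity check before applying: how many rules open NEW inbound connections?
count_openings() {
  gen_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Dry run by default; "--apply" loads the ruleset atomically (needs root).
apply_ruleset() {
  if [ "$1" = "--apply" ]; then
    gen_ruleset | iptables-restore
  else
    gen_ruleset
  fi
}
```

Review the dry-run output, then run it with `--apply` from a console session (not over SSH from an address outside ADMIN_NETS, or the new policy locks you out).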
I commented asking for clarification of the question... depending on any edit I may change this answer!
Am I right to assume that a dedicated firewall, managed by professionals, would be a better solution than whatever I can manage with software?
Yes. My take is that dedicated firewalls are better. Managed by professionals is generally much better, assuming that the professionals are competent and can be trusted.
Should I set up a firewall on the servers in addition to the external one, or is that overkill?
I am ambivalent about local software firewalls if there is a good (trusted) external firewall. Others disagree, and the trend in the industry is to have local firewalls as a layer of internal protection if the external firewall is breached. The question is whether the administrative effort and the risk that the local firewall will cause trouble are worth the added protection or peace of mind. In an environment without clients (i.e. a colo) I would not think so.
Does it matter if the shared firewall is a hardware device or just a linux box?
Not sure I get the question... many (if not most) firewall devices are basically PC hardware running the Linux OS.
A firewall is software, whether implemented on top of Linux, embedded in some hardware, or built on a special-purpose OS. Linux is a great solution for a firewall platform because it can be very finely tuned and otherwise secured.
My opinion on this depends on the situation.
In your case, I'd recommend using the colocation facility's firewall to protect you from the outside world, as it is presumably managed by professional networking people who know what they are doing. Also, you save your machines from dealing with DoS attacks, and other internet nuisances.
At the same time, I don't trust the colo's network either. Use the software firewall to control who can ssh in and expose a minimum profile to other hosts in the colo provider's network.
In an internal, "trusted" (your version of "trusted" may vary) network, I would avoid using software firewalls, and instead utilize your network infrastructure to implement communications controls.
If you have good experience with managing firewalls and network routing, then there's no reason to believe that a service would do better. If you don't want to hassle with it, then let them deal with it.
Personally... I like the idea that I can mangle my packets anytime I like. But that's just me...
Not only is it overkill, but under certain circumstances it can lead to other issues (packet loss, unidirectional packet transmits, etc.).
If you are safeguarding a lot of money, or something of equal value, then yeah, I would have some layers of defense, and a 2nd firewall might provide at least a codpiece token offering in this regard.
This is a function of the complexity of your firewall and routing. The Linux box can pretty much function as a dedicated low-end router, allowing you to do address rewrites, class-based queues, port rewrites, etc.