
Ask HN: Do I need a hardware firewall for my first dedicated server? - potatofish
I'm getting ready to deploy the first phase of my app on a dedicated machine. Phase I is not public, meaning it has no web site, other than the one I use to administrate the app, and it takes no connections other than SSH. I will be running the latest Ubuntu Server, and using UFW for the firewall.

Question is, should I spend the $50 that Softlayer asks for a 10Mbps hardware firewall? Is Ubuntu's firewall enough?
======
gojomo
The software firewall is plenty. Make sure services on the ports that are open
are as locked-down as possible: no brute-forceable passwords for SSH;
conservative web server configuration and vigilant security updates of all
software used.

Then spend the money saved on the hardware firewall on more frequent and
offsite backups of crucial data.
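
Two checks for the SSH-only Ubuntu/UFW setup described in the question and in this reply, as an added example that is not from the thread or from any poster: an audit of sshd_config for settings that leave SSH open to password brute-forcing, and the UFW commands for an "SSH in, nothing else" host. The config path and the port are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Audits an sshd_config for settings that
# leave SSH brute-forceable, and prints the UFW rules for an SSH-only host.
# Paths and port are assumptions.
set -u

# Effective value of directive $1 in file $3 (sshd uses the first match);
# $2 is what to report when the directive is absent. Match blocks are not
# handled, so keep the audited settings in the global section.
_sshd_effective() {
  local v
  v=$(grep -iE "^[[:space:]]*$1[[:space:]]+" "$3" | head -n1 | awk '{print tolower($2)}')
  printf '%s' "${v:-$2}"
}

# Return 0 if the config disables password login and root password login and
# keeps public-key login on; print each offending setting and return 1 otherwise.
audit_sshd_config() {
  local cfg="$1" bad=0 v
  v=$(_sshd_effective PasswordAuthentication unset "$cfg")
  if [ "$v" != "no" ]; then
    echo "PasswordAuthentication=$v: passwords can be brute-forced"; bad=1
  fi
  v=$(_sshd_effective PermitRootLogin unset "$cfg")
  case "$v" in
    no|prohibit-password) ;;
    *) echo "PermitRootLogin=$v: root password login not ruled out"; bad=1 ;;
  esac
  v=$(_sshd_effective PubkeyAuthentication yes "$cfg")
  if [ "$v" != "yes" ]; then
    echo "PubkeyAuthentication=$v: key login would fail"; bad=1
  fi
  return "$bad"
}

# Print (do not run) the UFW commands for an SSH-only inbound policy. 'limit'
# allows the port but rate-limits new connections to it, which blunts
# repeated login attempts that the default-deny cannot stop.
ufw_ssh_only_plan() {
  local port="${1:-22}"
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw limit ${port}/tcp" \
    "ufw enable"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config && ufw_ssh_only_plan 22
```

Run the audit before enabling the firewall: if it reports a finding, fix sshd_config and restart sshd first, since the plan leaves only that port reachable.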

------
yourabi
A software firewall should be sufficient at first. It makes sense putting off
any additional spending until the app is validated and you start to scale.

~~~
potatofish
So that means that the OS firewall is safe enough that I shouldn't worry about
it being compromised? I suppose the HW firewall could also be compromised, but
it does give a bit of extra peace of mind.

~~~
yourabi
In isolation yes - it is unlikely the vector of attack would (ever) be the
firewall itself. In fact I think system level attacks are less likely than
application level attacks (SQL injection, XSS, etc.)

I think you really get some performance features (like SSL offloading, etc.)

------
bl4k
Software firewall is fine for a single machine - plus the hardware firewall
you were quoted would restrict your throughput to only 10Mbps - which is not a
lot and would be maxed out with 4-5 concurrent users

~~~
staunch
In a typical web app scenario 10 Mbit is far more than sufficient to handle
hundreds or thousands of active users. Only if you're serving up large static
files (or similar) would 10 Mbit become a bottleneck, and even in that case
with throttling you could give ~25 concurrent users sufficient speed to stream
a video, etc.

------
staunch
No. You're infinitely more likely to get in trouble by running crappy or out
of date software. Worry about that and little else.

------
famfam
Enlighten me, what's all this talk of firewalls? Am I just a caveman for doing
everything with iptables?

------
andrewtj
The only practical thing I can see it doing for you is giving you extra
administrative overhead.

