XG-7100 1U for the webserver gateway
-
Hello guys,
I want to configure a Netgate XG-7100 1U as the webserver/database gateway. Which packages are essential for securing a webserver?
Thanks. -
Are you sure you want to put a server/database on your firewall? That's considered very bad practice.
-
@jknott said in XG-7100 1U for the webserver gateway:
That's considered very bad practice.
this has been a theme here many times
+++edit:
or does the OP want to set up an NGFW in front of the web/db server?
https://forum.netgate.com/topic/154479/diagnostic-cleaning-up-after-being-hacked?_=1614166619925 -
@jknott
I need to explain here: actually the XG-7100 1U works as a firewall only, with a global IP address on my network, and the webserver has a local IP, e.g., 192.168.1.10, on another machine. pfSense forwards all required ports to the webserver 192.168.1.10. To secure the XG-7100, I need to install some packages such as Snort, Squid proxy server, pfBlockerNG, etc. Any recommendation for any extra package to secure the webserver?
-
@aie-sakaki said in XG-7100 1U for the webserver gateway:
Any recommendation for any extra package to secure the webserver?
I would put this directly on the web server; it was invented for this:
WAF
https://modsecurity.org/
BTW:
Be careful with a lot of filtering and restrictions on the NGFW in front of the web server, because in the end no one can see your page. -
I agree that pfSense can't do much for a real webserver, and a Web Application Firewall should be installed on the webserver for protection, such as ModSecurity or Cloudflare.
Although I think pfSense is the best open source firewall, with well-explained documents and videos.
Which one do you recommend me, ModSecurity or Cloudflare? Thanks for the help. -
@aie-sakaki said in XG-7100 1U for the webserver gateway:
I agree that Pfsense can't do much for a real webserver,
You are on the right way now.
Many people use pfSense in front of their web server, but I don't think that's the solution.
The web server needs to be fast and secure, not to mention the question of redundancy and operational safety. So an extra tool like an NGFW brings more error options into the system.
Examination of all packets with an NGFW (+IPS, +IDS, +DNSBL, etc.) slows down the whole process; on high-load web servers this can cause a significant reduction in capacity (not to mention that an NGFW requires daily administration, in extreme cases hourly - which web server admin has time for this, plus?).
To your question, I can tell you we use the CF PRO plan (20 USD only / mo) and ModSecurity WAF + OWASP rules in combination.
https://www.cloudflare.com/plans/
Web server on:
-Debian 10.x (Buster) 64bit
-Apache Worker, factory package
Note:
-the monitoring for updates is essential! -
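As an added example of the combination this post describes (Cloudflare in front, ModSecurity with the OWASP rules on Apache), not daddygo's own configuration: an Apache fragment for the origin server. The Debian package paths, the IP-list file and the host name are assumptions.

```apache
# /etc/apache2/conf-available/waf-behind-cloudflare.conf (assumed path; enable with a2enconf)
# Assumes the Debian packages libapache2-mod-security2 and modsecurity-crs are
# installed and the modules are enabled: a2enmod security2 remoteip

# Cloudflare terminates the client connection, so without this the origin logs,
# rate-limits and writes WAF audit entries against Cloudflare edge IPs instead of
# the visitor. Trust the header only when the TCP peer is a Cloudflare range;
# the list file is assumed to hold the ranges published at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, one per line.
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /etc/apache2/cloudflare-ips.txt

# %a is the restored client address; %{c}a would still be the proxy.
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" cf_combined

<IfModule security2_module>
    # Run in DetectionOnly first, review the audit log for false positives
    # on the real application, then switch to On.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # OWASP Core Rule Set as shipped by the modsecurity-crs package (paths assumed).
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    CustomLog ${APACHE_LOG_DIR}/access.log cf_combined
    # The origin should answer Cloudflare only; otherwise the WAF at the edge is
    # bypassed by connecting to the forwarded port directly. Use the same ranges
    # as the source alias on the pfSense port-forward rule for 443.
    <Location />
        Require ip 192.0.2.0/24     # placeholder; replace with the Cloudflare ranges
        Require ip 198.51.100.0/24  # placeholder; replace with the Cloudflare ranges
    </Location>
</VirtualHost>
```

The Cloudflare ranges change occasionally, so the list file and the pfSense alias need the same update routine the post calls essential for packages.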
@daddygo
The picture is so clear for me now. I much appreciate your advice and time. CF PRO plan is right at a reasonable cost. I will prefer it. Thanks