Replacing a Central Firewall
During one of my ExpertExpress engagements I got an interesting question: “could we replace a pair of central firewalls with iptables on the Linux server?”
Short answer: Maybe (depending on your security policy), but I’d still love to see some baseline scrubbing before the traffic hits the server – after all, once someone pwns your server, they will simply turn off iptables (or add a rule that lets their own traffic through), so a host-based filter can never be the only control.
During the engagement we continued to discuss various tools we could use, from packet filters to reflexive access lists and full-blown stateful solutions, both in physical and virtual form, and ended up with a design that combined stateful filters on the servers with stateless packet filters in WAN edge devices and hypervisors.
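What the two layers look like in practice, as an added example that is not part of the original post or the ipSpace.net case study: a stateful iptables ruleset for the server (loaded with iptables-restore) next to a stateless baseline filter for the hypervisor, written as iptables rules without the conntrack match so it needs no state table and keeps working after the guest’s own firewall is gone. The addresses (RFC 5737 documentation prefixes), the management prefix, the tap interface name `vnet0` and the assumption that the hypervisor filters bridged VM traffic in its FORWARD chain are all illustrative assumptions; the same split applies to a WAN edge ACL.

```shell
#!/usr/bin/env bash
# Added example: stateful host filter + stateless upstream filter.
# All addresses and interface names below are assumed for illustration.
set -eu

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"    # assumed management prefix
SERVER_IP="${SERVER_IP:-203.0.113.10}"  # assumed server address
VM_IF="${VM_IF:-vnet0}"                 # assumed hypervisor tap interface for the VM

# Layer 1: stateful ruleset on the server itself, iptables-restore format.
# Default-deny inbound, accept return traffic via conntrack, open only the
# services the server actually offers.
server_stateful_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened or accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Published service, plus SSH only from the management prefix
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s ${MGMT_NET} -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of everything that falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Layer 2: stateless baseline filter on the hypervisor, applied to the VM's
# tap interface in the FORWARD chain. Deliberately no conntrack match:
# nothing inside the VM can disable it, and it holds even if the guest's
# iptables is switched off by an intruder.
edge_stateless_acl() {
  cat <<EOF
*filter
# Anti-spoofing: only the expected address may source traffic from this VM
-A FORWARD -i ${VM_IF} ! -s ${SERVER_IP} -j DROP
# Inbound: published service and management SSH
-A FORWARD -o ${VM_IF} -p tcp -d ${SERVER_IP} --dport 443 -j ACCEPT
-A FORWARD -o ${VM_IF} -p tcp -d ${SERVER_IP} --dport 22 -s ${MGMT_NET} -j ACCEPT
# Replies to outbound connections, recognised by TCP flags, not by state
-A FORWARD -o ${VM_IF} -p tcp -d ${SERVER_IP} ! --syn -j ACCEPT
-A FORWARD -o ${VM_IF} -p icmp -d ${SERVER_IP} -j ACCEPT
-A FORWARD -o ${VM_IF} -j DROP
COMMIT
EOF
}

# Usage: "./filters.sh apply" loads the host ruleset (needs root and iptables);
# any other invocation just prints both rulesets for review.
if [ "${1:-}" = "apply" ]; then
  server_stateful_rules | iptables-restore
else
  server_stateful_rules
  edge_stateless_acl
fi
```

The stateless `! --syn` rule is exactly the weakness of packet filters the post alludes to: any ACK-flagged segment reaches the server, so it scrubs obvious junk and spoofed sources but does not replace the stateful layer; it is the floor that survives a compromised host, and the host ruleset is where the precise policy lives.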
A new ExpertExpress case study published on ipSpace.net summarizes these options and describes several high-level designs you could use depending on how secure you want your infrastructure to be.
Whichever design you pick, I do agree that iptables on the server has its place: it is the layer that enforces the precise per-host policy, as long as something upstream still filters the traffic when the host itself can no longer be trusted.