Replacing a Central Firewall

During one of my ExpertExpress engagements I got an interesting question: “could we replace a pair of central firewalls with iptables on the Linux server?”

Short answer: maybe (depending on your security policy), but I’d still love to see some baseline scrubbing before the traffic hits the server. After all, if someone pwns your server, he’ll quickly turn off iptables.

During the engagement we continued to discuss various tools we could use, from packet filters to reflexive access lists and full-blown stateful solutions, both in physical and virtual form, and ended up with a design that combined stateful filters on the servers with stateless packet filters in WAN edge devices and hypervisors.

A new ExpertExpress case study summarizes these options and describes several high-level designs you could use, depending on how secure you want your infrastructure to be.
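The layered design described above, as an added example that is not part of the original post or the case study: a stateful iptables rule set for the server itself, plus a coarse stateless filter on the hypervisor (or any Linux box in the path) that keeps working even after an attacker on the server switches the local iptables off. The addresses, the service ports, and the assumption that the VM’s traffic passes through the hypervisor’s FORWARD chain are mine; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): two filtering layers.
# IPT defaults to iptables; set IPT=echo for a dry run that only prints the rules.
IPT="${IPT:-iptables}"
# Hypothetical addresses used for illustration only.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"       # where SSH is allowed to come from
SERVER_IP="${SERVER_IP:-198.51.100.10}"    # the protected server / VM

# Layer 1: stateful filter on the server (needs root; goes away if the box is owned).
server_stateful_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP          # default deny inbound
    $IPT -P FORWARD DROP        # the server does not route
    $IPT -P OUTPUT ACCEPT       # the server may initiate connections
    # Loopback and return traffic of connections conntrack already knows about
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that do not belong to any known connection (stray ACK/RST, bad sequence)
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Public service: new HTTPS connections from anywhere
    $IPT -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # SSH only from the management network
    $IPT -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Rate-limited ping; path MTU discovery replies are covered by RELATED above
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log (rate-limited) whatever the INPUT policy is about to drop
    $IPT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables-drop: "
}

# Layer 2: stateless "baseline scrubbing" on the hypervisor, in front of the VM.
# No conntrack: it cannot be disabled from inside the VM, but it also cannot tell
# genuine return traffic from crafted packets that merely look like it.
hypervisor_stateless_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Toward the server: only the two published services
    $IPT -A FORWARD -d "$SERVER_IP" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -d "$SERVER_IP" -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    # From the server: replies of those services. "! --syn" = anything but a bare SYN,
    # the same trick as the "established" keyword in router ACLs.
    $IPT -A FORWARD -s "$SERVER_IP" -p tcp --sport 443 ! --syn -j ACCEPT
    $IPT -A FORWARD -s "$SERVER_IP" -p tcp --sport 22 ! --syn -j ACCEPT
    # Server-initiated HTTPS (updates, API calls) and its return traffic. Note the
    # weakness: any non-SYN packet with source port 443 gets through to the server,
    # which is exactly why this layer is scrubbing and not a firewall.
    $IPT -A FORWARD -s "$SERVER_IP" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -d "$SERVER_IP" -p tcp --sport 443 ! --syn -j ACCEPT
    # ICMP stays open so path MTU discovery keeps working
    $IPT -A FORWARD -p icmp -j ACCEPT
}

# Usage: IPT=echo sh firewall.sh server|hypervisor   (drop IPT=echo to apply as root)
case "${1:-}" in
    server)     server_stateful_rules ;;
    hypervisor) hypervisor_stateless_rules ;;
    *)          echo "usage: IPT=echo $0 server|hypervisor" >&2 ;;
esac
```

Run `IPT=echo sh firewall.sh hypervisor` and note that nothing in the output mentions conntrack: that is the property that lets the rule set survive the server being compromised, and also the reason it permits far more than the stateful layer does.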

  1. I would think this would be a nightmare to scale. Scripting and automated auditing would be a must in most shops. Why not go with virtual firewalls and just move them closer to the server?

     I do agree though that iptables should be used to some extent.