What You Need To Know
To keep your data secure, your systems should perform at least the following three checks:
- Is the user’s system allowed to access this service?
- Is the user who they say they are?
- Is the user allowed to access this service?
The second of those, authentication, is typically verified by a username and password or, increasingly, by two-factor authentication. The third, authorisation, is typically managed by the application. The first is a blunter instrument, and may implement controls such as “users may not access the development server from the Internet”. Enforcing such rules is the role of a firewall.
Every server should be protected by a firewall. It doesn’t have to be a multi-thousand-pound standalone device: it may be sufficient to use the firewall software that comes as part of Linux. The configuration of the firewall depends upon the role of the server, but the bottom line is that you should allow only the minimum access necessary for the server to perform its allocated tasks.
So, for a web server, you may well allow web access from anywhere, but you may allow updates to the website only from your offices.
What Does A Firewall Do?
A firewall permits or denies network access between two or more locations. Typically, a firewall is placed between the Internet and one or more servers, and controls access to and from those servers. Whether or not access is permitted is determined by three things:
- the source of the connection
- the destination of the connection
- the type of connection
For example, a firewall protecting a mail server may permit a connection from anywhere on the Internet to the mail server of type “SMTP”, which is the protocol used to pass email between systems. Most other types of connection would be denied.
A firewall protecting a web server may permit connections from anywhere to the web server of type HTTP or HTTPS, and it may also permit connections of type SFTP, a secure protocol used to upload new files, from the web developers to the web server. Again, most other types of connection would typically be denied.
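The two server roles just described, written as the Linux firewall configuration the article alludes to. This is an added example, not Tiger Computing's own configuration: it generates an nftables ruleset with a default-deny input chain, permitting SMTP from anywhere for the mail server role, and HTTP/HTTPS from anywhere plus SFTP (which runs over SSH) only from an office network for the web server role. The office prefix 203.0.113.0/24 is a constructed placeholder from the documentation address range, and `port_open_to_world` is a helper written for this example.

```shell
#!/bin/sh
# Added example (not Tiger Computing's own configuration): generate an
# nftables ruleset for the two server roles described above. The office
# network 203.0.113.0/24 is a constructed placeholder from the
# documentation range; substitute your real developer/office prefix.

# Rules shared by every role. The chain policy is "drop", so anything
# not explicitly accepted below is denied: this is the "minimum access
# necessary" principle expressed as configuration.
base_chain() {
    cat <<'EOF'
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
EOF
}

# Mail server: SMTP (TCP 25) from anywhere on the Internet, nothing else.
mail_ruleset() {
    printf 'table inet filter {\n    chain input {\n'
    base_chain
    printf '        tcp dport 25 accept comment "SMTP from anywhere"\n'
    printf '    }\n}\n'
}

# Web server: HTTP/HTTPS from anywhere; SFTP, which runs over SSH on
# TCP 22, only from the office network passed as $1.
web_ruleset() {
    office="${1:?usage: web_ruleset <office CIDR>}"
    printf 'table inet filter {\n    chain input {\n'
    base_chain
    printf '        tcp dport { 80, 443 } accept comment "HTTP/HTTPS from anywhere"\n'
    printf '        ip saddr %s tcp dport 22 accept comment "SFTP from office only"\n' "$office"
    printf '    }\n}\n'
}

# Policy check that needs neither root nor the nft binary: returns 0 if
# the ruleset on stdin accepts TCP port $1 without any source restriction
# (no "saddr" term on the accepting line), 1 otherwise. Run it before
# loading a ruleset to confirm only the intended ports face the Internet.
port_open_to_world() {
    grep 'accept' | grep -v 'saddr' | grep -q "dport.*[{ ]$1[,} ]"
}

# Usage on the server, as root (-c only checks syntax; -f loads the file):
#   web_ruleset 203.0.113.0/24 > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

Because the chain policy is `drop`, adding a service means adding one explicit `accept` line; forgetting one breaks that service visibly rather than silently leaving something else exposed. The `established,related` rule is what lets the server's own outbound connections (updates, DNS, outbound mail) receive their replies without opening inbound ports.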
“I’ve been faced with knowing more than the tech guys many times in the past, but never with Tiger Computing. Everything is always done, and done very well. They make stuff work without fuss, fanfare and hyperbole.” – Jonny Wray, Head of Discovery, e-Therapeutics plc