Server behind a firewall

We all know that to keep a server secure, we need to patch it at all times.

But if the server is behind a firewall, do we still need to patch the server? Also if only a few ports are open for inbound traffic to the server?

Thanks.

Yes.

A firewall is only a small part of the security you need to protect your server. Patching is another unrelated part of security.

If we imagine that the firewall has only one port open to the server, but no service runs on this port, does it then make sense to patch the server?

Yes, you still need to patch it. First, the patch might well include something remotely exploitable over a service which should be punched through the firewall – like some of those IIS/ASP.NET vulnerabilities we had recently where the vector was port 80. Or many of the Apache CERT advisories. The other issue is what happens when someone compromises something inside the firewall? Most real-world attacks aren’t a single exploit – they tend to be a series of tricks to get inside the firewall and gain root access.

Or, no responsible administrator would skip patches wholeheartedly. Quit being a lazy BOFH.

I am not a server operator myself. But I am asking this because I had a discussion about this with our server operator. Apparently most people patch servers without knowing the reason for doing this (which is fine).

Back to the question: Is it possible for a hacker to exploit a server through a port where no service is running?

Thanks.

The only truly secure way to run a server is to disconnect it from the network. Which is kind of counterproductive if you actually want it to serve stuff.

Your answers are funny, but not very helpful.

Security is all about layers, there’s no single magic bullet product out there. As a minimum you need to be looking at:

  • General software patching
  • Kernel patching/updates
  • Firewall
  • Log monitoring
  • Intrusion detection/prevention

As for exploits through a port with no software running - if there’s no software running on the port then technically the port doesn’t “exist” on the system.

Thanks,
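One way to check the situation this thread keeps coming back to (an allowed port with nothing listening behind it, and services that are unreachable from outside but still reachable once someone is inside) is to reconcile the firewall's allow-list with what the host is actually listening on. This is an added example, not code from anyone in this thread; the allow-list and the `ss -ltn`-style output are constructed.

```python
# Added example: reconcile a firewall allow-list with listening sockets.
# Both inputs below are constructed for illustration, not taken from a real host.
import re

# Constructed set of TCP ports the firewall permits inbound.
FIREWALL_ALLOWED_TCP = {22, 80, 443, 8080}

# Constructed text in the shape of `ss -ltn` output (header plus LISTEN rows).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:9090            [::]:*
"""

# Matches a LISTEN row and captures the local bind address and port.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")

def parse_listeners(ss_text):
    """Return {port: bind_address} for every LISTEN row in ss -ltn style text."""
    listeners = {}
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(1)
    return listeners

def is_loopback(addr):
    """True when the socket is bound only to the local host."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def reconcile(allowed, listeners):
    """Classify ports: exposed (allowed and listening on a routable address),
    dangling (allowed but nothing listening), unreachable (listening but blocked).
    Unreachable ports are still attack surface for anyone already inside."""
    exposed = sorted(p for p in allowed
                     if p in listeners and not is_loopback(listeners[p]))
    dangling = sorted(p for p in allowed if p not in exposed)
    unreachable = sorted(p for p in listeners if p not in allowed)
    return {"exposed": exposed, "dangling": dangling, "unreachable": unreachable}

if __name__ == "__main__":
    for label, ports in reconcile(FIREWALL_ALLOWED_TCP,
                                  parse_listeners(SS_OUTPUT)).items():
        print(f"{label}: {ports}")
```

The "dangling" rules are the case asked about above (open port, no service); the "unreachable" list is what a patch still protects once an attacker is past the firewall.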

Funny? No, it is absolutely true. Security is not a game.

Thanks for the fine reply, which I think is spot-on.

Short Answer: Yes, Always!

Long Answer: Yes, you should always patch your server, even if it is behind a firewall, even a decent intrusion detection / prevention one. If something is exposed to the outside world, it IS vulnerable, no matter how much you do to try and stop it. Keeping software up to date is one of the key things to prevent possible threats and exploits being abused.