Firewalls are a must-have in any server security setup. Their role is simple:
- Block known malicious IPs before they reach your server.
- Stop abusive IPs from running brute-force attacks.
- Lock out IPs that try to exploit known vulnerabilities.
You can’t leave your website or server without a firewall.
Instead of asking which firewall to use, first decide what kind of firewall you need, then pick the right tool for your budget.
You can use an app-level firewall, a DNS-level firewall, or a server-level firewall.
App-level firewalls are resource intensive
Every request the firewall inspects has to run through a PHP process, which means more CPU usage, multiplied by the number of visits your website gets.
It adds substantial overhead to every request your server handles.
One common problem with a free app-level firewall is that its threat/exploit database is not updated in real time.
Let’s take Wordfence as an example.
The free version has a 30-day delay in getting the updated firewall rules.
That seems fine until a zero-day vulnerability starts being exploited in the wild.
You have no defense against that specific vulnerability for 30 days. If you are unlucky, you might get hacked almost instantly.
You need a premium subscription to access an updated threats database.
Still taking Wordfence as an example, Wordfence Premium goes for $119 per year per website, with their more complete plans at $490 per year for Wordfence Care and $950 per year for Wordfence Response.
Known providers:
- Wordfence Premium ($119/y per website)
- Jetpack Scan (starts at $10/m per website)
- iThemes Security Basic ($99/y per website)
A DNS-level firewall makes you depend on the DNS provider’s performance
Most providers in this space are fast, though.
Expect a minimum of $20 per month per website. The price usually bundles other services, like a CDN and edge computing.
Known providers:
- Sucuri Basic (starts at $199/y per website)
- Cloudflare ($25/m per website)
- StackPath ($60/m per website)
A server-level firewall is the most affordable, but it’s not made for everyone
A server-level firewall performs well with almost no performance impact. It requires access to the hosting server (an unmanaged VPS or a dedicated server) so you can deploy something like ConfigServer Security & Firewall (CSF) plus rules specific to what you are running.
CSF is a powerful firewall with GUI integrations for all major server administration panels: cPanel, DirectAdmin, InterWorx, CentOS Web Panel (CWP), VestaCP, and Webmin.
The real power of CSF is in how it can be tailored: harden the rules to your specific web environment and make it a stronghold against outside attacks.
Notes:
- This is a server-level tool meant for server administrators and not for the end user.
- Your web host might have it enabled in a more relaxed configuration to accommodate shared hosting environments.
Known providers:
- ConfigServer Security & Firewall (free)
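The tailoring step in practice, as an added example (not code from the page or from the CSF project): a POSIX shell script that rewrites the handful of csf.conf keys that matter most so that only the services the host really runs are reachable. It assumes a web server that needs only SSH, HTTP and HTTPS inbound, uses CSF’s real `KEY = "value"` file format and key names, and takes the config path as an argument so you can try it on a copy before touching `/etc/csf/csf.conf`. The sample csf.conf it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the page or the CSF project: tailor the handful
# of csf.conf keys that matter most to the services a host really runs.
# Assumptions: the host is a web server that needs only SSH, HTTP and
# HTTPS inbound; the config path is passed in so you can try it on a copy
# before touching /etc/csf/csf.conf.
set -eu

# Constructed sample of a fresh csf.conf, limited to the keys we change.
# The real file has many more keys, in the same KEY = "value" form.
write_sample_csf_conf() {
  cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_TRIGGER = "0"
EOF
}

# Rewrite one KEY = "..." line. Writes a temp file and renames it, so it
# works with both GNU and BSD sed (no sed -i).
csf_set() {
  key=$1; value=$2; conf=$3
  sed "s|^$key = \".*\"|$key = \"$value\"|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read one value back, for checks.
csf_get() {
  sed -n "s|^$1 = \"\(.*\)\"|\1|p" "$2"
}

# The hardening itself. $2 is the SSH port (default 22).
harden_csf_conf() {
  conf=$1
  ssh_port=${2:-22}
  # TESTING = "1" keeps a cron job that flushes the rules every few
  # minutes (TESTING_INTERVAL) so you cannot lock yourself out; the
  # firewall is not really on until this is "0".
  csf_set TESTING "0" "$conf"
  # Inbound: only what this host serves. Everything else stays closed,
  # which is the rule-tailoring the article is talking about.
  csf_set TCP_IN "$ssh_port,80,443" "$conf"
  csf_set UDP_IN "" "$conf"
  # Outbound: SSH, mail submission, DNS, HTTP(S) for updates.
  csf_set TCP_OUT "22,25,53,80,443,587" "$conf"
  # Login failure daemon (lfd): block after 3 failed SSH logins, permanently.
  csf_set LF_SSHD "3" "$conf"
  csf_set LF_SSHD_PERM "1" "$conf"
}

# Stand-alone demo on a scratch copy. On a real host you would point this
# at /etc/csf/csf.conf and then run `csf -r` to reload the rules; ad-hoc
# blocks are `csf -d 203.0.113.5 "brute force"` (permanent) and
# `csf -td 203.0.113.5 3600 "temp block"` (one hour).
demo=$(mktemp -d)
write_sample_csf_conf "$demo/csf.conf"
harden_csf_conf "$demo/csf.conf" 2222
grep -E '^(TESTING|TCP_IN|UDP_IN|TCP_OUT|LF_SSHD)' "$demo/csf.conf"
rm -r "$demo"
```

Run it against a copy of your csf.conf first and diff the result; the two keys people most often get wrong are `TESTING` (left at 1, so the firewall silently flushes itself) and `TCP_IN` (left at the shipped default, which exposes FTP, POP and IMAP ports on a host that serves none of them). Keep the SSH port you pass in consistent with sshd_config, or the reload locks you out.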
Some additional advice
Usually, you will want to combine at least the DNS-level and server-level firewalls, so that if one provider’s threat signatures are missing a newly added one, the other may still catch it.
I usually leave the app-level firewall for cases where the DNS-level and server-level can’t be used for some reason.
Don’t consider it mission accomplished once you deploy or enable a firewall. It’s just a tool, and it’s worthless if it’s not configured well and constantly monitored.
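Combining the DNS-level and server-level layers has one concrete rule behind it that the advice above implies but does not spell out: the origin must accept web traffic only from the DNS-level provider’s edge addresses, otherwise anyone who learns the origin IP can bypass the DNS-level firewall entirely. The script below is an added example, not code from the page or from the CSF project. It assumes CSF’s advanced csf.allow entry syntax (`tcp|in|d=PORT|s=CIDR`) and a `TCP_IN` line in csf.conf; the address ranges in it are constructed placeholders (RFC 5737 documentation networks), not any provider’s real list.

```shell
#!/bin/sh
# Added example, not from the page or the CSF project. It shows the one
# server-level rule that makes a DNS-level firewall enforceable: the origin
# accepts 80/443 only from the edge provider's address ranges, so someone
# who finds the origin IP cannot bypass the DNS-level filtering by
# connecting to it directly.
# Assumptions: CSF's csf.allow advanced entry syntax (tcp|in|d=PORT|s=CIDR)
# and a TCP_IN line in csf.conf. The ranges below are constructed
# placeholders (RFC 5737 documentation networks), not any provider's real
# list; take the real ranges from the provider's published list.
set -eu

EDGE_RANGES="192.0.2.0/24
198.51.100.0/24"

# Constructed sample csf.conf with the web ports still open to the world.
write_sample_conf() {
  printf 'TCP_IN = "22,80,443"\n' > "$1"
}

# Remove one port from a comma-separated csf.conf list such as TCP_IN.
remove_port() {
  key=$1; port=$2; conf=$3
  current=$(sed -n "s|^$key = \"\(.*\)\"|\1|p" "$conf")
  new=$(printf '%s\n' "$current" | tr ',' '\n' | grep -vx "$port" | tr '\n' ',' | sed 's/,$//')
  sed "s|^$key = \".*\"|$key = \"$new\"|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Append allow entries so the web ports are reachable from the edge only.
# A port that is absent from TCP_IN is closed for everyone except the
# sources listed in csf.allow, which is exactly the effect we want.
allow_web_from_edge_only() {
  allow=$1
  printf '%s\n' "$EDGE_RANGES" | while read -r cidr; do
    [ -n "$cidr" ] || continue
    for port in 80 443; do
      printf 'tcp|in|d=%s|s=%s # edge provider only\n' "$port" "$cidr" >> "$allow"
    done
  done
}

# Close 80/443 globally, then re-open them for the edge ranges only.
lock_origin_to_edge() {
  remove_port TCP_IN 80 "$1"
  remove_port TCP_IN 443 "$1"
  allow_web_from_edge_only "$2"
}

# Helpers for checking the result.
tcp_in_value() { sed -n 's|^TCP_IN = "\(.*\)"|\1|p' "$1"; }
edge_rule_count() { grep -c '^tcp|in|d=' "$1" || true; }

# Stand-alone demo on scratch files. On a real host the files are
# /etc/csf/csf.conf and /etc/csf/csf.allow, followed by `csf -r`.
demo=$(mktemp -d)
write_sample_conf "$demo/csf.conf"
: > "$demo/csf.allow"
lock_origin_to_edge "$demo/csf.conf" "$demo/csf.allow"
cat "$demo/csf.conf" "$demo/csf.allow"
rm -r "$demo"
```

Two operational caveats follow from this setup. Edge providers change their ranges, so the list has to be refreshed from the provider on a schedule or the site goes dark when a new edge range appears. And once every web hit arrives from an edge address, any IP-based blocking of web abuse has to happen at the edge (or be keyed on the client-IP header the edge forwards), because blocking an edge range at the server level would take the whole site offline.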