If you've ever run your own infrastructure, you know the pains of properly securing your servers. The first step is always putting up some sort of firewall, whether it be hardware or software based. Following my last post about installing pfSense on DigitalOcean, I got a few questions about why I would want to host a firewall in the cloud.

Here we'll dive into why you may want to have one and, at the end of the day, what you actually gain from hosting it in the cloud.

Question:

Why would I want to have a firewall on the cloud?

Answer:

  1. You can easily manage your cloud firewall anywhere
  2. You can filter out malicious traffic at the edge
  3. You can deploy IDS/IPS systems at the edge
  4. You can set up a VPN server, so you can connect to your intranet from anywhere
  5. The cloud firewall can link up with your home firewall directly over a site-to-site connection (e.g. IPsec, OpenVPN, or even WireGuard)
  6. Static IPv4 addresses are cheap at DigitalOcean: grab a floating IP address and assign it to your droplet. If you ever need to rebuild or migrate the droplet, the floating IP address stays the same
  7. Backups are very inexpensive at DigitalOcean; backups for a $5 droplet cost $1
  8. Big internet pipe on the droplet (1Gbit) with reasonable bandwidth limits (1TB for a $5 droplet). That pipe is bigger than the average household's connection, so it will more than handle the traffic you put through it
  9. Ability to restrict traffic such as SSH to only <X> origins, which you can easily update
  10. Lock down your home firewall so that only traffic from the edge (and from internal hosts) on services like SSH, HTTP and HTTPS can be routed to the appropriate machine
  11. Connect to the firewall from your laptop on the go (e.g. coffee shops, trips across countries, etc.) and immediately have the same firewall rules you know and trust, without a big hassle
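
As an added example that is not part of the original post, here is what items 5, 9 and 10 look like on a plain Linux droplet rather than in the pfSense UI: a WireGuard site-to-site peer definition for the cloud edge, and an nftables ruleset that default-drops, admits SSH only from a set of admin origins, and forwards public HTTP/HTTPS to a home web server over the tunnel. All addresses, keys and interface names (eth0, wg0) are assumptions.

```shell
# Added example (not from the original post): the droplet side of a WireGuard
# site-to-site tunnel plus an nftables ruleset. All values are constructed placeholders.
HOME_LAN="10.0.0.0/24"          # assumed home network behind the home firewall
HOME_WEB="10.0.0.10"            # assumed internal web server
EDGE_TUN="10.99.0.1/24"         # droplet's tunnel address
HOME_TUN="10.99.0.2"            # home firewall's tunnel address
ADMIN_IPS="203.0.113.7, 198.51.100.0/24"   # the <X> origins allowed to SSH in

# WireGuard config for the droplet; generate real keys with `wg genkey | tee edge.key | wg pubkey`.
wg_edge_conf() {
    cat <<EOF
[Interface]
Address = ${EDGE_TUN}
ListenPort = 51820
PrivateKey = EDGE_PRIVATE_KEY_PLACEHOLDER

[Peer]
# home firewall; it dials out to the droplet, so no Endpoint is needed here
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = ${HOME_TUN}/32, ${HOME_LAN}
PersistentKeepalive = 25
EOF
}

# nftables ruleset for the droplet: default-drop, SSH only from ADMIN_IPS, WireGuard open,
# public 80/443 DNATed to the home web server. Masquerading on wg0 means the home firewall
# only ever sees the droplet's tunnel address as the source, so it can allow-list the edge alone.
nft_edge_rules() {
    cat <<EOF
flush ruleset
table inet edge {
    set admins { type ipv4_addr; flags interval; elements = { ${ADMIN_IPS} } }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        udp dport 51820 accept
        tcp dport 22 ip saddr @admins accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        oifname "wg0" ip daddr ${HOME_WEB} tcp dport { 80, 443 } accept
    }
    chain prerouting { type nat hook prerouting priority -100; iifname "eth0" tcp dport { 80, 443 } dnat ip to ${HOME_WEB}; }
    chain postrouting { type nat hook postrouting priority 100; oifname "wg0" masquerade; }
}
EOF
}
```

Write the two outputs to /etc/wireguard/wg0.conf and /etc/nftables.conf, enable net.ipv4.ip_forward, check the ruleset with `nft -c -f /etc/nftables.conf`, then bring it up with `wg-quick up wg0` and `nft -f /etc/nftables.conf`. The home firewall's matching peer lists the droplet's public IP as its Endpoint and only needs to allow 80/443 from 10.99.0.1 to the web server.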

Question:

Why can't I install something like Wireguard or OpenVPN server instead?

Answer:

You could, and you are more than welcome to. I personally prefer running a dedicated software firewall, seeing as it has all the features I'd want already in there, and it saves me having to do it all over SSH and updating forwarding rules. Personally, I enjoy the convenience of a web interface, so if I'm on my iPad I can hop in, update a rule, and never have to touch the command line for my firewall.

At the end of the day, it's up to personal preference if you'd like to use a dedicated software firewall or a VPN server – they both have equal pros and cons, and would depend on your comfort level with managing them.

What do I gain?

At the end of the day, you gain learning experience setting this all up, a public IPv4 address for less than the average ISP will charge you, a big network pipe on the droplet, and the ability to securely manage your edge firewall from anywhere. If you don't like pfSense, try VyOS! If you don't like either, try setting up a WireGuard VPN server and port forwarding over it, or even an IPsec tunnel. At the end of the day, it's all for learning and having a secure network, anywhere you may be.


Mike

Senior Software Engineer, Labber, Sysadmin. I make things scale rapidly. Optimize everything.
