The firewalls are the first line of defense of you IT infrastructure, they shouldn't be overlooked because they will help to prevent the attach on the infrastructure running openIMIS (application security discussed in another page )
There is two big family of firewall, the legacy one that allow traffic for a specific port and IP and the next generation/advanced firewall that look into the traffic to detect attack attempt (badly formed payload, updated blacklisted IP list...)
The traffic allowed by the firewall should always be the most restrictive as possible to reduce the hacking risk.
To increase the security, security appliance dedicated to one service could be deployed, this enable to be even more restrictive with regards to the allowed traffic, also such appliance can provide:
- Load balancing between several servers
- Encryption offloading to free some of the resource from the server proving the application
- Encryption certificate management
Which Security appliance to chose:
There is lots of brands that offers security appliance on the market Cisco, Fortigate, Dell , PaloAlto, F5, etc and there is an openSource solution Pfsense. some of them are specialized on firewalling or application security but other can do both based on their configuration.
The choice must come from the infrastructure team as they will need the knowledge to manage those equipment and they may already have some deployed for other services than openIMIS.
The Pfesense openSource solution is appealing because of the lack of license cost but a piece of hardware and skill is still required (via internal resource or support contract).