David,
I would strongly agree with this person's philosophy to "take matters into
their own hands". If you're at all concerned about security, IMHO you
shouldn't leave it up to an ISP. No ISP is ever going to be as concerned
about protecting your resources as you are.
To answer your query about placement of web servers, the answer is yes, any
servers that are intended to be world accessible such as FTP, Web, etc. are
normally placed on a physically separate segment from your internal hosts
so that if those servers happen to become compromised, the scope of attack
is limited. If someone were able to compromise a host on the inside of
your firewall, you're essentially at the mercy of whatever security has been
implemented on your individual hosts. (i.e. you're probably toast)
In this person's case, installing a full-fledged firewall or proxy server
to protect a single web server sounds like overkill. They may want to
consider just using security features built into their router and hardening
the OS of their web server. Cisco routers have a lot of security features
that would probably meet their needs sufficiently in this case. For
example, it would be fairly simple to allow only inbound HTTP to the web
server and nothing else.
-Kent
Kent Hundley
[EMAIL PROTECTED]
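As an added illustration of the router-only approach described above (example configuration, not part of Kent's message), a Cisco IOS extended access list that admits only inbound HTTP to the public web server and drops everything else. The address 192.0.2.10 and the interface name Serial0/0 are placeholders.

```cisco
! Added example, not from the original message. 192.0.2.10 is assumed to
! be the single public web server; Serial0/0 is assumed to face the ISP.
ip access-list extended OUTSIDE-IN
 remark Only HTTP to the web server may enter from the Internet
 permit tcp any host 192.0.2.10 eq www
 remark Everything else, including connections to the router itself,
 remark is dropped and logged so probes show up in the router log
 deny ip any any log
!
interface Serial0/0
 description Link to ISP
 ip access-group OUTSIDE-IN in
```

Because the list is applied inbound only, the server's replies to HTTP clients leave unfiltered, but return packets for connections the server itself opens outward (DNS lookups, package updates) will be dropped unless they are permitted explicitly or the list is made stateful with IOS reflexive access lists.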
-------------------------------------------------------------------
I got chatting at a Christmas party with the owner of a web site
who has twice changed ISPs because his site got hacked. He's about
given up on ISPs to provide protection, and is looking to set up his
own server and protect it.
I keep seeing recommendations that HTTP servers should be in the
DMZ, but I'm not clear on WHY. Is this, perhaps, to protect the
machines on the internal net from a compromised HTTP server? In this
case, there wouldn't *be* any "rest" to protect.
My inclination is to suggest a proxy machine as firewall, supplied
with content from the "real" server behind it. But maybe there's a
flaw to this that I haven't quite grasped?
David G