In the DMZ - If someone breaks into a system located in the DMZ the most
they can do is exploit the backend database access process. If they break
into a system located on your LAN they can exploit all the systems located
on your LAN and since most firewalls are set up to allow unlimited outbound
connections (transparent) the attacker can set up outbound connections to
transfer information or further exploit resources even after you have
discovered and "fixed" the original security hole.

> -----Original Message-----
> From: Greg Bastian [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 13, 1999 3:39 AM
> To: [EMAIL PROTECTED]
> Subject: Web Server Access
>
> Hi,
>
> I have a general question about the accessing of a web server.
>
> Do I place the web server (NT IIS) on a DMZ, behind a packet filtering
> router, configured as a bastion host ?
> or do I place it behind the firewall (TIS FWTK) bastion host, and forward
> requests to the web server on my LAN ?
>
> I have a web server that accesses a database, however I would like to place
> this db on a machine on my internal LAN, and have the web server access it,
> however I don't know the best placement of the web server.
>
> I am a little confused about this issue, as I have read that the outside
> firewall interface should be the only thing visible on the internet.
>
> I have read the fw faq, and this did little to help me answer the question.
>
> If it makes any further difference, our internal lan is masqueraded behind a
> Linux router, so none of our LAN machines appear as more than the router.
>
> Help appreciated,
>
> Greg.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
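
Added example, not part of the original thread: a small first-match packet-filter model that compares which systems a web server can open connections to under the two placements discussed above. All addresses, the database port 1433, the target list and both rule sets are assumptions constructed for illustration.

```python
# Added illustration: first-match filter model; every address and rule is constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed internal LAN
DMZ = ip_network("192.168.2.0/24")   # assumed DMZ segment
ANY = ip_network("0.0.0.0/0")
DB = ip_network("192.168.1.10/32")   # assumed database host on the LAN
DB_PORT = 1433                       # assumed database listener port

# Rule: (source net, destination net, port or None for any, action). First match wins.
DMZ_POLICY = [
    (DMZ, DB, DB_PORT, "allow"),     # web server -> backend database only
    (DMZ, ANY, None, "deny"),        # nothing else initiated from the DMZ
]
# Web server on the LAN, firewall permitting unlimited outbound connections.
LAN_POLICY = [
    (LAN, ANY, None, "allow"),
]

def allowed(policy, src, dst, port, segments=(LAN, DMZ)):
    """Return True if src may open a connection to dst:port."""
    s, d = ip_address(src), ip_address(dst)
    # Hosts on the same segment talk directly; no filter ever sees the traffic.
    if any(s in seg and d in seg for seg in segments):
        return True
    for src_net, dst_net, rule_port, action in policy:
        if s in src_net and d in dst_net and rule_port in (None, port):
            return action == "allow"
    return False                     # default deny when no rule matches

def exposure(policy, web_ip, targets):
    """Names of targets reachable from the web server's address."""
    return sorted(name for name, (ip, port) in targets.items()
                  if allowed(policy, web_ip, ip, port))

TARGETS = {                          # constructed sample hosts
    "database": ("192.168.1.10", DB_PORT),
    "file server": ("192.168.1.20", 139),
    "workstation": ("192.168.1.50", 139),
    "internet host": ("203.0.113.7", 80),
}

if __name__ == "__main__":
    print("DMZ placement:", exposure(DMZ_POLICY, "192.168.2.5", TARGETS))
    print("LAN placement:", exposure(LAN_POLICY, "192.168.1.5", TARGETS))
```

With the DMZ rules only the database listener is reachable from the web server; with the LAN placement every listed host is, including the outbound destination.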