You lose. IIS doesn't have a good rep as a webserver that is easy to make
stable or secure. I'm all against MS bashing for no reason, but there is
plenty of writing on the wall already.

Assume that the machine will be trashed regularly, put it on a LAN that
isn't connected to anything else and have good backup and restore software.
Set up some scripty thing that checks the pages to see if they've changed
and will preferably notify you when it gets hacked. You can go and get one
of the "securing NT" guides (the US Navy one is supposed to be okay *grin*)
to try and shore it up as a bastion host if you like, but AFAIK it's the IIS
service itself that's most vulnerable.

From the firewall end, it should just be pretty normal HTTP / HTTPS unless
you're doing spooky things. You could try and get an HTTP proxy that is
supposed to monitor the HTTP data flow for evilness, like Gauntlet / TIS
FWTK, but I'm not sure how much it will help you, especially if you're
running CGI. Unless there's something you're not telling us, you can block
every single other port to this machine.

Summary: It doesn't matter how much stuff you block, the minimum service you
MUST let through to the machine to fulfill your stated aim is enough to make
this solution fundamentally insecure. Now I'm sure you can secure IIS
somehow, but the default setups suck very badly so you probably REALLY need
to know what you're doing.

G'luck!

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 8 414 411 520

 -----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, June 02, 1999 6:21 AM
To:     [EMAIL PROTECTED]
Subject:        MS Proxy Server

I have been asked to set up a "firewall" to protect an IIS Server that will
publish a Web page to the Internet.  If anyone knows of resources, white
papers, how-to books, or seminars that would address this project please
tell me.

I suspect there is specialized software out there that will do this much
better but these are the tools I have to work with.  Any help would be most
appreciated.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
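
An added example, not part of the original messages: one way to build the page-change checker suggested in the reply, by hashing every file under the web root and comparing against a baseline that carries an HMAC, so that someone who can rewrite the pages cannot quietly rewrite the baseline as well. The function names, the sample pages and the key are constructed for illustration; it assumes the key and the sealed baseline are kept on a different machine from the web server.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def snapshot(webroot):
    """Map every file under webroot (relative path) to its SHA-256 digest."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def seal(manifest, key):
    """Serialize a baseline with an HMAC tag so a rewritten baseline is detected."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})

def unseal(sealed, key):
    """Return the baseline manifest, or raise ValueError if it was altered."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline failed its integrity check")
    return json.loads(doc["manifest"])

def check(webroot, sealed, key):
    """Return changed pages by kind; an empty dict means nothing changed."""
    baseline, current = unseal(sealed, key), snapshot(webroot)
    report = {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }
    return {kind: files for kind, files in report.items() if files}

def demo():
    """Constructed sample: baseline two pages, then alter one and add a file."""
    key = b"constructed-demo-key"  # assumption: the real key is kept off the web server
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "about.html").write_text("<p>About</p>")
        sealed = seal(snapshot(root), key)
        (root / "index.html").write_text("<h1>replaced</h1>")
        (root / "extra.html").write_text("<p>unexpected</p>")
        return check(root, sealed, key)

if __name__ == "__main__":
    print(demo() or "no changes")  # a real run would mail or page the operator here
```

Run on a schedule from the backup or admin host against a read-only view of the web root; a non-empty result, or a ValueError from the baseline check, is the signal to restore from backup.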