> We have the option of placing a www app server outside our firewall, in the
> DMZ or behind the firewall in our LAN by opening port 80 to the www app
> server's IP address.
>
> What are the pros and cons of placing it in the DMZ vs in the LAN?

This is a complex issue, because it depends so much on what your Web server
contains, how sophisticated the webmasters are, what resources the Web
server needs to do its job, and to some extent, on what platform the web
server runs.
I believe that the conventional wisdom that web servers should be in the DMZ
is primarily based on the assumption that web servers, because they contain
only public information, have little value, therefore they can be exposed to
the Internet without risk. If they are hacked, you just reload the pages
from tapes, and nobody is hurt. All the valuable stuff is safe inside the
firewall.
That assumption no longer holds (if it ever did). Web servers are
critically important to many organizations. So, my position is that Web
servers should always be placed behind *some* firewall. The firewall allows
only port 80 requests, which makes the host about 1,000 times easier to
protect (maybe more with NT). Yes, there are exploits on port 80, but the
general ones are fairly well known, and those specific to your custom CGI
code you have to find before hackers do anyway.
That leaves the question of whether the web server is behind the same
firewall that your LAN is. Here you have to balance security with
convenience:
1. How difficult is it for the folks that maintain the web server to get OUT
the firewall to maintain the machine? If they are very unsophisticated, they
may not be able to handle anything more difficult than dragging and dropping
from their desktop to the web server's file system, which means you might be
facing a *lot* of work to put a firewall between them and the web server.
2. What inside-the-LAN resources does the Web server need? If it needs
database access, you need to create holes in the firewall for them, which
entails work and security issues.
My feeling is that given the limited number of hacks on port 80, and the
limited additional security achieved by placing the web server behind a
different firewall than your LAN, you might be able to sleep OK with your
web server on your LAN.
--Mike
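A small policy model of the two placements Mike compares, as an added example that is not part of the original thread; the zone layout, addresses and the database port are constructed assumptions. It evaluates the "port 80 only" rule from the Internet side and the set of internal services a compromised web server could still reach under each placement.

```python
"""Added example (not from the thread): a small packet-filter model of the two
placements the reply weighs. Addresses, zones and ports are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed topology: the web server sits either in the screened segment
# (192.0.2.80) or on the internal LAN (10.0.0.80); the database and file
# server are internal hosts in both cases.
ZONES = {
    "internet": {"203.0.113.10"},
    "dmz": {"192.0.2.80"},
    "lan": {"10.0.0.80", "10.0.0.5", "10.0.0.9"},
}

@dataclass(frozen=True)
class Rule:
    src: str              # IP address, zone name, or "any"
    dst: str
    dport: Optional[int]  # None matches any destination port
    allow: bool

def zone_of(ip: str) -> str:
    return next(z for z, hosts in ZONES.items() if ip in hosts)

def _match(sel: str, ip: str) -> bool:
    return sel in ("any", ip, zone_of(ip))

def permitted(policy, src, dst, dport):
    """First matching rule wins and the default is deny. Hosts in the same
    zone talk directly, so that traffic never reaches the firewall at all."""
    if zone_of(src) == zone_of(dst):
        return True
    for r in policy:
        if _match(r.src, src) and _match(r.dst, dst) and r.dport in (None, dport):
            return r.allow
    return False

# "Behind the firewall in our LAN by opening port 80 to the server's IP address".
LAN_PLACEMENT = [Rule("any", "10.0.0.80", 80, True),
                 Rule("lan", "any", None, True)]   # internal hosts may go outbound
# DMZ placement: port 80 in, plus the database hole from point 2 (port 5432 constructed).
DMZ_PLACEMENT = [Rule("any", "192.0.2.80", 80, True),
                 Rule("192.0.2.80", "10.0.0.5", 5432, True),
                 Rule("lan", "any", None, True)]

INTERNAL_SERVICES = [("10.0.0.5", 5432), ("10.0.0.5", 22), ("10.0.0.9", 445)]

def blast_radius(policy, web_ip):
    """Internal services a compromised web server could open connections to."""
    return {(h, p) for h, p in INTERNAL_SERVICES if permitted(policy, web_ip, h, p)}
```

In the LAN placement the web server and the database share a zone, so the firewall never sees that traffic; in the DMZ placement only the explicitly opened database port remains reachable.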