I think some of your points are somewhat misguided.

> -----Original Message-----
> I believe that the conventional wisdom that web servers should be in the
> DMZ is primarily based on the assumption that web servers, because they
> contain only public information, have little value, therefore they can be
> exposed to the Internet without risk.  If they are hacked, you just reload
> the pages from tapes, and nobody is hurt.  All the valuable stuff is safe
> inside the firewall.

Conventional wisdom is that with the web server on the perimeter network, if
the machine does get compromised, your internal network has not.  Say you
put the web server on your internal network and it gets cracked; then you
have a cracker snooping your internal wire and gleaning passwords and God
knows what else, not to mention that host-based security inside a firewall
is usually lacking, so more machines are sure to quickly follow the web
server into submission.  SNMP-managed hardware being subverted, the list of
problems goes on and on.

> That assumption no longer holds (if it ever did).  Web servers are
> critically important to many organizations.  So, my position is that Web
> servers should always be placed behind *some* firewall.  The firewall
> allows only port 80 requests, which makes the host about 1,000 times easier
> to protect (maybe more with NT).  Yes, there are exploits on port 80, but
> the general ones are fairly well known, and those specific to your custom
> CGI code you have to find before hackers do anyway.

With a properly hardened bastion host and proper planning there is no reason
the web server should respond to anything besides port 80 from the outside
world anyway.  Remember there is a screening router between your perimeter
network and the Internet, not to mention other tools like TCP wrappers that
can and should run on the host.

> That leaves the question of whether the web server is behind the same
> firewall that your LAN is.  Here you have to balance security with
> convenience:
>
>  1. How difficult is it for the folks that maintain the web server to get
>     OUT the firewall to maintain the machine?  If they are very
>     unsophisticated, they may not be able to handle anything more difficult
>     than dragging and dropping from their desktop to the web server's file
>     system, which means you might be facing a *lot* of work to put a
>     firewall between them and the web server.

Do you really want an unsophisticated web master?

>  2. What inside-the-LAN resources does the Web server need?  If it needs
>     database access, you need to create holes in the firewall for them,
>     which entails work and security issues.

This is a valid point.

> My feeling is that given the limited number of hacks on port 80, and the
> limited additional security achieved by placing the web server behind a
> different firewall than your LAN, you might be able to sleep OK with your
> web server on your LAN.
> --Mike

New port 80 cracks are discovered all the time.  And considering your
unsophisticated web masters, the CGI scripts on the web server are probably
an accident waiting to happen.

Sam James
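The two-layer design argued for above (screening router in front of the perimeter network, a firewall between the perimeter network and the LAN, only port 80 reaching the web server from outside) can be checked as a policy. Below is an added example, not code from either poster or from any firewall product: a tiny first-match packet filter with constructed RFC 5737/RFC 1918 addresses, used to verify that a cracked bastion host cannot reach the internal wire.

```python
# Added example: minimal first-match packet filter modelling the design in
# the thread.  All addresses are constructed placeholders, and the filter is
# stateless (it judges the initiating SYN only), which is enough to audit
# the zone-to-zone policy.
from ipaddress import ip_address, ip_network

INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")       # perimeter network (constructed)
LAN = ip_network("10.0.0.0/8")         # internal network (constructed)
WEB = ip_network("192.0.2.10/32")      # the bastion web host (constructed)

# (action, src, dst, dst_port or None) evaluated top to bottom, first match wins.
RULES = [
    ("allow", INTERNET, WEB, 80),    # only HTTP reaches the web server from outside
    ("allow", LAN, DMZ, None),       # admins inside may maintain the bastion
    ("deny", DMZ, LAN, None),        # a cracked bastion cannot reach the internal wire
    ("deny", INTERNET, DMZ, None),   # anything else from outside to the DMZ is dropped
    ("deny", INTERNET, LAN, None),   # nothing from outside reaches the LAN directly
]


def decide(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a TCP SYN from src to dst:dport."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, port in RULES:
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    return "deny"  # default deny: anything not explicitly allowed is dropped


def audit(flows):
    """Evaluate (src, dst, dport, expected) tuples; return those the policy gets wrong."""
    return [(f, decide(*f[:3])) for f in flows if decide(*f[:3]) != f[3]]


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "192.0.2.10", 80, "allow"),   # public HTTP request
        ("203.0.113.5", "192.0.2.10", 23, "deny"),    # telnet from the Internet
        ("192.0.2.10", "10.0.0.25", 139, "deny"),     # compromised bastion -> LAN
        ("10.0.0.25", "192.0.2.10", 22, "allow"),     # admin maintaining the host
    ]
    print("policy mismatches:", audit(checks))
```

Running it prints an empty mismatch list; adding a rule that lets the DMZ initiate connections into the LAN (the "database access" case raised in point 2) shows up immediately as a mismatch on the bastion-to-LAN check.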
