Alternatively you could place the www servers outside the firewall with an
embedded firewall right on the www servers. Depending on the number of www
servers you may actually see improved performance and lower latency for a
large number of web servers.
Avi Fogel
Network-1 Security Solutions, Inc.
"Securing e-Business Networks"
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 02, 1999 8:29 AM
To: Roy
Cc: [EMAIL PROTECTED]
Subject: Re: Pros/Cons of WWW Server in LAN vs DMZ?
Hi Roy,
By opening your firewall to the web server located on your LAN you've already
lost the battle. When your web server is compromised the attacker will already
be inside your trusted network. By placing your web server in your DMZ you're
able to reduce the risk of compromise to your trusted network. Of course your
DMZ architecture is key; being able to deny all direct inbound traffic from the
web server to the trusted net will be necessary for the above statement to be
true.
So in a nutshell you would be looking at something like this for it to be
effective:
<Screening router> --- <WWW DMZ> --- <FW Blocking all inbound connectivity> --- <Choke Router> --- <Trusted Net>
(Not completely necessary) (If FW is application based)

Hope this helps,
--Neil
"Roy" <[EMAIL PROTECTED]> on 09/01/99 12:13:07 PM
Please respond to "Roy" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: (bcc: Neil Buckley/Lycos)
Subject: Pros/Cons of WWW Server in LAN vs DMZ?
We have the option of placing a www app server outside our firewall, in the
DMZ or behind the firewall in our LAN by opening port 80 to the www app
server's IP address.
What are the pros and cons of placing it in the DMZ vs in the LAN?
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
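
The placement trade-off discussed in this thread, as an added example that is not part of any poster's message: a small first-match, default-deny firewall model that compares what a compromised web server can reach when it sits on the LAN, in the DMZ, and in a DMZ with one exception rule toward the trusted net. The addresses, the rule format and all function names are constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread).
ZONES = {
    "trusted": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/28"),
}
# Constructed internal services an intruder would look for.
INTERNAL = [("10.0.0.5", 445), ("10.0.0.6", 1433)]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def allowed(rules, src, dst, port):
    """First-match, default-deny. Traffic inside one zone never crosses the firewall."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True
    for r_src, r_dst, r_port, action in rules:
        if r_src in (sz, "any") and r_dst in (dz, dst, "any") and r_port in (port, "any"):
            return action == "allow"
    return False

def exposure(rules, web_ip):
    """Internal services reachable from the web server once it is compromised."""
    return [(ip, port) for ip, port in INTERNAL if allowed(rules, web_ip, ip, port)]

# Option 1: web server on the LAN, port 80 opened to its address.
LAN_WEB = "10.0.0.80"
LAN_RULES = [("internet", LAN_WEB, 80, "allow")]

# Option 2: web server in the DMZ, nothing may be initiated from DMZ to trusted.
DMZ_WEB = "192.0.2.10"
DMZ_RULES = [("internet", DMZ_WEB, 80, "allow"), ("dmz", "trusted", "any", "deny")]

# Option 2 with one exception (web server to an internal database).
DMZ_LEAKY = [("dmz", "10.0.0.6", 1433, "allow")] + DMZ_RULES

if __name__ == "__main__":
    for name, rules, web in [("LAN", LAN_RULES, LAN_WEB), ("DMZ", DMZ_RULES, DMZ_WEB),
                             ("DMZ + exception", DMZ_LEAKY, DMZ_WEB)]:
        print(f"{name}: {exposure(rules, web)}")
```

In the LAN placement the firewall rule set is irrelevant after compromise, because the web server and its targets share a zone; in the DMZ placement every exception rule toward the trusted net shows up directly in the exposure list.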