Personally the arrangement I like best is to have the WWW servers on a third
leg of the firewall, what I call the service segment, and what I call the
DMZ (other people have different definitions of DMZ, so be careful).  In
that way, even if an outside cracker blows away the WWW server, your
firewall will still have logs of where this guy came from and what protocol
he tried to use.  The firewall would be configured to allow just http from
the internet to the WWW server, and would allow http and other services to
originate inside the company and go out to the WWW server.  This also has
the advantage that sometimes it is very difficult to totally secure all
the protocols on some machines running WWW servers.  It doesn't matter as
much because the firewall would block packets going to those ports.  Yes, in
the best of all possible worlds you would have those services turned off as
well.  But quite often in security you need to make compromises.
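The three-legged policy described above, written out as an added example (not code from the original post): a small first-match evaluator whose zones, addresses and management port 22 are constructed assumptions, showing that only http enters from the outside, that inside hosts get a wider set of services to the WWW server, and that every dropped attempt is recorded on the firewall rather than on the WWW host.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing for the three-legged layout: one firewall with an
# outside leg, an inside (trusted LAN) leg and a service-segment (DMZ) leg.
LAN = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
WWW = ip_address("192.0.2.10")  # the WWW server sits on the DMZ leg

def zone_of(addr):
    """Classify an address by the firewall leg it arrives on."""
    a = ip_address(addr)
    if a in LAN:
        return "lan"
    if a in DMZ:
        return "dmz"
    return "internet"

# First-match policy, default deny. Tuple: (src zone, dst zone, dst host, ports).
# Only http may enter from the internet; staff inside may also reach the
# WWW server on a management port (22 here is an assumption).
RULES = [
    ("internet", "dmz", WWW, {80}),
    ("lan", "dmz", WWW, {80, 22}),
]

@dataclass
class Firewall:
    log: list = field(default_factory=list)  # kept on the firewall, not the host

    def check(self, src, dst, dport):
        s, d = zone_of(src), zone_of(dst)
        for rs, rd, host, ports in RULES:
            if (rs, rd) == (s, d) and ip_address(dst) == host and dport in ports:
                return "accept"
        # Drops are logged here, so the record survives a compromised WWW host.
        self.log.append(f"drop {s} {src} -> {d} {dst} tcp/{dport}")
        return "drop"

def run_sample():
    """Constructed connection attempts against the policy; returns decisions."""
    fw = Firewall()
    attempts = [
        ("203.0.113.7", "192.0.2.10", 80),   # outsider browsing the site
        ("203.0.113.7", "192.0.2.10", 23),   # outsider trying telnet on the WWW host
        ("10.1.2.3", "192.0.2.10", 22),      # admin inside reaching the WWW host
        ("192.0.2.10", "10.1.2.3", 445),     # WWW host trying to reach the LAN
    ]
    decisions = {(s, d, p): fw.check(s, d, p) for s, d, p in attempts}
    return decisions, fw.log
```

The last attempt models Neil's point below the quote: nothing originating on the WWW server may reach the trusted net, whatever the WWW host has been made to do.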

On Thursday, September 02, 1999 1:05 PM, Fogel, Avi
[SMTP:[EMAIL PROTECTED]] wrote:
> Alternatively you could place the www servers outside the firewall with an
> embedded firewall right on the www servers. Depending on the number of www
> servers you may actually see improved performance and lower latency for a
> large number of web servers.
> 
> Avi Fogel
> Network-1 Security Solutions, Inc.
> "Securing e-Business Networks"
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 02, 1999 8:29 AM
> To: Roy
> Cc: [EMAIL PROTECTED]
> Subject: Re: Pros/Cons of WWW Server in LAN vs DMZ?
> 
> Hi Roy,
> 
> By opening your firewall to the web server located on your LAN you've
> already lost the battle.  When your web server is compromised the attacker
> will already be inside your trusted network.  By placing your web server in
> your DMZ you're able to reduce the risk of compromise to your trusted
> network.  Of course your DMZ architecture is key; being able to deny all
> direct inbound traffic from the web server to the trusted net will be
> necessary for the above statement to be true.
> 
> So in a nutshell you would be looking at something like this for it to be
> effective:
> 
> <Screening router> --------- <WWW DMZ> -------- <FW Blocking all inbound
> connectivity> ------- <Choke Router> ----------------- <Trusted Net>
>                         (Not completely necessary)
>                         (If FW is application based)
> 
> Hope this helps,
> 
> --Neil
> 
> "Roy" <[EMAIL PROTECTED]> on 09/01/99 12:13:07 PM
> 
> Please respond to "Roy" <[EMAIL PROTECTED]>
> 
>  To:      [EMAIL PROTECTED]
>  cc:      (bcc: Neil Buckley/Lycos)
>  Subject: Pros/Cons of WWW Server in LAN vs DMZ?
> 
> We have the option of placing a www app server outside our firewall, in the
> DMZ or behind the firewall in our LAN by opening port 80 to the www app
> server's IP address.
> 
> What are the pros and cons of placing it in the DMZ vs in the LAN?
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. 

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.         
*****************************************************************************