In the event that the embedded FW were able to filter MAC addresses, some
layer 2 vulnerabilities could be eliminated by denying all traffic not coming
from or destined to the screening router and/or firewall, buying you another
level of security between your DMZ and your trusted net.  In a single web
server case I would rather let the screening router handle the traffic
pattern and rely on a combination of system security and a host based IDS
capable of tracking activity on the server so that a compromise could be
identified, monitored, and logged.  In a multiple web server configuration I
could see advantages in the scalability and performance of an embedded
solution.

--Neil




"Fogel, Avi" <[EMAIL PROTECTED]> on 09/02/99 01:05:07 PM

 To:      Roy <[EMAIL PROTECTED]>
 cc:      [EMAIL PROTECTED] (bcc: Neil Buckley/Lycos)
 Subject: RE: Pros/Cons of WWW Server in LAN vs DMZ?

Alternatively you could place the www servers outside the firewall with an
embedded firewall right on the www servers. Depending on the number of www
servers you may actually see improved performance and lower latency for a
large number of web servers.

Avi Fogel
Network-1 Security Solutions, Inc.
"Securing e-Business Networks"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 02, 1999 8:29 AM
To: Roy
Cc: [EMAIL PROTECTED]
Subject: Re: Pros/Cons of WWW Server in LAN vs DMZ?




Hi Roy,

By opening your firewall to the web server located on your LAN you've
already lost the battle.  When your web server is compromised the attacker
will already be inside your trusted network.  By placing your web server in
your DMZ you're able to reduce the risk of compromise to your trusted
network.  Of course your DMZ architecture is key, being able to deny all
direct inbound traffic from the web server to the trusted net will be
necessary for the above statement to be true.

So in a nutshell you would be looking at something like this for it to be
effective:

<Screening router> --------- <WWW DMZ> -------- <FW Blocking all inbound connectivity> ------- <Choke Router> ----------------- <Trusted Net>
                                                        (Not completely necessary)
                                                             (If FW is application based)

Hope this helps,

--Neil




"Roy" <[EMAIL PROTECTED]> on 09/01/99 12:13:07 PM

Please respond to "Roy" <[EMAIL PROTECTED]>

 To:      [EMAIL PROTECTED]
 cc:      (bcc: Neil Buckley/Lycos)
 Subject: Pros/Cons of WWW Server in LAN vs DMZ?







We have the option of placing a www app server outside our firewall, in the
DMZ or behind the firewall in our LAN by opening port 80 to the www app
server's IP address.

What are the pros and cons of placing it in the DMZ vs in the LAN?



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
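
Added example, not part of the thread or any poster's configuration: a small first-match filter model comparing what a compromised web server can connect to under the LAN placement and the DMZ placement discussed above. The zone names, rule sets, probe ports and the database exception on port 1521 are constructed assumptions; the last rule set shows how one allow above the deny reopens a path into the trusted net.

```python
# Added example: constructed zone-level rule sets, not taken from the thread.
# Rule = (source zone, destination zone, destination port or None for any, action).
LAN_PLACEMENT = [
    ("internet", "lan", 80, "allow"),    # port 80 opened to the web server on the LAN
    ("lan", "internet", None, "allow"),
]
DMZ_PLACEMENT = [
    ("internet", "dmz", 80, "allow"),    # screening router passes web traffic only
    ("dmz", "lan", None, "deny"),        # FW blocks all connections from DMZ to trusted net
    ("lan", "dmz", None, "allow"),       # administration from the trusted side
    ("lan", "internet", None, "allow"),
]
# Hypothetical exception for an app server's database, placed above the deny.
DMZ_WITH_BACKEND = [("dmz", "lan", 1521, "allow")] + DMZ_PLACEMENT

PROBE_PORTS = (23, 80, 139, 1521)        # constructed sample of service ports


def permitted(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is denied."""
    if src == dst:
        return True  # same segment: layer 2 neighbours never cross the filter
    for r_src, r_dst, r_port, action in rules:
        if (r_src, r_dst) == (src, dst) and r_port in (None, port):
            return action == "allow"
    return False


def reachable_from(rules, web_zone, ports=PROBE_PORTS):
    """Map each zone to the ports a compromised web server could connect to."""
    zones = {z for rule in rules for z in rule[:2]} | {web_zone}
    result = {}
    for zone in sorted(zones):
        open_ports = [p for p in ports if permitted(rules, web_zone, zone, p)]
        if open_ports:
            result[zone] = open_ports
    return result


if __name__ == "__main__":
    for name, rules, zone in (("LAN", LAN_PLACEMENT, "lan"),
                              ("DMZ", DMZ_PLACEMENT, "dmz"),
                              ("DMZ + backend rule", DMZ_WITH_BACKEND, "dmz")):
        print(f"{name:20} {reachable_from(rules, zone)}")
```

Running the same check against an exported rule base before each change shows whether a new exception has put the trusted net back within reach of the web server.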