Andrew Lawrence wrote:
>
> We are currently investigating locating our web server with an ISP. The
> server is Windows NT 4.0 with Sql server and IIS 4.0. We have 2 options; one
> is to use a managed server provided by the ISP and the second is to buy some
> rack space to put whatever we like in. The difference in cost is
> considerable. As we are feeling our way in this arena the cheaper option
> looks favourable although it means we won't have a firewall protecting the
> web server. Has anyone any views on this scenario ?. One firewall vendor has
> already told me that having a firewall would not protect the web server as
> you want people to visit it !
Well, first off you can use a firewall to protect a web server. At
a minimum you need a packet filtering firewall. Adding in statefull
inspection would be better. The firewall makes it so the web server
dosen't need to be as agressive in it's protections of ports other
that the ones the web server SW is using.
> What we don't want to happen is hackers to compromise the data on the Sql
> server.
I don't know what data will be used for, but seriously consider
limiting the data on the server to only what is needed for the web
applications current state. An example of this is when an order is
finalized it is sent to a more secured server and after confirmation
of receipt it is removed from the web server's DB. User account
information doesn't contain CC# information, if it does need to then
only the last 4 digits. The full number would be on a more highly
secured server. I consider a web server to be a rather insecure
machine. Anything that needs to be kept private needs to have the
risks associated with it's release carefully analyzed.
> How secure will it be ?
> Does anyone have any information regarding
> setting up IIS and Sql server securely. Can you for instance tell SQL only
> to accept request from IIS and if you can do this how secure is the IIS side
> of things ?
--
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
