Is there an article on configuring a third network interface on Windows NT for Gauntlet Firewall Version 5.0?

Ken

-----Original Message-----
From: Bryan Andersen [mailto:[EMAIL PROTECTED]]
Sent: 23 May 2000 14:39
To: [EMAIL PROTECTED]
Cc: Andrew Lawrence
Subject: Re: Webserver & Firewalls

Andrew Lawrence wrote:
>
> We are currently investigating locating our web server with an ISP. The
> server is Windows NT 4.0 with Sql server and IIS 4.0. We have 2 options; one
> is to use a managed server provided by the ISP and the second is to buy some
> rack space to put whatever we like in. The difference in cost is
> considerable. As we are feeling our way in this arena the cheaper option
> looks favourable although it means we won't have a firewall protecting the
> web server. Has anyone any views on this scenario? One firewall vendor has
> already told me that having a firewall would not protect the web server as
> you want people to visit it!

Well, first off you can use a firewall to protect a web server. At a
minimum you need a packet filtering firewall. Adding in stateful
inspection would be better. The firewall makes it so the web server
doesn't need to be as aggressive in its protections of ports other
than the ones the web server SW is using.

> What we don't want to happen is hackers to compromise the data on the Sql
> server.

I don't know what the data will be used for, but seriously consider
limiting the data on the server to only what is needed for the web
application's current state. An example of this is when an order is
finalized it is sent to a more secured server and after confirmation
of receipt it is removed from the web server's DB. User account
information doesn't contain CC# information, if it does need to then
only the last 4 digits. The full number would be on a more highly
secured server. I consider a web server to be a rather insecure machine.
Anything that needs to be kept private needs to have the risks
associated with its release carefully analyzed.

> How secure will it be?
> Does anyone have any information regarding
> setting up IIS and Sql server securely. Can you for instance tell SQL only
> to accept request from IIS and if you can do this how secure is the IIS side
> of things?

--
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
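
The hand-off described in Bryan Andersen's reply (a finalized order goes to a more secured server, is removed from the web server's DB only after confirmation of receipt, and the account keeps only the last 4 card digits), as an added example that is not part of the original thread. An in-memory sqlite3 database stands in for the web server's DB, `SecureBackend` is a hypothetical stand-in for the more secured server, and all table, column and function names are assumptions.

```python
import sqlite3

class SecureBackend:
    """Hypothetical stand-in for the more highly secured order server."""
    def __init__(self, reachable=True):
        self.reachable = reachable
        self.orders = {}

    def receive(self, order_id, payload):
        # A receipt is returned only when the order was actually stored.
        if not self.reachable:
            return None
        self.orders[order_id] = payload
        return f"ack-{order_id}"

def open_web_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, cc_last4 TEXT)")
    # AUTOINCREMENT: an order id is never reused after its row is deleted.
    db.execute("CREATE TABLE pending_orders "
               "(id INTEGER PRIMARY KEY AUTOINCREMENT, user TEXT, item TEXT)")
    return db

def finalize_order(db, backend, user, item, card_number):
    """Hand a finalized order to the backend; keep only the last 4 digits locally."""
    digits = "".join(c for c in card_number if c.isdigit())
    cur = db.execute("INSERT INTO pending_orders (user, item) VALUES (?, ?)", (user, item))
    order_id = cur.lastrowid
    db.execute("INSERT OR REPLACE INTO accounts VALUES (?, ?)", (user, digits[-4:]))
    db.commit()
    # The full number travels only in the hand-off; it is never written to the web DB.
    receipt = backend.receive(order_id, {"user": user, "item": item, "card": digits})
    if receipt != f"ack-{order_id}":
        return False  # no confirmation of receipt: the order row is not removed
    db.execute("DELETE FROM pending_orders WHERE id = ?", (order_id,))
    db.commit()
    return True

def web_db_snapshot(db):
    """Everything someone reading the web server's DB would see."""
    return {
        "accounts": dict(db.execute("SELECT user, cc_last4 FROM accounts")),
        "pending_orders": db.execute("SELECT id, user, item FROM pending_orders").fetchall(),
    }

if __name__ == "__main__":
    db, backend = open_web_db(), SecureBackend()
    # Constructed sample data: a well-known test card number, not a real account.
    finalize_order(db, backend, "alice", "widget", "4111 1111 1111 1111")
    print(web_db_snapshot(db))
```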
