On Tue, 23 May 2000, Andrew Lawrence wrote:

> We are currently investigating locating our web server with an ISP. The
> server is Windows NT 4.0 with Sql server and IIS 4.0. We have 2 options; one
> is to use a managed server provided by the ISP and the second is to buy some
> rack space to put whatever we like in. The difference in cost is
> considerable. As we are feeling our way in this arena the cheaper option
> looks favourable although it means we won't have a firewall protecting the
> web server. Has anyone any views on this scenario? One firewall vendor has
> already told me that having a firewall would not protect the web server as
> you want people to visit it!

This is mostly true.  The majority of Web server attacks come via HTTP,
not other protocols, and you need to allow HTTP for your server to
function as a Web server.  I _believe_ the current "most popular attack"
is the RDS attack against IIS, which is fixable.  I'd expect most service
providers to spend a good deal of time upgrading servers (and that's one
of the due diligence questions you'll want to ask a potential hosting
provider.)  Certainly following Attrition's defacement list recently, IIS
seems to be the current victim-of-choice.

> What we don't want to happen is hackers to compromise the data on the Sql
> server. How secure will it be ? Does anyone have any information regarding

"How secure will it be" is a specious question.  It assumes a significant
number of variables are easily quantifiable.  Once again, it really is a
bunch of due diligence questions that need to be seriously examined.
Database servers are notorious for security flaws, holes,
misconfiguration, etc.  Providing administrative conduits without exposing
the server to significant risk is difficult.  Managing upgrades, testing
problems and providing good audit points are all non-trivial exercises in
a typical colo facility.  Last minute equipment changes can even be a
complete nightmare in some facilities.  If you haven't colo'd before,
you're most probably better off going with a managed service offering.
Especially if you're only doing a small site and the facility is large. 

> setting up IIS and Sql server securely. Can you for instance tell SQL only
> to accept requests from IIS and if you can do this how secure is the IIS side
> of things?

If the data is sensitive, and you're fielding something critical to the
business, you're probably best off finding some consulting help.  You'll
want to look pretty hard at their past work and paranoia level though.
Trying to do remote access to colo'd Windows boxes well tends to be
something that makes most security people very squeamish and most NT
admins way too trusting.

> We don't have the option of using another operating system.

Companies that think like this scare me.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
