although if your firewall is paranoid enough there can be a limit to what
can be done over this compromised connection.

for example, if you have a Raptor firewall the messages back and forth must
be valid HTTP; it's extremely hard to type at a command prompt and have
valid HTTP in both directions be the result.

David Lang

 On Fri, 2 Feb 2001, Paul Cardon wrote:

> Date: Fri, 02 Feb 2001 10:55:03 -0500
> From: Paul Cardon <[EMAIL PROTECTED]>
> To: Kelly Slavens <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Configuration Arguments... In House...
>
> Kelly Slavens wrote:
> >
> >          I have a situation where I have a Server, which will host web
> > content from "Internal" Data to the external world. This Server Needs only
> > have web services accessible to the outside world beyond our network. Our
> > current configuration is a Cisco Hardware Nat/Router Packet filter directly
> > connected to the Internet connection. Connected to that is our MSProx2.0
> > (Being replaced with ISA Server soon)... One individual wishes to place this
> > new web server directly behind the NAT alongside the Prox, With a so called
> > "one way" push only network connection to the internal network. This seems
> > like a bad idea to me. My suggestion was Place the Web server behind the
> > prox and use Reverse prox to redirect all web traffic to only this single
> > internal Web server. This to me seems to be more secure than a second
> > machine sitting in the DMZ with a connection to the internal network.
>
> With the web server behind the Proxy, if the web server is compromised
> (e.g. IIS Unicode vulnerability) then the entire internal network is open
> to the attacker.  The other configuration is better but it isn't the
> only solution.
>
> -paul
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>