Brian, that depends on how your firewall passes "only HTTP traffic".

For example, Raptor checks the message from the client and makes sure it is
a valid GET/POST/etc. message, then it checks the response from the server
and makes sure it's also valid. It does this for each request.

Firewall-1, on the other hand, may check the initial connection to the server
to see if it's a GET/POST/etc., but after that allows that connection
without spending more time on it.

This means that if your initial connection triggers a bug on the server
(IIS bug, buffer overflow, etc.) that ends up giving you a command/shell
prompt on the webserver, then if you have Firewall-1 the attacker can type
commands on your webserver to download additional tools and attack your
internal network from the webserver. Raptor watches the entire exchange
and would prevent this.

Now, no firewall can watch SSL connections, so I'm not sure exactly what
happens there. I don't know how many (if any) of the exploits can be used
against SSL servers and continue to be exploited after the webserver is
compromised.

David Lang

On Fri, 2 Feb 2001, Brian Steele wrote:

> Date: Fri, 2 Feb 2001 12:20:10 -0400
> From: Brian Steele <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Configuration Arguments... In House...
>
> Hmm.. Can someone give an example of how a "compromise" that opens the
> internal network to the attacker could work, if the proxy server is passing
> only HTTP traffic on port 80 between the internal server and the Internet
> client?
>
>
> Brian
>
>
> ----- Original Message -----
> From: "Paul Cardon" <[EMAIL PROTECTED]>
> To: "Kelly Slavens" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, February 02, 2001 11:55 AM
> Subject: Re: Configuration Arguments... In House...
>
>
> > Kelly Slavens wrote:
> > >
> > >          I have a situation where I have a Server, which will host web
> > > content from "Internal" Data to the external world. This Server needs only
> > > have web services accessible to the outside world beyond our network. Our
> > > current configuration is a Cisco Hardware NAT/Router packet filter directly
> > > connected to the Internet connection. Connected to that is our MSProx2.0
> > > (being replaced with ISA Server soon)... One individual wishes to place this
> > > new web server directly behind the NAT alongside the Prox, with a so-called
> > > "one way" push-only network connection to the internal network. This seems
> > > like a bad idea to me. My suggestion was to place the Web server behind the
> > > prox and use reverse prox to redirect all web traffic to only this single
> > > internal Web server. This to me seems to be more secure than a second
> > > machine sitting in the DMZ with a connection to the internal network.
> >
> > With the web server behind the Proxy, if the web server is compromised
> > (e.g. IIS Unicode vulnerability) then the entire internal network is open
> > to the attacker.  The other configuration is better but it isn't the
> > only solution.
> >
> > -paul
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
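The distinction David Lang draws above, as an added example that is not part of the thread and not code from either vendor: it models the two inspection strategies abstractly, a proxy that checks every message in both directions against HTTP syntax, versus a filter that checks only the first client message and then relays the rest of the connection unread. The characterization of Raptor and Firewall-1 is Lang's, not verified here; the session data, the `ALLOWED_METHODS` set and the two function names are constructed for illustration, and the "bug that leaves a shell on the socket" is assumed rather than any specific exploit.

```python
# Added example (not from the original thread, not vendor code). Models
# per-message HTTP validation versus first-request-only validation on a
# single TCP connection. All traffic below is constructed.
import re

# Methods this hypothetical proxy is willing to relay (assumption).
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}

# Request-line and status-line shapes for HTTP/1.0 and 1.1.
REQUEST_LINE = re.compile(rb"\A([A-Z]{3,7}) (/\S*|\*|https?://\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"\AHTTP/1\.[01] ([1-5]\d\d)(?: [^\r\n]*)?\r\n")


def is_valid_request(msg):
    """True if msg starts with a well-formed request line using an allowed method."""
    m = REQUEST_LINE.match(msg)
    return m is not None and m.group(1) in ALLOWED_METHODS


def is_valid_response(msg):
    """True if msg starts with a well-formed HTTP status line."""
    return STATUS_LINE.match(msg) is not None


def first_request_only(session):
    """Firewall-1 style (per Lang's description): inspect only the first client
    message; if it looks like HTTP, relay the whole remaining session unread.
    Returns the list of (side, bytes) turns that were relayed."""
    first = next((data for side, data in session if side == "client"), None)
    if first is None or not is_valid_request(first):
        return []
    return list(session)


def per_message_proxy(session):
    """Raptor style (per Lang's description): inspect every turn in both
    directions and drop the connection at the first one that is not HTTP.
    Returns the list of (side, bytes) turns that were relayed."""
    relayed = []
    for side, data in session:
        ok = is_valid_request(data) if side == "client" else is_valid_response(data)
        if not ok:
            break
        relayed.append((side, data))
    return relayed


# Constructed benign session: one request, one well-formed response.
NORMAL_SESSION = [
    ("client", b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("server", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"),
]

# Constructed compromise session. Assume the first (syntactically valid) GET
# triggers a server bug that leaves a command shell attached to the socket;
# everything after it is the attacker typing at that shell, not HTTP.
SHELL_SESSION = [
    ("client", b"GET /default.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("server", b"Microsoft Windows 2000 [Version 5.00.2195]\r\nC:\\Inetpub\\wwwroot>"),
    ("client", b"dir C:\\\r\n"),
    ("server", b" Volume in drive C has no label.\r\n"),
    ("client", b"type C:\\secret.txt\r\n"),
]


if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("shell", SHELL_SESSION)):
        print(name, "first-request-only relayed:", len(first_request_only(session)),
              "per-message proxy relayed:", len(per_message_proxy(session)))
```

On the constructed shell session the first-request-only filter relays all five turns, because the only thing it ever looked at was the initial GET; the per-message proxy relays just that GET and closes the connection as soon as the server answers with a command prompt instead of a status line. A syntax check like this is a floor, not a guarantee (an attacker who can shape both ends of the exchange can make it look like HTTP), and, as Lang notes, none of it applies to an SSL connection the proxy cannot read.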