If funds are not an issue I would build a DMZ and put it there. If fundage is a problem I would harden the web server as much as possible and put it outside. If you put it on the inside and someone uses a web server exploit that gives them root/admin rights, your internal network becomes someone's new playground. If you put the web server on the outside and it gets exploited it's not near as much of a headache.

On Monday 06 May 2002 10:14 am, you wrote:
> We are a small shop getting serious about installing our first web server.
> The server would be used by six clients totaling about 20 users to access
> an Oracle app on a server. We have a PIX 515 with all ports closed except
> for the internet and Citrix.
> The outside consultant recommends that the web server be placed inside the
> firewall. Their logic is...

I don't agree with their logic...

> If the web server is outside the firewall, it is more vulnerable to attack
> as it can be flooded or otherwise brought down since it won't be protected
> by the firewall. Behind the firewall, the firewall software would recognize

uhh... It can be flooded regardless if it's inside or outside...

> and stop that kind of activity. The firewall would also protect the rest of
> the network because all other IP addresses that are inside the firewall
> would be made invisible by the firewall.

But if the webserver is on the inside and gets rooted, getting internal IPs is a trivial thing.

> Outside the firewall, we could connect to the Oracle server but that would
> require the oracle server be given a public IP address so the web server
> could see it.

With the number of Oracle exploits going around now I would be careful here.

> I think that it should be outside the firewall.
>

I think you're right. But a DMZ, if you can afford building one, would be a better choice.

> I welcome any suggestions and the reasoning behind the suggestions as to
> proper placement of the web server.
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go
> to: http://lists.gnac.net/mailman/listinfo/firewalls
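
The three placements discussed in this thread, compared in a small model. This is an added example, not part of the original post: the host names, the listening ports, the permit rules and the assumption that the web server may only talk to the Oracle listener on 1521 are all constructed for illustration.

```python
# Added illustration: every host, port and rule here is a constructed assumption.
# Services each host listens on (constructed sample inventory).
SERVICES = {
    "web":     {22, 80, 443},   # SSH for admin plus the web ports
    "oracle":  {1521},          # default Oracle listener port
    "files":   {445},
    "desktop": {3389},
}
INTERNAL = ("oracle", "files", "desktop")

# Firewall permits per placement as (source, destination, port); default deny.
PERMITS = {
    "inside":  [("internet", "web", 80), ("internet", "web", 443)],
    "outside": [("web", "oracle", 1521)],
    "dmz":     [("internet", "web", 80), ("internet", "web", 443),
                ("web", "oracle", 1521)],
}
# Segment the web server sits on for each placement.
WEB_ZONE = {"inside": "inside", "outside": "internet", "dmz": "dmz"}

def zone_of(host, placement):
    if host == "internet":
        return "internet"
    return WEB_ZONE[placement] if host == "web" else "inside"

def allowed(src, dst, port, placement):
    """True if src can open a connection to dst:port under this placement."""
    if port not in SERVICES[dst]:
        return False
    if zone_of(src, placement) == zone_of(dst, placement):
        return True  # same segment: the firewall never sees the traffic
    return (src, dst, port) in PERMITS[placement]

def internet_exposed(placement):
    """Web server ports an Internet client can reach."""
    return {p for p in SERVICES["web"]
            if allowed("internet", "web", p, placement)}

def reachable_if_web_compromised(placement):
    """Internal services an attacker on the web server can connect to."""
    return {(h, p) for h in INTERNAL for p in SERVICES[h]
            if allowed("web", h, p, placement)}

if __name__ == "__main__":
    for placement in ("inside", "outside", "dmz"):
        print(placement, sorted(internet_exposed(placement)),
              sorted(reachable_if_web_compromised(placement)))
```

Only the DMZ placement limits both results at once: the Internet sees just the web ports, and a compromised web server sees just the Oracle listener.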
