I have to agree.. If you can afford it, set up a secure DMZ area outside the firewall, only allowing needed ports and protocols through, then keep the database server inside the network, pass traffic from the web server to the database server through the firewall, use source IP restrictions wherever possible...
Same feeling on exploits.. I always want to keep any outside network traffic coming into my internal network to an absolute minimum.. If the web server is exploited on the secure DMZ, you stand much less chance of large scale damage.. Still a chance of course, but limit your exposure wherever possible...

If budget is a concern, place the web server outside the firewall on the public net and harden it.. Either way, harden the server as much as possible and restrict any communication links.. If you don't need it, don't allow it through...

-----Original Message-----
From: James Hartman [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 10, 2002 4:02 PM
To: Mike Le Master
Cc: [EMAIL PROTECTED]
Subject: Re: Web Server Placement

If funds are not an issue I would build a DMZ and put it there. If fundage is a problem I would harden the web server as much as possible and put it outside. If you put it on the inside and someone uses a web server exploit that gives them root/admin rights, your internal network becomes someone's new playground. If you put the web server on the outside and it gets exploited it's not near as much of a headache.

On Monday 06 May 2002 10:14 am, you wrote:
> We are a small shop getting serious about installing our first web
> server. The server would be used by six clients totaling about 20
> users to access an Oracle app on a server. We have a PIX 515 with all
> ports closed except for the internet and Citrix. The outside
> consultant recommends that the web server be placed inside the
> firewall. Their logic is...

I don't agree with their logic...

> If the web server is outside the firewall, it is more vulnerable to
> attack as it can be flooded or otherwise brought down since it won't
> be protected by the firewall. Behind the firewall, the firewall
> software would recognize

uhh... It can be flooded regardless if it's inside or outside...

> and stop that kind of activity. The firewall would also protect the
> rest of the network because all other IP addresses that are inside the
> firewall would be made invisible by the firewall.

But if the webserver is on the inside and gets rooted, getting internal IPs is a trivial thing.

> Outside the firewall, we could connect to the Oracle server but that
> would require the oracle server be given a public IP address so the
> web server could see it.

With the number of Oracle exploits going around now I would be careful here.

> I think that it should be outside the firewall.
>

I think you're right. But a DMZ, if you can afford building one, would be a better choice.

> I welcome any suggestions and the reasoning behind the suggestions as
> to proper placement of the web server.
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls
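
The placement both replies favor (web server in a DMZ, database server inside, only needed ports through, source IP restrictions), sketched as a forward-chain ruleset for a three-interface firewall. This is an added example and not part of the original thread; the use of nftables, the interface names, the addresses and the Oracle listener port 1521 are all assumptions chosen for illustration.

```nftables
# Constructed example: every name and address below is an assumption.
define wan_if  = "eth0"        # public side
define dmz_if  = "eth1"        # DMZ segment holding the web server
define lan_if  = "eth2"        # internal network holding the database server
define web_srv = 192.0.2.10    # web server in the DMZ (documentation range)
define db_srv  = 10.0.0.20     # internal Oracle server, private address only
define db_port = 1521          # assumed Oracle listener port

table inet dmz_policy {
    chain forward {
        # Default deny: "if you don't need it, don't allow it through"
        type filter hook forward priority 0; policy drop;

        # Replies for flows that one of the rules below already admitted
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only web traffic, only to the web server
        iifname $wan_if oifname $dmz_if ip daddr $web_srv tcp dport { 80, 443 } ct state new accept

        # DMZ -> inside: only the web server, only to the database listener.
        # The database keeps its private address; nothing public points at it.
        iifname $dmz_if oifname $lan_if ip saddr $web_srv ip daddr $db_srv tcp dport $db_port ct state new accept

        # Any other attempt from the DMZ toward the inside is worth an alert:
        # a healthy web server never generates it.
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan-denied: " drop

        # Internet -> inside directly: never
        iifname $wan_if oifname $lan_if log prefix "wan-to-lan-denied: " drop
    }
}
```

With this shape, a compromised web server can reach one port on one internal host and nothing else, and the `dmz-to-lan-denied` log line is the signal that it is trying.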
