On Mon, 6 May 2002, Mike Le Master wrote:

> The outside consultant recommends that the web server be placed inside the
> firewall. Their logic is...

Don't rely on the consultant for security. *If* you have an additional interface on the firewall, put the Web server behind that interface. Otherwise, use filtering rules on your border router to block all but the necessary HTTP and/or HTTPS ports. Alternately, packet filter on the Web server itself to allow external access only to the necessary port(s).

> If the web server is outside the firewall, it is more vulnerable to attack as
> it can be flooded or otherwise brought down since it won't be protected by
> the firewall. Behind the firewall, the firewall software would recognize and
> stop that kind of activity. The firewall would also protect the rest of the

Most attacks against Web servers are in-band; firewalls as a rule don't stop in-band attacks. Firewalls as a rule don't "recognize" malicious activity, they either allow or deny traffic based on pretty simplistic criteria.

> network because all other IP addresses that are inside the firewall would be
> made invisible by the firewall.

But if you allow public traffic to the internal network, then compromise of the Web server (sometimes a very easy thing) means compromise of the internal network. I can't imagine a scenario where I'd put a public machine inside the firewall without a great deal of additional protection and a trusted OS, and even then I'd be grumpy about doing it.

> Outside the firewall, we could connect to the Oracle server but that would
> require the oracle server be given a public IP address so the web server
> could see it.
> I think that it should be outside the firewall.

Where the database server goes depends on what needs to access it, what's on it and how well you can protect it.

> I welcome any suggestions and the reasoning behind the suggestions as to
> proper placement of the web server.

Web server, definitely outside the firewall, database server depends, since it should only accept connections from the Web server, not from all over the Internet.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
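The placement argument in the reply above, as an added example that is not part of the original post or any product discussed in it: a toy first-match packet filter that models a Web server on its own firewall interface (a DMZ), reachable from the Internet only on 80/443, with the database listener reachable only from the Web host. It also shows the two points Paul makes that rules alone don't capture: traffic that stays on one segment never crosses the firewall, so a Web server placed inside reaches every internal host unfiltered once compromised, and the filter never inspects request content, so application-layer ("in-band") attacks pass the same allow rule as legitimate requests. All addresses, networks and ports are constructed sample values.

```python
# Added example, not from the original mailing-list post. A toy first-match
# packet filter modelling the DMZ placement the reply recommends.
# Every address, network and port below is a constructed sample value.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed segments attached to the firewall (assumption).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
ANY = ip_network("0.0.0.0/0")
WEB_DMZ = "192.0.2.10"        # Web server placed on its own (DMZ) interface
WEB_INSIDE = "10.0.0.10"      # the consultant's layout: Web server inside
DB_SERVER = "10.0.0.20"       # Oracle server, inside in both layouts
FILE_SERVER = "10.0.0.30"     # some other internal host
DB_PORT = 1521                # assumed Oracle listener port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""  # the filter never looks at this (see in_band_unfiltered)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset = frozenset()  # empty means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (not self.dports or pkt.dport in self.dports))


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def policy_for(web_server: str) -> list:
    """Minimal rule set: public only to the Web ports, DB only from the Web host."""
    def host(a: str) -> IPv4Network:
        return ip_network(a + "/32")
    return [
        Rule("allow", ANY, host(web_server), frozenset({80, 443})),
        Rule("allow", host(web_server), host(DB_SERVER), frozenset({DB_PORT})),
    ]  # everything else falls through to the default deny in decide()


def decide(pkt: Packet, policy: list) -> str:
    # Traffic that stays on one segment never crosses the firewall, so no
    # rule can apply to it. This is the crux of the placement argument.
    if zone_of(pkt.src) == zone_of(pkt.dst):
        return "unfiltered"
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def placement_report(web_server: str) -> dict:
    """Verdicts for the same traffic with the Web server at the given address."""
    pol = policy_for(web_server)
    outside = "203.0.113.5"  # constructed external address
    return {
        "internet->web:80": decide(Packet(outside, web_server, 80), pol),
        "internet->web:22": decide(Packet(outside, web_server, 22), pol),
        "internet->db:1521": decide(Packet(outside, DB_SERVER, DB_PORT), pol),
        "web->db:1521": decide(Packet(web_server, DB_SERVER, DB_PORT), pol),
        # What a compromised Web server could reach beyond the DB listener:
        "web->db:22": decide(Packet(web_server, DB_SERVER, 22), pol),
        "web->fileserver:445": decide(Packet(web_server, FILE_SERVER, 445), pol),
    }


def in_band_unfiltered(web_server: str = WEB_DMZ) -> bool:
    """Matching uses only addresses and ports, so two requests to port 80 get
    the same verdict whatever their HTTP content: application-layer attacks
    ride in-band on the allow rule, exactly as the reply says."""
    pol = policy_for(web_server)
    benign = Packet("203.0.113.5", web_server, 80, payload="GET / HTTP/1.0")
    other = Packet("203.0.113.5", web_server, 80, payload="POST /app HTTP/1.0 ...")
    return decide(benign, pol) == decide(other, pol) == "allow"


if __name__ == "__main__":
    for label, host in (("Web server in DMZ", WEB_DMZ), ("Web server inside", WEB_INSIDE)):
        print(label)
        for key, verdict in placement_report(host).items():
            print(f"  {key:22} {verdict}")
    print("payload ignored by filter:", in_band_unfiltered())
```

With the Web server in the DMZ, `web->db:22` and `web->fileserver:445` are denied, so a compromised Web host is confined to the one database port; with the Web server inside, the same packets come back `unfiltered` because the firewall is not between the Web host and the rest of the internal network. A real filter keys on the ingress interface rather than only the source address (so an outside packet claiming a DMZ source does not match the Web-to-DB rule); that anti-spoofing step is not modelled here.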
