Thank you all for the comments, suggestions, and recommendations. We are
seriously considering placing the web server inside, in a separate subnet.
The PIX will route traffic between the two subnets: Subnet A containing the web
server (ColdFusion, IIS) and the Exchange 5.0 server; Subnet B containing the
protected network (PDC, Oracle [both in the same box]), other file servers,
SQL Server, and employee workstations.
If we were to assume that this will be the final configuration, what
recommendations would you make in order to secure Subnets A & B?

-----Original Message-----
From: Brian Ford [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 12, 2002 9:23 PM
To: Ben Nagy; 'Mike Le Master'
Cc: [EMAIL PROTECTED]
Subject: Re: Web Server Placement


Ben, Mike;

I think Ben hit all the right points.  Your decision should be about how 
much risk you are willing to assume given the various configurations and 
their capabilities of protecting your assets.

The big problem is that http can be used as an attack channel.  There is no 
getting around that.  You can tighten the screws on the web server, keep 
system and application software on the web server up to date, and watch it 
like a hawk.

Say you put the web server inside the firewall.  You can add additional 
rules to the PIX so as to block any non http traffic going out (from the 
web server). That limits an attackers control channel outbound to 
http.  When you see sessions trying to get out originating from the web 
server in the PIX log you drill down and look for an intrusion. You can try 
and tighten the screws further and either alarm or block http sessions that 
initiate on the web server.  It's not perfect because the attacker can 
still get through (and try and use the established http session as their 
control channel back out).

If you put the web server on the outside of the firewall and it gets 
rooted, the attacker will have access to the Oracle connection.  What 
happens on that connection is dependent on how your application works.  You 
can take away the http control channel (blocking http inbound at the 
firewall) and replace it with what the attacker can do via whatever Oracle 
capability your application externalized.   In this scenario you need to 
take a deeper look at how logging works in Oracle and specifically in your 
Oracle application.  You also have to look at what is in the Oracle 
data.  The attacker might be able to hurt you by just mining that Oracle 
data stream.

The DMZ suggestion is good.  Or you may want to consider a second firewall 
implementing a different, interior security policy.

Liberty for All,

Brian


At 01:28 PM 5/12/2002 -0700, [EMAIL PROTECTED] wrote:
>From: "Ben Nagy" <[EMAIL PROTECTED]>
>To: "'Mike Le Master'" <[EMAIL PROTECTED]>,
>         <[EMAIL PROTECTED]>
>Subject: RE: Web Server Placement
>Date: Fri, 10 May 2002 20:20:22 +0200
>
>Hi Mike,
>
>Having the HTTP server on the inside network is one of the things that
>makes most firewall guys really edgy. It's risky. The main problem is
>that if your WWW server gets r00ted, it can very easily be used as a
>jumping off point to go on and attack the rest of the network. Given
>that MS based web servers in particular are statistically the most
>likely to suffer complete compromise, it's an accident waiting to
>happen.
>
>Having the WWW server _outside_ the firewall, with a link to an Oracle
>backend is almost as bad. All it would take is for an attacker to
>control the webserver, then they could sit there watching (or maybe even
>manipulating) all your Oracle traffic. That's bad. By the way, in that
>scenario you don't need to give the oracle box a public IP, just
>configure a static on the PIX and appropriate access lists.
>
>The argument that "the firewall can stop all that stuff" is almost
>completely inaccurate. The _only_ attack on a WWW server that a PIX will
>stop is a Denial of Service. That is also probably the attack that
>you're least worried about. All the nasty stuff will come straight in on
>the HTTP port and the PIX will be none the wiser.
>
>The Best Way To Do It would be to put the WWW server on a different
>ethernet interface on the PIX (known as a DMZ...sort of). There are
>still potential problems, and you should probably skim the archives,
>because we talked about some of them (particularly germane to the WWW /
>Oracle stuff) very recently.
>
>If you only have a two interface PIX and can't / won't change that, then
>I would put the WWW server _inside_, but configure the PIX to
>authenticate incoming HTTP traffic. Check cisco's website for the
>details [1]. It would be preferable to do that against a RADIUS server,
>but even a password list in the PIX would be OK. That will mean that
>attackers would need to guess your password before they could start
>attacking your WWW server. Since you only need to make it available to a
>limited number of people this should be OK. Choose strong passwords.
>
>HTH, HAND etc.
>
>Cheers,
>
>[1] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid66
>(link almost certainly wraps)
>--
>Ben Nagy
>Network Security Specialist
>Mb: TBA  PGP Key ID: 0x1A86E304
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Le Master
> > Sent: Monday, May 06, 2002 5:15 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Web Server Placement
> >
> >
> > We are a small shop getting serious about installing our
> > first web server. The server would be used by six clients
> > totaling about 20 users to access an Oracle app on a server.
> > We have a PIX 515 with all ports closed except for the
> > internet and Citrix. The outside consultant recommends that
> > the web server be placed inside the firewall. Their logic
> > is... If the web server is outside the firewall, it is more
> > vulnerable to attack as it can be flooded or otherwise brought
> > down since it won't be protected by the firewall. Behind the
> > firewall, the firewall software would recognize and stop that
> > kind of activity. The firewall would also protect the rest of
> > the network because all other IP addresses that are inside
> > the firewall would be made invisible by the firewall.
> > Outside the firewall, we could connect to the Oracle server
> > but that would require the oracle server be given a public IP
> > address so the web server could see it. I think that it
> > should be outside the firewall.
> >
> > I welcome any suggestions and the reasoning behind the
> > suggestions as to proper placement of the web server.

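Brian's suggestion above (tighten the PIX so the web server can only initiate the sessions its application needs, then drill down on anything else that shows up in the PIX log) can be turned into a small review script. The following is an added example, not code from the thread, from Cisco, or from any poster. It assumes the PIX 6.x "Built connection" syslog message (ID 302001) has the field layout shown in the regex and that laddr is the initiator for outbound connections and faddr the initiator for inbound ones; the hosts, subnets, policy and every log line are constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, Optional

# Addresses are constructed (RFC 1918 / RFC 5737 ranges) and stand in for the
# "Subnet A" / "Subnet B" layout discussed in the thread.
WEB_SERVER = ip_address("192.168.2.10")     # hypothetical web server on its own PIX interface
ORACLE_DB = ip_address("10.0.0.20")         # hypothetical Oracle/PDC box on the protected subnet
INSIDE_NET = ip_network("10.0.0.0/24")      # hypothetical protected subnet ("Subnet B")

# Sessions the web server is expected to initiate. Anything else it starts is reported,
# which is the "block non-HTTP outbound and look at what tries to get out" idea.
ALLOWED_EGRESS = {
    (ORACLE_DB, "TCP", 1521),               # application traffic to the Oracle listener
}

# Assumed layout of PIX 6.x message 302001; the gaddr field is not needed here.
BUILT_RE = re.compile(
    r"%PIX-6-302001: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr [\d.]+/\d+ "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)


@dataclass(frozen=True)
class Session:
    src: IPv4Address      # host that initiated the session
    sport: int
    dst: IPv4Address      # host that received it
    dport: int
    proto: str


def parse_built(line: str) -> Optional[Session]:
    """Turn one 'Built connection' log line into a Session; other lines give None.

    Assumption: for an outbound connection (higher- to lower-security interface)
    laddr is the initiator and faddr the destination; for inbound it is the reverse.
    """
    m = BUILT_RE.search(line)
    if not m:
        return None
    f = (ip_address(m["faddr"]), int(m["fport"]))
    l = (ip_address(m["laddr"]), int(m["lport"]))
    src, dst = (l, f) if m["dir"] == "outbound" else (f, l)
    return Session(src[0], src[1], dst[0], dst[1], m["proto"])


def classify(s: Session) -> Optional[str]:
    """Return a reason to look closer, or None if the session is expected."""
    if s.src != WEB_SERVER:
        return None                         # only sessions the web server initiates matter here
    if (s.dst, s.proto, s.dport) in ALLOWED_EGRESS:
        return None
    if s.dst in INSIDE_NET:
        return "web server opened a session into the protected subnet"
    if s.proto == "TCP" and s.dport in (80, 443):
        return "web server initiated an outbound HTTP session"
    return "web server initiated an unexpected outbound session"


def scan(lines: Iterable[str]) -> list:
    """Return (reason, line) pairs for every log line that warrants a look."""
    alerts = []
    for line in lines:
        s = parse_built(line)
        if s is None:
            continue
        reason = classify(s)
        if reason:
            alerts.append((reason, line.strip()))
    return alerts


# Constructed sample log lines (not real PIX output).
SAMPLE_LOG = [
    # a client fetching a page: normal
    "May 13 2002 09:01:10: %PIX-6-302001: Built inbound TCP connection 1001 for faddr 198.51.100.7/3211 gaddr 203.0.113.10/80 laddr 192.168.2.10/80",
    # web server talking to Oracle on the expected port: allowed by policy
    "May 13 2002 09:01:11: %PIX-6-302001: Built inbound TCP connection 1002 for faddr 192.168.2.10/1044 gaddr 192.168.2.10/1044 laddr 10.0.0.20/1521",
    # web server opening HTTP to the Internet: the outbound control-channel pattern Brian describes
    "May 13 2002 09:02:30: %PIX-6-302001: Built outbound TCP connection 1003 for faddr 203.0.113.50/80 gaddr 203.0.113.10/1050 laddr 192.168.2.10/1050",
    # web server reaching a file server in the protected subnet on SMB
    "May 13 2002 09:02:45: %PIX-6-302001: Built inbound TCP connection 1004 for faddr 192.168.2.10/1051 gaddr 192.168.2.10/1051 laddr 10.0.0.5/445",
    # an employee workstation browsing: not the web server, ignored
    "May 13 2002 09:03:00: %PIX-6-302001: Built outbound TCP connection 1005 for faddr 203.0.113.9/80 gaddr 203.0.113.10/1060 laddr 10.0.0.33/1060",
    # teardown message: not a 'Built' line, skipped by the parser
    "May 13 2002 09:03:05: %PIX-6-302002: Teardown TCP connection 1001 faddr 198.51.100.7/3211 gaddr 203.0.113.10/80 laddr 192.168.2.10/80 duration 0:00:02 bytes 5120",
]

if __name__ == "__main__":
    for reason, line in scan(SAMPLE_LOG):
        print(f"ALERT: {reason}\n    {line}")
```

Run against the constructed log, only the two sessions the web server starts outside its policy are reported: the HTTP session to the Internet and the SMB session into Subnet B. The policy table is deliberately a whitelist: once the PIX access lists already deny everything but the Oracle port, a "Built" line for anything else means a rule is missing or someone is on the box, and either way it deserves the drill-down Brian describes.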
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls