Firewall Wizards mailing list archives
Re: Web server inside the firewall
From: Bennett Todd <bet () mordor net>
Date: Wed, 2 Dec 1998 17:07:12 -0500
I agree with the comments I've seen others make on this thread (in short: Don't Do It). Just wanted to add one little note:

1998-11-30-14:34:13 Kevin Tyrrell:

> I have been getting pressure lately to have a web server moved from the DMZ to behind the firewall. The reasoning is this will make it easier to access databases on our internal network.
Yup. The idea of the firewall is to prevent access to goo on your internal network, from the outside; the people who are applying this pressure are saying they want you to remove the firewall.

A web server is very, very hard to secure, since it offers in general the richest and most flexible service offering of the standard types of servers. There's a very good chance your server has lethal holes in it now, so that it can be burgled from the outside. Move it inside the firewall, leaving a hole behind it, and burgling your web server will constitute violating your security perimeter, cutting past the firewall.

If you can't block this, then I'd recommend finding a new job, and in your exit interview encouraging whoever picks things up to just remove the firewall, since it's not going to be protecting your internal network any more.

Publicly-visible web servers belong out in the DMZ. Data they need to interact with belongs out on the DMZ. Imports and exports need to go through outbound-only encrypted tunnels (e.g. ssh) originated from the inside. If you need to gather high-security data (e.g. CC #s on an e-commerce site), have the web server immediately pass them on to a high-security drop box out in the DMZ, then have a periodic polling process from the inside pick them up and do your e-commerce things to them, and send order tracking status info back out to the public server.

-Bennett
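The DMZ layout Bennett describes (public web server and drop box out in the DMZ, order data pulled inward only over ssh sessions originated from the inside, nothing originated from the DMZ allowed toward the internal network) written as an nftables forward policy for a three-legged firewall. This is an added example, not part of the original thread; the interface names, subnets and host addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed topology (not from the thread):
#   eth0 = Internet, eth1 = DMZ (192.0.2.0/24), eth2 = internal (10.0.0.0/8)
#   192.0.2.10 = public web server, 192.0.2.20 = high-security drop box
flush ruleset

define WAN     = eth0
define DMZ     = eth1
define LAN     = eth2
define WEB     = 192.0.2.10
define DROPBOX = 192.0.2.20

table inet dmz_policy {
    chain forward {
        # Anything not explicitly permitted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Reply traffic for connections that were permitted below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTP/HTTPS, and only to the web server.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # Web server -> drop box stays inside the DMZ segment and never
        # crosses this firewall, so no rule is needed for it here.

        # Internal -> DMZ: the periodic polling process opens ssh to the
        # drop box to collect orders and push status back. This is the only
        # path by which that data moves, and it is always originated inside.
        iifname $LAN oifname $DMZ ip daddr $DROPBOX tcp dport 22 accept

        # DMZ -> internal: nothing at all. A burgled web server cannot open
        # a single new connection toward the internal network. The chain
        # policy already drops this; the explicit rule keeps a counter so
        # attempts are visible in `nft list ruleset`.
        iifname $DMZ oifname $LAN counter drop
    }
}
```

Moving the web server behind the firewall, as the original post proposed, is equivalent to replacing the last rule with an accept for that host, which is the hole the rest of the thread objects to.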
Current thread:
- Web server inside the firewall Kevin Tyrrell (Dec 01)
- Re: Web server inside the firewall Perry E. Metzger (Dec 02)
- Re: Web server inside the firewall Arian Hormozi (Dec 03)
- Re: Web server inside the firewall Steve George (Dec 02)
- Re: Web server inside the firewall Bennett Todd (Dec 03)
- <Possible follow-ups>
- Re: Web server inside the firewall Bob Acosta (Dec 02)
- RE: Web server inside the firewall Shivdasani, Meenoo (Dec 03)
- Re: Web server inside the firewall James Conley (Dec 03)
- RE: Web server inside the firewall Readwin, Neil (Dec 04)
- RE: Web server inside the firewall Safier, Adam (GEIS) (Dec 04)
- RE: Web server inside the firewall tyrrell (Dec 07)
- Re: Web server inside the firewall Bennett Todd (Dec 08)
- RE: Web server inside the firewall tyrrell (Dec 07)
- Re: Web server inside the firewall Perry E. Metzger (Dec 02)