Re: Web server inside the firewall

[Bennett Todd <bet () mordor net>]

I agree with the comments I've seen others make on this thread (in short:
Don't Do It). Just wanted to add one little note:

1998-11-30-14:34:13 Kevin Tyrrell:
> I have been getting pressure lately to have a web server moved from the DMZ
> to behind the firewall. The reasoning is this will make it easier to access
> databases on our internal network.

Yup. The idea of the firewall is to prevent access to goo on your internal
network, from the outside; the people who are applying this pressure are
saying they want you to remove the firewall.

A web server is very, very hard to secure, since it offers in general the
richest and most flexible service offering of the standard types of servers.
There's a very good chance your server has lethal holes in it now, so that it
can be burgled from the outside. Move it inside the firewall leaving a hole
behind it, and burgling your web server will constitute violating your
security perimeter, cutting past the firewall.

If you can't block this, then I'd recommend finding a new job, and in your
exit interview encouraging whoever picks things up to just remove the
firewall, since it's not going to be protecting your internal network any
more.

Publicly-visible web servers belong out in the DMZ. Data they need to interact
with belongs out on the DMZ. Imports and exports need to go through
outbound-only encrypted tunnels (e.g. ssh) originated from the inside. If you
need to gather high-security data (e.g. CC #s on an e-commerce site) have the
web server immediately pass them on to a high-security drop box out in the
DMZ, then have a periodic polling process from the inside pick them up and do
your e-commerce things to them, and send order tracking status info back out
to the public server.

-Bennett