RE: Web server inside the firewall

["Safier, Adam (GEIS)" <Adam.Safier () geis ge com>]

Have you noticed that in his note he said all the traffic to the web server
was from the INSIDE (http & ftp)?  i.e no EXTERNAL users.  My main question
is - Is the reason for protecting the web server from the internal users
still valid or is the DMZ an aborted plan for an extranet?

If the internal users are trusted then the only catch with moving it in is
that someday the original project that put it in the DMZ might come back to
life. Bad politically. If the internal users are not trusted then how is the
database server protected?   (Maybe the mountain should come to Mohamed -
move the DB server into the same, or a second, DMZ.  Personally, I like
multiport NICS and keepig the Web server isolated.)

Adam

> -----Original Message-----
> From: Bennett Todd [SMTP:bet () mordor net]
> Sent: Wednesday, December 02, 1998 5:07 PM
> To:   Kevin Tyrrell
> Cc:   Firewall Wizards
> Subject:      Re: Web server inside the firewall
>
> I agree with the comments I've seen others make on this thread (in short:
> Don't Do It). Just wanted to add one little note:
>
> 1998-11-30-14:34:13 Kevin Tyrrell:
> > I have been getting pressure lately to have a web server moved from the
> DMZ
> > to behind the firewall. The reasoning is this will make it easier to
> access
> > databases on our internal network.
>
> Yup. The idea of the firewall is to prevent access to goo on your internal
> network, from the outside; the people who are applying this pressure are
> saying they want you to remove the firewall.
>
> A web server is very, very hard to secure, since it offers in general the
> richest and most flexible service offering of the standard types of
> servers.
> There's a very good chance your server has lethal holes in it now, so that
> it
> can be burgled from the outside. Move it inside the firewall leaving a
> hole
> behind it, and burgling your web server will constitute violating your
> security perimeter, cutting past the firewall.
>
> If you can't block this, then I'd recommend finding a new job, and in your
> exit interview encouraging whoever picks things up to just remove the
> firewall, since it's not going to be protecting your internal network any
> more.
>
> Publicly-visible web servers belong out in the DMZ. Data they need to
> interact
> with belongs out on the DMZ. Imports and exports need to go through
> outbound-only encrypted tunnels (e.g. ssh) originated from the inside. If
> you
> need to gather high-security data (e.g. CC #s on an e-commerce site) have
> the
> web server immediately pass them on to a high-security drop box out in the
> DMZ, then have a periodic polling process from the inside pick them up and
> do
> your e-commerce things to them, and send order tracking status info back
> out
> to the public server.
>
> -Bennett