Firewall Wizards mailing list archives
RE: Web server inside the firewall
From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Fri, 4 Dec 1998 00:13:39 -0500
Have you noticed that in his note he said all the traffic to the web server was from the INSIDE (http & ftp)? i.e. no EXTERNAL users. My main question is - Is the reason for protecting the web server from the internal users still valid or is the DMZ an aborted plan for an extranet? If the internal users are trusted then the only catch with moving it in is that someday the original project that put it in the DMZ might come back to life. Bad politically. If the internal users are not trusted then how is the database server protected? (Maybe the mountain should come to Mohamed - move the DB server into the same, or a second, DMZ. Personally, I like multiport NICs and keeping the Web server isolated.)

Adam
-----Original Message-----
From: Bennett Todd [SMTP:bet () mordor net]
Sent: Wednesday, December 02, 1998 5:07 PM
To: Kevin Tyrrell
Cc: Firewall Wizards
Subject: Re: Web server inside the firewall

I agree with the comments I've seen others make on this thread (in short: Don't Do It). Just wanted to add one little note:

1998-11-30-14:34:13 Kevin Tyrrell:
> I have been getting pressure lately to have a web server moved from the
> DMZ to behind the firewall. The reasoning is this will make it easier to
> access databases on our internal network.

Yup. The idea of the firewall is to prevent access to goo on your internal network, from the outside; the people who are applying this pressure are saying they want you to remove the firewall.

A web server is very, very hard to secure, since it offers in general the richest and most flexible service offering of the standard types of servers. There's a very good chance your server has lethal holes in it now, so that it can be burgled from the outside. Move it inside the firewall leaving a hole behind it, and burgling your web server will constitute violating your security perimeter, cutting past the firewall. If you can't block this, then I'd recommend finding a new job, and in your exit interview encouraging whoever picks things up to just remove the firewall, since it's not going to be protecting your internal network any more.

Publicly-visible web servers belong out in the DMZ. Data they need to interact with belongs out on the DMZ. Imports and exports need to go through outbound-only encrypted tunnels (e.g. ssh) originated from the inside. If you need to gather high-security data (e.g. CC #s on an e-commerce site) have the web server immediately pass them on to a high-security drop box out in the DMZ, then have a periodic polling process from the inside pick them up and do your e-commerce things to them, and send order tracking status info back out to the public server.

-Bennett
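The two designs argued over in this thread (web server in the DMZ with inside-originated tunnels, versus web server moved inside with a hole behind it) can be compared as a simple reachability exercise. The following is an added example written for this archive page, not code from any poster: it models a stateful filter where only connection origination needs a rule, then computes which hosts an attacker who has taken over the public web server can go on to connect to. All host names, zones and the database port are constructed.

```python
"""Reachability model of the two firewall designs discussed in the thread.

Added illustration, not code from the mailing list. Hosts, zones and ports
are constructed for the example. The filter is assumed to be stateful: a rule
permits connections ORIGINATED from src_host to dst_host:port, and replies
flow back without a rule of their own, which is what lets the inside pull
from the DMZ without any DMZ-to-inside rule existing.
"""
from collections import deque


def allowed_targets(rules, host):
    """(dst_host, port) pairs that `host` may originate connections to."""
    return {(dst, port) for src, dst, port in rules if src == host}


def blast_radius(rules, compromised):
    """Every (host, port) an attacker controlling `compromised` can initiate a
    connection to, following permitted connections transitively. Each host
    reached is assumed to be compromisable in turn, the worst case a
    perimeter review should plan for (Bennett's 'lethal holes' premise)."""
    reached, queue = set(), deque([compromised])
    while queue:
        current = queue.popleft()
        for dst, port in allowed_targets(rules, current):
            if (dst, port) not in reached:
                reached.add((dst, port))
                queue.append(dst)
    return reached


def internal_hosts_reached(rules, compromised, internal_prefix="inside-"):
    """Sorted list of internal hosts inside the blast radius of `compromised`."""
    return sorted({dst for dst, _ in blast_radius(rules, compromised)
                   if dst.startswith(internal_prefix)})


# Design A, as Bennett describes it: public web server and its drop box live
# in the DMZ; every import/export is an ssh session originated from inside.
DMZ_DESIGN = [
    ("internet", "dmz-web", 80),            # public HTTP
    ("dmz-web", "dmz-dropbox", 22),         # web server hands orders to the drop box
    ("inside-poller", "dmz-dropbox", 22),   # inside pulls orders periodically
    ("inside-poller", "dmz-web", 22),       # inside pushes order status back out
]

# Design B, the change Kevin is being pressured into: web server moved inside,
# a hole punched through the firewall so the public can still reach it, and a
# direct connection from the web server to the internal database.
INSIDE_DESIGN = [
    ("internet", "inside-web", 80),
    ("inside-web", "inside-db", 5432),      # constructed database port
]


if __name__ == "__main__":
    for name, rules in (("DMZ design", DMZ_DESIGN), ("inside design", INSIDE_DESIGN)):
        print(name, "-> internal hosts reachable from the internet:",
              internal_hosts_reached(rules, "internet") or "none")
```

Run as a script it reports no internal host reachable from the internet under the DMZ design and both the web server and the database under the inside design, even though the inside design has fewer rules. The model only covers connection direction; it says nothing about the inside poller being fed hostile data from a compromised drop box, which is why Bennett keeps that pickup to a narrow, periodic process rather than a general-purpose link.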
Current thread:
- Web server inside the firewall Kevin Tyrrell (Dec 01)
- Re: Web server inside the firewall Perry E. Metzger (Dec 02)
- Re: Web server inside the firewall Arian Hormozi (Dec 03)
- Re: Web server inside the firewall Steve George (Dec 02)
- Re: Web server inside the firewall Bennett Todd (Dec 03)
- <Possible follow-ups>
- Re: Web server inside the firewall Bob Acosta (Dec 02)
- RE: Web server inside the firewall Shivdasani, Meenoo (Dec 03)
- Re: Web server inside the firewall James Conley (Dec 03)
- RE: Web server inside the firewall Readwin, Neil (Dec 04)
- RE: Web server inside the firewall Safier, Adam (GEIS) (Dec 04)
- RE: Web server inside the firewall tyrrell (Dec 07)
- Re: Web server inside the firewall Bennett Todd (Dec 08)
- RE: Web server inside the firewall tyrrell (Dec 07)
- Re: Web server inside the firewall Perry E. Metzger (Dec 02)