Firewall Wizards mailing list archives
RE: web to db access [was RE: ]
From: Kjell Wooding <kwooding () codetalker com>
Date: Mon, 29 Jun 1998 15:18:45 -0600
> fair comment re local user. but the only way someone could get to be a "local user" on the web server would be if they had defeated the firewall. if they've done this then (presumably) they could also just go straight into the internal lan since this is also connected to the firewall. (attempted ascii diagram follows...)
>
>     public internet ---- firewall ----- web server
>                             |
>                             |
>                  < internal systems on lan >
Technically, your DMZ hosts (like the web server) are not really "behind" your firewall. By their very definition, these hosts are exposed in some manner. I presume, by your picture, that your Firewall is providing some filtering to your DMZ hosts. (Access is permitted to the Web Server, but only to port 80, for example.) With a suitable Webserver exploit, there is no need to defeat the firewall to compromise the web server. GET /cgi-bin/phf?... is a perfectly legitimate HTTP transaction. Successful CGI exploits are in effect "local users", since the commands will execute locally. The purpose for putting your web server (or any other bastion host) in the DMZ is to isolate it from your internal network. In this way, a compromise of your web server will NOT represent a compromise of your internal LAN.
> is there any real difference between allowing (for example) smtp into the internal lan (via the firewall) and allowing (in this case) http into the web server. i guess there is in so far as the http could then generate action on the web server (cgi or similar). so it comes down to the security on & capabilities of, the web server/cgi/scripts?
I would not recommend allowing ANY connections initiated from "outside" in through your firewall. It is much safer to put all exposed hosts (SMTP, HTTP, FTP) in the DMZ and allow only access initiated from "inside" through the firewall. Outsider-initiated connections are allowed only to the DMZ, so a compromise there will not expose your internal network (though it may expose the other DMZ machines).

-kj

--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.
For the latest Infosec News, see http://www.codetalker.com/
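The policy Kjell describes (outside-initiated sessions reach only specific DMZ services, inside-initiated sessions go out, and nothing crosses from the DMZ into the internal LAN) can be written down as a small first-match ruleset and checked against sample flows. The following is an added example, not code from the thread or from any product named in it; the addresses, zone names and the `Rule`/`decide` helpers are constructed for illustration, and the model only decides the packet that initiates a connection (replies are assumed to be handled by state tracking).

```python
"""Toy first-match policy evaluator for the three-zone DMZ layout in the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional

# Constructed addressing for the example (assumption, not from the thread).
INTERNAL_NET = IPv4Network("10.0.0.0/24")
DMZ_NET = IPv4Network("192.0.2.0/24")
WEB_SERVER = IPv4Address("192.0.2.10")
MAIL_RELAY = IPv4Address("192.0.2.25")


def zone_of(addr: IPv4Address) -> str:
    """Map an address to one of the three zones in the ascii diagram."""
    if addr in INTERNAL_NET:
        return "internal"
    if addr in DMZ_NET:
        return "dmz"
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str                            # "*" matches any zone
    dst_zone: str
    dst_host: Optional[IPv4Address] = None   # None = any host in dst_zone
    dport: Optional[int] = None              # None = any destination port
    action: str = "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (self.src_zone in ("*", zone_of(src))
                and self.dst_zone in ("*", zone_of(dst))
                and (self.dst_host is None or self.dst_host == dst)
                and (self.dport is None or self.dport == dport))


# First match wins; the last rule is the default deny, which is what
# stops outside -> internal (e.g. SMTP straight into the LAN).
POLICY = [
    Rule("outside", "dmz", WEB_SERVER, 80, "allow"),   # only port 80 on the web host
    Rule("outside", "dmz", MAIL_RELAY, 25, "allow"),   # SMTP terminates in the DMZ
    Rule("internal", "outside", action="allow"),       # inside-initiated sessions
    Rule("internal", "dmz", action="allow"),           # admins/staff reach DMZ hosts
    Rule("dmz", "internal", action="deny"),            # a DMZ compromise stays there
    Rule("*", "*", action="deny"),                     # default deny
]


def decide(src: str, dst: str, dport: int, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for the packet that initiates a new connection."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, dport):
            return rule.action
    return "deny"


def sample_decisions() -> dict:
    """Constructed flows covering each case argued in the thread."""
    return {
        "outside->web:80": decide("203.0.113.5", "192.0.2.10", 80),
        "outside->web:22": decide("203.0.113.5", "192.0.2.10", 22),
        "outside->mailrelay:25": decide("203.0.113.5", "192.0.2.25", 25),
        "outside->internal:25": decide("203.0.113.5", "10.0.0.7", 25),
        "internal->outside:443": decide("10.0.0.7", "203.0.113.5", 443),
        "web(dmz)->internal-db:1433": decide("192.0.2.10", "10.0.0.50", 1433),
    }


if __name__ == "__main__":
    for flow, verdict in sample_decisions().items():
        print(f"{flow:30s} {verdict}")
```

Note that the last sample flow, the DMZ web server opening a connection to an internal database, is denied by this ruleset; that is exactly the tension behind the thread's subject line, and any web-to-DB path would have to be added as an explicit, narrowly scoped rule (single source host, single destination host and port) rather than by loosening the DMZ-to-internal deny.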
Current thread:
- web to db access [was RE: ] Mark Evans (DSLWLQ) (Jun 25)
- <Possible follow-ups>
- Re: web to db access [was RE: ] Kjell Wooding (Jun 26)
- web to db access [was RE: ] Mark Evans (DSLWLQ) (Jun 28)
- RE: web to db access [was RE: ] Kjell Wooding (Jun 29)