Firewall Wizards mailing list archives

RE: web to db access [was RE: ]


From: Kjell Wooding <kwooding () codetalker com>
Date: Mon, 29 Jun 1998 15:18:45 -0600

fair comment re local user.  but the only way someone could get 
to be a "local user" on the web server would be if they had defeated
the firewall.  if they've done this then (presumably) they could also 
just go straight into the internal lan since this is also connected 
to the firewall.

(attempted ascii diagram follows...)

public internet        ----    firewall        -----   web server
                            |               |
                      <  internal systems on lan  >


Technically, your DMZ hosts (like the web server) are not really "behind"
your firewall.
By their very definition, these hosts are exposed in some manner.
I presume, by your picture, that your Firewall is providing some filtering
to your DMZ hosts.
(Access is permitted to the Web Server, but only to port 80, for example.)

With a suitable Webserver exploit, there is no need to defeat the firewall
to compromise the web server.
GET /cgi-bin/phf?... is a perfectly legitimate HTTP transaction. Successful
CGI exploits are in effect "local users", since the commands will execute locally.

The purpose for putting your web server (or any other bastion host) in the
DMZ is to isolate it from your internal network. In this way,  a compromise
of your web server will NOT represent a compromise of your internal LAN. 

is there any real difference between allowing (for example)
smtp into the internal lan (via the firewall) and allowing 
(in this case) http into the web server.  i guess there is in
so far as the http could then generate action on the web
server (cgi or similar).  so it comes down to the security
on & capabilities of,  the web server/cgi/scripts?

I would not recommend allowing ANY connections initiated from "outside" in
through your firewall.
It is much safer to put all exposed hosts (SMTP, HTTP, FTP) in the DMZ and
allow only access initiated from "inside" through the firewall. Outsider-initiated
connections are allowed only to the DMZ, so a compromise there will not expose
your internal network (though it may expose the other DMZ machines).

-kj


--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.

For the latest Infosec News, see http://www.codetalker.com/
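The zone policy the post describes (inside-initiated traffic passes the firewall, outsiders reach only the published DMZ service, and a DMZ host can never open a connection into the LAN, which is what stops a compromised web server reaching the database), modelled as a small stateful filter. This is an added example, not code from the post or the list; the 192.0.2.0/24 DMZ range, the 10.0.0.0/8 internal range and every address used are constructed.

```python
import ipaddress

# Zones from the thread's ascii diagram. The address ranges are constructed for
# this example; the post gives no addresses.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),    # web server and other bastion hosts
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # the internal LAN
}
PUBLISHED_DMZ_PORTS = {80}  # the only service outsiders may open to the DMZ

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def permits_initiation(src_zone, dst_zone, dport):
    """Policy for the first packet of a connection, as the post lays it out:
    inside-initiated passes; outsiders reach only published DMZ services; all else,
    including a DMZ host opening a connection to the LAN, is dropped."""
    if src_zone == "internal":
        return True
    if src_zone == "internet" and dst_zone == "dmz":
        return dport in PUBLISHED_DMZ_PORTS
    return False

class StatefulFilter:
    """Connection-tracking filter: a flow admitted on its SYN stays admitted in both
    directions; a packet with no tracked flow is judged by policy only if it starts one."""
    def __init__(self):
        self.established = set()

    def packet(self, src, sport, dst, dport, syn):
        flow = frozenset({(src, sport), (dst, dport)})
        if flow in self.established:
            return "ALLOW"   # reply to, or continuation of, an admitted connection
        if not syn:
            return "DROP"    # no state for this flow and it is not a new connection
        if permits_initiation(zone_of(src), zone_of(dst), dport):
            self.established.add(flow)
            return "ALLOW"
        return "DROP"

if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.packet("203.0.113.5", 40000, "192.0.2.10", 80, True))   # outsider -> web server: ALLOW
    print(fw.packet("192.0.2.10", 50000, "10.0.0.30", 3306, True))   # web server -> internal DB: DROP
```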


