Firewall Wizards mailing list archives

Re: New one: Securing an HTTP server


From: cschieke () advsys com (Chad Schieken)
Date: Thu, 3 Sep 1998 11:34:47 -0400 (EDT)



If I were you I might do something like this:

User---> Netscape Proxy (in "reverse" mode) ----> Cisco Pix --->Router--->
corporate http server


The Netscape proxy supports a feature that will allow the proxy to act
like it's the corporate webserver (but under a different name). So
this is preferable to using an outside webserver, 'cause this means
mgmt is kept to a minimum. For performance make use of the Netscape
proxy cache (on fast disks, striped). For added security you could use
SSL at any point:

User --ssl-->  proxy ---ssl----> corporate http
User --ssl-->  proxy ---http---> corporate http
User --http->  proxy ---ssl----> corporate http

Make sure the Cisco PIX is doing NAT (no reason to expose internal
network routing information). Also, not sure what you mean by "private
network"? The link from the ISP to your company?

later...
chad



From: Firewalls <Firewalls () exchange ware net>
To: firewall-wizards () nfr net
Subject: New one: Securing an HTTP server
Date: Wed, 2 Sep 1998 11:29:08 -0700 

Turns out the ftp is out and HTTP is in. 

Basically we want to serve confidential documents to end user internet
customers.

SSL encryption will be used, however we need to pull the documents off a
"server" inside our corporate network.

I'd like recommendations on the "best way" to serve these files without
exposing the inside server.

Here's a simple drawing of what we are considering:

User ----> Public HTTP Server (colocation provider)----> Private Network
---> Cisco PIX ---> Corporate HTTP Server

Specifically I'm looking for recommendations on the proxy code for the
public server, Unix or NT is acceptable.

TIA,




