Firewall Wizards mailing list archives

RE: NAT


From: Tommy Ward <tommy () securify com>
Date: Wed, 28 Jul 1999 10:07:37 -0700

At 11:45 AM 7/27/99 -0400, you wrote:
...snip... We are going to put a public web server behind the
firewall.

Why?


This should all be true.  Again, my only question remains "why do you want
to put a public webserver inside your firewall?"  Other than that, it all
seems like it should work.


Depending on the firewall used, the web server application and platform
used, and the skills of the people doing the implementation, it may be
easier to protect the web server by network controls (i.e. firewall) than
by hardening the web server.  A good example of a difficult-to-button-down
web server would be IIS, obviously on NT.  It makes sense to
me to restrict public access to all of the NBT ports.  Really, I'd just
want to allow access for HTTP and HTTPS, if those are both
used.

Sean is correct in that putting a public access server
on the trusted network inside the firewall is not a good idea. If this
server gets compromised, you don't want it to be on the inside of
the firewall where the attacker can easily get to your private network
resources.  That is why we have service networks. I believe all of
the commercial firewalls support at least a 3rd interface, and of
course if you are building your own you just need to define this
interface with a restricted set of filters.  On a high volume site
a dual-homed firewall approach may not support the traffic, but
if the Internet access is a T1 or two, any high end Intel box should
work.

...Tommy
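
Added example, not part of the original message: the three-interface "service network" layout described above, written as an nftables forward policy for a self-built Linux firewall. The interface names, the table name, the web server address (a documentation address) and the choice to let the inside network open connections outward are all assumptions made for illustration.

```nft
# Constructed example: every name and address below is an assumption.
define IF_OUT = "eth0"       # Internet-facing interface
define IF_IN  = "eth1"       # trusted internal network
define IF_DMZ = "eth2"       # service network holding the public web server
define WEB    = 192.0.2.10   # web server (RFC 5737 documentation address)

table inet service_net_example {
    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that an earlier rule allowed.
        ct state established,related accept
        ct state invalid drop

        # Internet -> web server: HTTP and HTTPS only.
        iifname $IF_OUT oifname $IF_DMZ ip daddr $WEB tcp dport { 80, 443 } ct state new accept

        # NBT ports (137-139) would fall to the default drop anyway;
        # logging them separately makes probes against them visible.
        iifname $IF_OUT oifname $IF_DMZ tcp dport 137-139 log prefix "nbt-to-dmz " drop
        iifname $IF_OUT oifname $IF_DMZ udp dport 137-139 log prefix "nbt-to-dmz " drop

        # Inside -> Internet and inside -> service network (assumed policy).
        iifname $IF_IN oifname { $IF_OUT, $IF_DMZ } ct state new accept

        # Service network -> inside: no new connections, so a compromised
        # web server has no direct path to private resources. Logged so
        # that any attempt shows up.
        iifname $IF_DMZ oifname $IF_IN log prefix "dmz-to-inside " drop

        # Service network -> Internet is not opened here; add narrow rules
        # only if the server needs outbound services such as DNS.
    }
}
```

Because the chain's policy is drop, the explicit NBT and service-network rules change nothing about what is allowed; they exist only to produce log entries.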


