Firewall Wizards mailing list archives
RE: NAT
From: Tommy Ward <tommy () securify com>
Date: Wed, 28 Jul 1999 10:07:37 -0700
At 11:45 AM 7/27/99 -0400, you wrote:
...snip... We are going to put a public web server behind the firewall. Why? This should all be true. Again, my only question remains "why do you want to put a public webserver inside your firewall?" Other than that, it all seems like it should work.
Depending on the firewall used, the web server application and platform used, and the skills of the people doing the implementation, it may be easier to protect the web server by network controls (i.e. firewall) than by hardening the web server. A good example of a difficult-to-button-down web server would be IIS, obviously on NT. It makes sense to me to restrict public access to all of the NBT ports. Really, I'd just want to allow access for HTTP and HTTPS, if those are both used.

Sean is correct in that putting a public access server on the trusted network inside the firewall is not a good idea. If this server gets compromised, you don't want it to be on the inside of the firewall where the attacker can easily get to your private network resources. That is why we have service networks. I believe all of the commercial firewalls support at least a 3rd interface, and of course if you are building your own you just need to define this interface with a restricted set of filters.

On a high volume site a dual-homed firewall approach may not support the traffic, but if the Internet access is a T1 or two, any high-end Intel box should work.

...Tommy
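
The service-network layout described in this message, as an added example that is not part of the original post: a small Python model of a first-match, default-deny filter on a three-interface firewall, with checks for the points the message makes. The zone names, addresses and rule layout are assumptions made for illustration.

```python
# Added illustration: first-match, default-deny filter on a 3-interface firewall.
# Zone names, addresses and the rule layout are assumptions, not from the post.
from ipaddress import ip_address, ip_network

ZONES = {  # constructed sample addressing
    "inside": ip_network("10.0.0.0/24"),
    "service": ip_network("192.168.100.0/24"),
}
WEB = "192.168.100.10"      # hypothetical public web server
INTERNAL = "10.0.0.20"      # hypothetical private file server
CLIENT = "203.0.113.5"      # constructed Internet client

def zone_of(addr):
    """Map an address to its zone; anything unlisted is the Internet."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return "outside"

# (src_zone, dst_zone, dst_host or None, proto or None, ports or None)
ALLOW = [
    ("outside", "service", WEB, "tcp", {80, 443}),  # HTTP and HTTPS only
    ("inside", "service", None, "tcp", None),       # assumed admin access
    ("inside", "outside", None, None, None),        # assumed outbound access
]

def decide(src, dst, proto, dport):
    """Return 'allow', 'deny', or 'unfiltered' for a new connection."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "unfiltered"  # same segment: the firewall never sees it
    for r_sz, r_dz, host, r_proto, ports in ALLOW:
        if ((r_sz, r_dz) == (sz, dz) and host in (None, dst)
                and r_proto in (None, proto) and (ports is None or dport in ports)):
            return "allow"
    return "deny"

def audit():
    """Return the names of any expectations the rule set fails."""
    checks = {
        "HTTP to web server": decide(CLIENT, WEB, "tcp", 80) == "allow",
        "HTTPS to web server": decide(CLIENT, WEB, "tcp", 443) == "allow",
        "NBT session (tcp/139) blocked": decide(CLIENT, WEB, "tcp", 139) == "deny",
        "NBT name service (udp/137) blocked": decide(CLIENT, WEB, "udp", 137) == "deny",
        "web server cannot reach inside": decide(WEB, INTERNAL, "tcp", 139) == "deny",
        "Internet cannot reach inside": decide(CLIENT, INTERNAL, "tcp", 80) == "deny",
    }
    return [name for name, ok in checks.items() if not ok]
```

If the web server is given an inside address instead, `decide("10.0.0.10", INTERNAL, "tcp", 139)` returns `"unfiltered"`: its traffic to private hosts never crosses the firewall, which is the exposure the message warns about.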