RE: medical records, web server, & stateful firewall vs packet filter

["Paul Melson" <pmelson () gmail com>]

-----Original Message-----
Subject: [fw-wiz] medical records, web server, & stateful firewall vs packet
filter

> My question at this point is: am I making a mistake by placing a stateful
firewall between 
> the webserver and the Internet?  Maybe a simple packet filter would be
less prone to DoS 
> attacks. I could stick a Cisco 2800 there instead. I have always believed
that a stateful 
> firewall device like a PIX or ASA 5500 would offer better overall
protection than a packet 
> filter (I need to limit access to the image and SQL servers too), but some
feedback I've 
> received recently is causing me to question this assumption.

I think you're off-target to be worrying about DoS attacks over attacks that
lead to the compromise of this system or disclosure of data contained within
(especially because healthcare data is regulated/protected in many
countries).  I think you're also relying too heavily on the  web server and
the web app to be secure, which they probably aren't.  And since the web app
has access to the SQL database and the image files you're trying to protect,
it's likely to be your soft spot.  Layer 3 filters are useful out front and
between the front-end and back-end servers, but they're just a start.  You
need to look at application security either through app testing and
assurance or through some sort of protective reverse proxy.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards