Firewall Wizards mailing list archives

Re: medical records, web server, & stateful firewall vs packet filter

From: "Adam Greene" <maillist () webjogger net>
Date: Fri, 18 Nov 2005 09:38:40 -0500

Paul and Jeff,

Thanks to both of you for your responses, which I found very useful. Paul,
you're right of course that focusing on firewalls and packet filters will be
close to useless if there is no application-level security. And the DoS
concerns are secondary to preventing system compromise. In general what I'm
getting from the feedback which you and others have provided is that the DoS
issues really are secondary at this point.

thanks again,
Adam

----- Original Message ----- 
From: "Paul Melson" <pmelson () gmail com>
To: "'Adam Greene'" <maillist () webjogger net>;
<firewall-wizards () honor icsalabs com>
Sent: Thursday, November 10, 2005 4:35 PM
Subject: RE: [fw-wiz] medical records, web server, & stateful firewall vs
packet filter

-----Original Message-----
Subject: [fw-wiz] medical records, web server, & stateful firewall vs

packet

filter

My question at this point is: am I making a mistake by placing a

stateful

firewall between

the webserver and the Internet?  Maybe a simple packet filter would be

less prone to DoS

attacks. I could stick a Cisco 2800 there instead. I have always

believed

that a stateful

firewall device like a PIX or ASA 5500 would offer better overall

protection than a packet

filter (I need to limit access to the image and SQL servers too), but

some

feedback I've

received recently is causing me to question this assumption.


I think you're off-target to be worrying about DoS attacks over attacks

that

lead to the compromise of this system or disclosure of data contained

within

(especially because healthcare data is regulated/protected in many
countries).  I think you're also relying too heavily on the  web server

and

the web app to be secure, which they probably aren't.  And since the web

app

has access to the SQL database and the image files you're trying to

protect,

it's likely to be your soft spot.  Layer 3 filters are useful out front

and

between the front-end and back-end servers, but they're just a start.  You
need to look at application security either through app testing and
assurance or through some sort of protective reverse proxy.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection

System]


---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

medical records, web server, & stateful firewall vs packet filter Adam Greene (Nov 10)
- RE: medical records, web server, & stateful firewall vs packet filter Paul Melson (Nov 17)
  - Re: medical records, web server, & stateful firewall vs packet filter Adam Greene (Nov 22)