WebApp Sec mailing list archives

Re: What is more secure?


From: Alvin Oga <alvin.sec () Virtual Linux-Sec net>
Date: Sun, 27 Feb 2005 14:55:22 -0800


hi ya tomas

On Thu, Feb 24, 2005 at 11:05:08AM +0200, Tomas wrote:

> I'd like to ask you, as guys who know a lot of about security, this
> question: what is more secure when dealing with web servers and public ips.
> Is it more secure to give all of your public ips directly to a web server
> and filter traffic with firewall, or is it better to give all public ips to
> a firewall and only redirect http and https ports to internal web server?

which is more secure ... neither ... it depends on the rest of the
system and network config  and how you use the servers

some people's firewall is uselessly insecure, since it allows all the
traffic from everywhere/anywhere into the servers it's trying to protect

if your firewall is say PIX or checkpoint, it'd probably be more secure
if it's properly configured ( less things it can do wrong, other than
you turning everything to be allowed )

if the firewall is linux or *bsd based, it'd probably be just as insecure
as your linux based webserver, though *bsd fw will be more secure than linux
using the same set of firewall rules

the problem is you will need to harden your webserver and linux-based firewall
and if your customers are ecommerce websites, you should hire professional
security folks with liability insurance to fix the problems per your budget
and specs 

if the website can go down for a day or two and no loss of personal data,
then it doesn't matter if it gets hacked, just need to learn why/how they got in

lots of issues .. there is no clear answer of which is more secure

a system is more secure if it is secure by itself and does NOT depend on
a firewall .. and you have data stored ( backed up ) at least 3 other places

a network is more secure if you assume that the hacker/cracker is inside
your network, in the firewall, and you protect your remaining servers
and protect your data, knowing the cracker is inside your network

how you make things secure, depends on how you allow data to be moved
from one machine to another

c ya
alvin
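The two configurations the thread contrasts, as an added example that is not part of the original post or of anything Alvin or Tomas wrote: Tomas's proposed setup (all public IPs on a Linux firewall, only HTTP and HTTPS DNATed to an internal web server) next to the "allows all traffic from everywhere" firewall Alvin warns about. Applying iptables rules needs root, so instead of a shell script this is a small Python auditor that reads `iptables-save` output offline and reports default policies, which ports are forwarded inward, and any unrestricted forward or DNAT. Both rulesets and the addresses in them (203.0.113.10 on the outside, 10.0.0.5 inside) are constructed for illustration; the `audit` function and `Audit` class are names assumed here, not from any tool.

```python
"""Audit an iptables-save dump for default-deny policy and port-restricted forwarding."""
import re
from dataclasses import dataclass, field

# Constructed sample: the "uselessly insecure" firewall. Policies are ACCEPT and
# the DNAT forwards every protocol and port on the public IP to the web server.
INSECURE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10 -j DNAT --to-destination 10.0.0.5
COMMIT
"""

# Constructed sample: default-deny on INPUT and FORWARD, replies allowed by
# connection state, and only TCP 80/443 DNATed and forwarded to 10.0.0.5.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 10.0.0.5 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.5
COMMIT
"""

PORT_RE = re.compile(r"--dports?\s+([\d,:]+)")  # matches --dport N and --dports a,b,lo:hi


@dataclass
class Audit:
    policies: dict                       # (table, chain) -> default policy
    forwarded_ports: set                 # destination ports DNATed to the inside
    findings: list = field(default_factory=list)


def _ports(rule):
    """Return the set of destination ports a rule names, or None if it is unrestricted."""
    m = PORT_RE.search(rule)
    if not m:
        return None
    ports = set()
    for p in m.group(1).split(","):
        if ":" in p:                     # port range such as 8000:8080
            lo, hi = map(int, p.split(":"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(p))
    return ports


def audit(dump):
    """Parse iptables-save text and flag the allow-everything patterns."""
    table, policies, rules = None, {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):                    # chain header with default policy
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):                  # a rule appended to a chain
            rules.append((table, line.split()[1], line))

    result = Audit(policies, set())
    for tc in (("filter", "INPUT"), ("filter", "FORWARD")):
        if policies.get(tc) != "DROP":
            result.findings.append("%s/%s policy is %s, not DROP" % (tc[0], tc[1], policies.get(tc)))
    for table, chain, rule in rules:
        if table == "nat" and "-j DNAT" in rule:
            ports = _ports(rule)
            if ports is None:
                result.findings.append("unrestricted DNAT: " + rule)
            else:
                result.forwarded_ports |= ports
        # An ACCEPT in FORWARD with neither a port match nor a state match lets anything through.
        if table == "filter" and chain == "FORWARD" and "-j ACCEPT" in rule:
            if _ports(rule) is None and "--state" not in rule:
                result.findings.append("FORWARD accepts without port restriction: " + rule)
    extra = result.forwarded_ports - {80, 443}
    if extra:
        result.findings.append("ports other than 80/443 forwarded inward: %s" % sorted(extra))
    return result


if __name__ == "__main__":
    for name, dump in (("insecure", INSECURE_DUMP), ("hardened", HARDENED_DUMP)):
        r = audit(dump)
        print(name, "forwarded:", sorted(r.forwarded_ports), "findings:", r.findings or "none")
```

Run it against `iptables-save` output from a real box to see which of Alvin's two cases the box is in: the hardened dump produces no findings and reports only 80 and 443 forwarded, while the insecure dump is flagged three times (two ACCEPT policies and a DNAT with no port or protocol match). It checks the firewall only; per the rest of the reply, the web server behind it still has to be hardened as if the firewall were not there.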

