Firewall Wizards mailing list archives
Re: Web server inside the firewall
From: Steve George <steve () po i-way co uk>
Date: Wed, 2 Dec 1998 09:59:37 GMT
Hi,

I'm sure someone has replied by now but anyway...

1) Try Gauntlet-users () rmsbus com list since I am sure there will be people who have done this.

2) For implementation place a HTTP proxy on the external interface which is only mapped to the IP of the web server. So people will connect to the external interface of the FW but the content will be from the web server.

3) Pros & Cons:

- This is an horrifically bad idea. Your current set-up sounds reasonably easy to secure as it's deny everything incoming, particularly if you've disabled inbound access to the FW IP at the external border router for belts and braces.

With the new setup you will have incoming traffic through the FW so will need to be 100% sure the configuration is secure. Additionally, you will need to make sure the web server is secure ie CGI's, databases etc. I'll show my personal bias here and say that it sounds extremely unlikely that IIS & NT4 can be made secure.

In essence you will be further complicating your trust relationships and once a cracker is within the LAN s/he can use the trust relationships to fully compromise it.

If you require database access for the web site then it would probably be better to use a proxy through the FW. Gauntlet comes with a number of these. You should probably consider an encrypted authenticated tunnel between the internal database and the DMZ web server - depending on the security requirements for your site.

One other option, if the access to the database is only read, would be to ftp a copy of the dbase onto the web server at various times of the day.

Hope this helps,

Steve

---Reply to mail from Kevin Tyrrell about Web server inside the firewall
We are running a Gauntlet 4.1 firewall. We allow FTP and HTTP originating from the inside. We have also created a POP3 plug from inside to a local ISP. We don't allow any traffic originating from the outside.

I have been getting pressure lately to have a web server moved from the DMZ to behind the firewall. The reasoning is this will make it easier to access databases on our internal network. The web server is IIS 4 on NT 4.0+SP3 with FrontPage extensions. The firewall is in its own subnet.

What ports need to be opened to make this work? What do people feel about this type of configuration? Pros and Cons?

Thanks,

Kevin Tyrrell
---End reply