Firewall Wizards mailing list archives

Re: Web server inside the firewall


From: Steve George <steve () po i-way co uk>
Date: Wed, 2 Dec 1998 09:59:37 GMT

Hi,

I'm sure someone has replied by now but anyway......
1)  Try Gauntlet-users () rmsbus com list since I am sure there will be
people who have done this.
2)  For implementation place a HTTP proxy on the external interface
which is only mapped to the IP of the web server.  So people will connect
to the external interface of the FW but the content will be from the web
server.
3)  Pros & Cons:
    - This is a horrifically bad idea.  Your current set-up sounds
reasonably easy to secure as it's deny everything incoming, particularly
if you've disabled inbound access to the FW IP at the external border
router for belts and braces.  With the new
setup you will have incoming traffic through the FW so will need to be
100% sure the configuration is secure.  Additionally, you will need to
make sure the web server is secure, i.e. CGIs, databases etc.  I'll show my
personal bias here and say that it sounds extremely unlikely that IIS &
NT4 can be made secure.  In essence
you will be further complicating your trust relationships and once a
cracker is within the LAN s/he can use the trust relationships to fully
compromise it.

If you require database access for the web site then it would probably be
better to use a proxy through the FW.  Gauntlet comes with a number of
these.  You should probably consider an encrypted authenticated tunnel
between the internal database and the DMZ web server - depending on the
security requirements for your site.  One other option, if the access to
the database is only read, would be to ftp a copy of the dbase onto the
web server at various times of the day.

Hope this helps,

Steve


---Reply to mail from Kevin Tyrrell about Web server inside the firewall
We are running a Gauntlet 4.1 firewall. We allow FTP and HTTP originating from
the inside. We have also created a POP3 plug from inside to a local ISP. We
don't allow any traffic originating from the outside.

I have been getting pressure lately to have a web server moved from the DMZ to
behind the firewall. The reasoning is this will make it easier to access
databases on our internal network. 

The web server is IIS 4 on NT 4.0+SP3 with FrontPage extensions. The firewall
is in its own subnet. What ports need to be opened to make this work? 

What do people feel about this type of configuration. Pros and Cons?

Thanks,

Kevin Tyrrell



---End reply
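Added example (not from Steve's or Kevin's mail, and not Gauntlet's own code): a single-backend HTTP relay of the kind point 2 in Steve's reply describes, written in Python. It listens on the firewall's external interface and can only ever hand traffic to the one web server; vet_request() is the security-relevant part, refusing anything that would turn the relay into a general proxy into the LAN (CONNECT, absolute URIs or Host headers naming other hosts, unexpected methods, malformed or oversized request heads), which is the failure mode that makes "incoming traffic through the FW" dangerous. PUBLISHED_HOST, BACKEND (a TEST-NET address), the listening port and the request heads used to exercise it are assumptions made up for the example.

```python
# Added example: single-backend HTTP relay for a firewall's external interface.
# PUBLISHED_HOST, BACKEND and LISTEN are assumed values, not from the thread.
import socket
import threading
from urllib.parse import urlsplit

PUBLISHED_HOST = "www.example.com"  # assumed: the name outsiders connect to
BACKEND = ("192.0.2.10", 80)        # assumed: the only permitted web server
LISTEN = ("0.0.0.0", 8080)          # assumed: external interface and port
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Hop-by-hop headers are dropped so the client cannot negotiate keep-alive or
# upgrades with the relay; the body is relayed byte-for-byte.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "upgrade"}
MAX_HEAD = 8192


class Reject(Exception):
    """Raised by vet_request() with a short reason for the refusal."""


def vet_request(head: bytes) -> bytes:
    """Parse an HTTP/1.x request head; return the head to send to BACKEND or
    raise Reject.  Only "/path" targets and absolute URIs naming
    PUBLISHED_HOST are accepted, and exactly one matching Host header."""
    lines = head.decode("iso-8859-1").partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise Reject("malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:  # CONNECT, TRACE, PUT, ... refused
        raise Reject("method not allowed: " + method)
    if target.startswith("/"):
        path = target
    else:  # absolute-form target: only acceptable if it names our own host
        u = urlsplit(target)
        if u.scheme != "http" or (u.hostname or "").lower() != PUBLISHED_HOST:
            raise Reject("absolute URI for a host other than the web server")
        path = (u.path or "/") + ("?" + u.query if u.query else "")
    hosts, headers = [], []
    for line in lines[1:]:
        if ":" not in line or line[0] in " \t":  # also rejects obs-fold
            raise Reject("malformed header line")
        name, value = (s.strip() for s in line.split(":", 1))
        if name.lower() == "host":
            hosts.append(value)
        elif name.lower() not in HOP_BY_HOP:
            headers.append((name, value))
    if len(hosts) != 1:
        raise Reject("expected exactly one Host header")
    if hosts[0].lower().split(":")[0] != PUBLISHED_HOST:
        raise Reject("Host header does not name the web server")
    out = ["%s %s %s" % (method, path, version), "Host: " + hosts[0]]
    out += ["%s: %s" % (n, v) for n, v in headers]
    out.append("Connection: close")  # one request per connection, then close
    return ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1")


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(16384)
            if not data:
                break
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle(client):
    with client:
        client.settimeout(30)
        buf = b""
        while b"\r\n\r\n" not in buf:  # read only the head, size-bounded
            chunk = client.recv(4096)
            if not chunk or len(buf) + len(chunk) > MAX_HEAD:
                return
            buf += chunk
        head, _, body = buf.partition(b"\r\n\r\n")
        try:
            forward = vet_request(head + b"\r\n\r\n")
        except Reject:  # say nothing useful to the outside
            client.sendall(b"HTTP/1.0 403 Forbidden\r\nConnection: close\r\n\r\n")
            return
        with socket.create_connection(BACKEND, timeout=30) as backend:
            backend.sendall(forward + body)  # body bytes read along with the head
            threading.Thread(target=_pump, args=(client, backend), daemon=True).start()
            _pump(backend, client)


def serve():
    with socket.socket() as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(LISTEN)
        ls.listen(16)
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

vet_request() can be exercised offline by feeding it raw request heads: a plain "GET / HTTP/1.1" with the published Host goes through with hop-by-hop headers stripped and "Connection: close" added, while CONNECT, "GET http://10.0.0.5/..." or a Host header for some other internal name all come back as 403. Note what this does not do: it says nothing about the CGIs and database access Steve warns about, which is exactly why the web server itself still belongs in the DMZ.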