Firewall Wizards mailing list archives
Re: Web server inside the firewall
From: "James Conley" <conley () enteka com>
Date: Wed, 2 Dec 1998 14:05:20 -0800
I'd suggest going to a three-legged firewall and putting it on the "gray" leg. I do think you should be able to log attacks directed toward your web server, since while it is the most dangerous machine on the network (agreed), it is also one of the most important to keep running.

If you can't do that, I'd follow this: If you don't store anything important or confidential on your web server, I would try to keep it outside. If you store anything important (and especially if you do any sort of credit card storage) then move it inside.

--
James Conley
Enteka - Enterprise Technology Services
www.enteka.com

-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Kevin Tyrrell <tyrrell () i2k com>
Cc: Firewall Wizards <firewall-wizards () nfr net>
Date: Wednesday, December 02, 1998 1:49 PM
Subject: Re: Web server inside the firewall

> "Kevin Tyrrell" writes:
> > I have been getting pressure lately to have a web server moved from the DMZ to behind the firewall. The reasoning is this will make it easier to access databases on our internal network.
> > [...]
> > What do people feel about this type of configuration? Pros and Cons?
>
> I'm always stunned by such "reasoning". The most dangerous machine on your network is your web server. It is probably the easiest machine on the network to break in to -- bugs in CGI and similar stuff are discovered at a breathtaking rate. If the function of the firewall is to protect you from the outside, then bringing the web server inside will eliminate the point of the firewall entirely.
>
> Oh, and by the way: deciding to "fix" this by putting the machine on the outside of the network and then giving it full access to your database (say, via SQL over the net) is equally silly, since the bad guys will then have all the sorts of access the web server has as soon as they break in (which they will one day).
>
> Perry
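The three-legged layout suggested in this message, with the caveat from the quoted reply about database access, can be written down as a first-match policy and audited. This is an added example, not part of the original thread; the addresses, the port numbers and the names `zone_of`, `decide` and `audit` are all constructed for illustration.

```python
# Added illustration: first-match policy for a three-legged firewall.
# Every address, port and name below is constructed for this example.
from ipaddress import ip_address, ip_network

ZONES = {
    "inside": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.50.0/24"),  # the "gray" leg
}
WEB = ip_address("192.168.50.10")  # hypothetical web server
DB = ip_address("10.0.0.20")       # hypothetical internal database

def zone_of(addr):
    """Map an address to its firewall leg; anything unknown is outside."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"

# (src zone, dst zone, dst host or None, dst port or None, action, log)
RULES = [
    ("outside", "dmz", WEB, 80, "allow", True),   # public web, logged
    ("dmz", "inside", DB, 1521, "allow", True),   # one host, one port only
    ("inside", "dmz", None, None, "allow", False),
    ("inside", "outside", None, None, "allow", False),
]

def decide(src, dst, port, rules=RULES):
    """Return (action, log) for a new connection; default is a logged deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for r_sz, r_dz, host, r_port, action, log in rules:
        if ((r_sz, r_dz) == (sz, dz)
                and host in (None, ip_address(dst))
                and r_port in (None, port)):
            return action, log
    return "deny", True

def audit(rules):
    """Flag allow rules that recreate the two setups criticised in the thread."""
    findings = []
    for sz, dz, host, port, action, _ in rules:
        if action != "allow":
            continue
        if (sz, dz) == ("outside", "inside"):
            findings.append("outside reaches inside directly")
        if (sz, dz) == ("dmz", "inside") and (host is None or port is None):
            findings.append("dmz has unrestricted access to inside")
    return findings
```
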