Firewall Wizards mailing list archives

Re: Web server inside the firewall


From: "James Conley" <conley () enteka com>
Date: Wed, 2 Dec 1998 14:05:20 -0800

I'd suggest going to a three-legged firewall and put it on the "gray" leg.
I do think you should be able to log attacks directed toward your web server
since while it is the most dangerous machine on the network (agreed), it is
also one of the most important to keep running.

If you can't do that I'd follow this:

    If you don't store anything important or confidential on your web
server, I would try to keep it outside.  If you store anything important
(and especially if you do any sort of credit card storage) then move it
inside.

--
James Conley
Enteka - Enterprise Technology Services
www.enteka.com
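To make the three-legged layout above concrete, here is an added example (not code from the thread or from Enteka) that models the firewall policy such a design implies and checks what traffic each leg is allowed to originate. The addresses, the database port and the publishing port are constructed for illustration; the point is that the web server on the "gray" leg gets exactly one path inward, every other inward attempt from that leg is denied and logged, and the internet never reaches the internal leg directly.

```python
"""Toy first-match policy for a three-legged firewall: internet / DMZ / internal.

Added example, not from the original thread. All hosts, networks and ports
are constructed values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Constructed addressing for the three legs; the DMZ is the "gray" leg.
# The catch-all internet entry is last so that specific zones match first.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
    "internet": ip_network("0.0.0.0/0"),
}
WEB_SERVER = ip_address("192.0.2.10")   # constructed
DB_SERVER = ip_address("10.10.5.20")    # constructed
DB_PORT = 1433                          # assumed database listener port
PUBLISH_PORT = 22                       # assumed admin/publishing port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: Optional[IPv4Address]  # None matches any host in src_zone
    dst_host: Optional[IPv4Address]  # None matches any host in dst_zone
    port: Optional[int]              # None matches any port
    action: str                      # "allow" or "deny"
    log: bool


# First match wins, so the narrow allows precede the zone-wide denies.
POLICY = [
    # Public web service on the gray leg, logged so attacks on it are visible.
    Rule("internet", "dmz", None, WEB_SERVER, 80, "allow", True),
    Rule("internet", "dmz", None, WEB_SERVER, 443, "allow", True),
    # The web server may reach exactly one internal host on one port.
    Rule("dmz", "internal", WEB_SERVER, DB_SERVER, DB_PORT, "allow", True),
    # Anything else from the gray leg inward looks like a pivot: deny and log.
    Rule("dmz", "internal", None, None, None, "deny", True),
    # The internet never reaches the internal leg directly.
    Rule("internet", "internal", None, None, None, "deny", True),
    # Staff on the internal leg may push content to the web server.
    Rule("internal", "dmz", None, WEB_SERVER, PUBLISH_PORT, "allow", False),
]
DEFAULT = Rule("*", "*", None, None, None, "deny", True)


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its leg; dict order puts the catch-all last."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"no zone for {addr}")


def evaluate(src: str, dst: str, port: int) -> Tuple[str, bool]:
    """Return (action, log) for a flow, using first-match semantics."""
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    for rule in POLICY:
        if rule.src_zone != sz or rule.dst_zone != dz:
            continue
        if rule.src_host is not None and rule.src_host != s:
            continue
        if rule.dst_host is not None and rule.dst_host != d:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action, rule.log
    return DEFAULT.action, DEFAULT.log


def reachable_from(src: str, candidates: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Blast radius: which (host, port) pairs a compromised `src` can reach."""
    return sorted((dst, port) for dst, port in candidates
                  if evaluate(src, dst, port)[0] == "allow")


if __name__ == "__main__":
    internal_targets = [("10.10.5.20", 1433), ("10.10.5.20", 445),
                        ("10.10.7.7", 1433), ("10.10.7.7", 445)]
    print("client -> web:80    ", evaluate("203.0.113.5", "192.0.2.10", 80))
    print("web -> db:1433      ", evaluate("192.0.2.10", "10.10.5.20", 1433))
    print("web -> other:1433   ", evaluate("192.0.2.10", "10.10.7.7", 1433))
    print("internet -> db:1433 ", evaluate("203.0.113.5", "10.10.5.20", 1433))
    print("owned web server can reach:", reachable_from("192.0.2.10", internal_targets))
```

The `reachable_from` check is the useful part when arguing about placement: run it with the web server's address and it shows what an attacker who owns that box inherits, which is the concern raised in the quoted reply about giving the web server broad database access.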


-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Kevin Tyrrell <tyrrell () i2k com>
Cc: Firewall Wizards <firewall-wizards () nfr net>
Date: Wednesday, December 02, 1998 1:49 PM
Subject: Re: Web server inside the firewall
"Kevin Tyrrell" writes:
I have been getting pressure lately to have a web server moved from the
DMZ to behind the firewall. The reasoning is this will make it easier to
access databases on our internal network.
[...]
What do people feel about this type of configuration? Pros and cons?

I'm always stunned by such "reasoning".

The most dangerous machine on your network is your web server. It is
probably the easiest machine on the network to break in to -- bugs in
CGI and similar stuff are discovered at a breathtaking rate.

If the function of the firewall is to protect you from the outside,
then bringing the web server inside will eliminate the point of the
firewall entirely.

Oh, and by the way: deciding to "fix" this by putting the machine on
the outside of the network and then giving it full access to your
database (say, via SQL over the net) is equally silly, since the bad
guys will then have all the sorts of access the web server has as soon
as they break in (which they will one day).

Perry
