Firewall Wizards mailing list archives

Re: Web server inside the firewall


From: Arian Hormozi <arianh () webtrends com>
Date: Wed, 02 Dec 1998 15:13:06 -0800



        It never ceases to amaze me how many times network admins get pressured to compromise the security of the 
network because someone else thinks "it's too time consuming/complicated" to do something. If I were you I'd go on a 
tirade filled with all sorts of buzzwords and doom and gloom about the horrible security risks and how you could end up 
as an IBM commercial or something. Fear is always a great motivator for !clue people to leave you be. :)

-Arian
 

At 07:17 PM 12/1/98 -0500, you wrote:

"Kevin Tyrrell" writes:
I have been getting pressure lately to have a web server moved from the
DMZ to behind the firewall. The reasoning is this will make it easier to
access databases on our internal network.
[...]
What do people feel about this type of configuration? Pros and Cons?

I'm always stunned by such "reasoning".

The most dangerous machine on your network is your web server. It is
probably the easiest machine on the network to break in to -- bugs in
CGI and similar stuff are discovered at a breathtaking rate.

If the function of the firewall is to protect you from the outside,
then bringing the web server inside will eliminate the point of the
firewall entirely.

Oh, and by the way: deciding to "fix" this by putting the machine on
the outside of the network and then giving it full access to your
database (say, via SQL over the net) is equally silly, since the bad
guys will then have all the sorts of access the web server has as soon 
as they break in (which they will one day).

Perry



