Firewall Wizards mailing list archives

RE: secure host or firewall


From: "Biggerstaff, Craig T" <Craig.T.Biggerstaff () USAHQ UnitedSpaceAlliance com>
Date: Fri, 11 Dec 1998 15:01:09 -0600

If you secure the web and mail host, you're limiting the avenues of attack
*to that host only* to attacks against the OS kernel and the daemons that
are listening on the desired ports.  But you're not doing anything to secure
any other host on your network.

If you use a firewall with your web and mail host behind it, then you have
the same avenues of attack to that host, and you have some temporary
additional protection for the internal network.  But, if an attacker
compromises the one host, the attacker then has full access to the rest of
your internal network.

The best way is to use a firewall with your web and mail host outside it, so
that if it is compromised, the firewall still protects your internal
network.  This can be done with a leftover Pentium and freely available
tools for very little material cost, so lack of funding is not much
justification for leaving your internal network bare to the Internet.


-- Craig Biggerstaff
craig () blkbox com

----------
From:         Neil Ratzlaff[SMTP:Neil.Ratzlaff () ucop edu]
Sent:         Thursday, December 10, 1998 4:37 PM
To:   firewall-wizards () nfr net
Subject:      secure host or firewall

We have a machine that is used as a public web server, mail server, and a
few more things.  Am I better off securing the host by only listening to
the desired ports, or using a firewall to allow only those ports through to
the host?  I know the obvious answer is both, but what are the pros and
cons of one versus the other if I can do only one?

Thanks for any advice
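
Added example, not part of the original messages: a small Python model of the three placements compared in the reply above, computing what is reachable from the Internet and from the public host itself in each design. The host names, the internal hosts' ports, and the assumption that the firewall passes no inbound connections other than those listed are constructed for illustration.

```python
# Added illustration. Host names and internal ports are constructed.
LISTENING = {
    "webmail": {25, 80},          # public host, only the desired ports open
    "fileserver": {139, 2049},    # internal hosts, not hardened
    "workstation": {23, 139},
}
PUBLIC = "webmail"
INTERNAL = {"fileserver", "workstation"}

# "inside" = hosts behind the firewall; "permit" = (host, port) pairs that
# connections arriving from outside the firewall are allowed to reach.
DESIGNS = {
    "secured host, no firewall": {"inside": set(), "permit": set()},
    "firewall, host behind it": {
        "inside": {PUBLIC} | INTERNAL,
        "permit": {(PUBLIC, 25), (PUBLIC, 80)},
    },
    "firewall, host outside it": {"inside": set(INTERNAL), "permit": set()},
}

def reachable(design, src):
    """Return the (host, port) pairs that src can open a connection to."""
    d = DESIGNS[design]
    pairs = set()
    for host, ports in LISTENING.items():
        if host == src:
            continue
        # Only traffic entering the protected side is filtered.
        filtered = host in d["inside"] and src not in d["inside"]
        pairs |= {(host, p) for p in ports
                  if not filtered or (host, p) in d["permit"]}
    return pairs

def assess(design):
    """Summarise exposure before and after the public host is compromised."""
    direct = reachable(design, "internet")
    pivot = reachable(design, PUBLIC)
    return {
        "public_ports": sorted(p for h, p in direct if h == PUBLIC),
        "internal_from_internet": sorted({h for h, _ in direct if h in INTERNAL}),
        "internal_from_public_host": sorted({h for h, _ in pivot if h in INTERNAL}),
    }

if __name__ == "__main__":
    for name in DESIGNS:
        print(name, assess(name))
```

The public host exposes the same two ports in all three designs; only the internal network's exposure changes with the placement.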
