Firewall Wizards mailing list archives
Why is this secure??
From: "Steve Meeters" <meeters () excite com>
Date: Tue, 23 Nov 1999 16:15:51 PST
I'm not a security expert but have been asked to find a way to allow customers on the Internet to look up parts information on a server behind our firewall. The server has a lot of business applications on it and can't be put in front of the firewall. We are using a Gauntlet firewall.

I have been reading and following discussions on this list for a while and have come up with a plan to put an external web server on the third leg of the firewall and have customers go to this web server, fill out a request form and submit it. Using CGI scripting, the web server will send the request through the firewall to the internal server, which will then send the requested information back to the web server, which will forward it to the customer.

Like I said, I'm not an expert at this and have come up with this plan based on what I've read here and in some books. What I need to know is why is this more secure than letting Internet traffic through the firewall directly to a web server on this internal system? Putting up an external server is going to cost more; we'll need another system, web software, and another interface for the firewall.

What threats am I specifically opening our network up to by creating a rule that allows all traffic to the internal server? I read this is a bad idea, but why can't the firewall protect against this? Assume for the sake of argument the firewall is secure. What protection does this type of firewall still provide to our network if this rule is in place? At what OSI levels?

In my plan a rule will be created that will only allow traffic coming from the external web server to pass through the firewall to the internal server. This narrows the field from everyone on the Internet to just the one server. How does this help secure the internal network? If the external server is compromised, doesn't the attacker now have an open path to the internal server, the same as if the external server wasn't there at all?
I know these questions sound elementary to you but I drew the short straw on this one. I think I am heading towards a relatively secure solution, but I need to justify the $$$.

Thanks for your help

Steve Meeters
meeters () excite com
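The relay step described in the message above, sketched as an added example (not part of the original post and not Gauntlet configuration): the CGI handler on the external web server validates the form field and forwards only a fixed-format lookup to the internal server. The part-number format, the internal host name and port, and the one-line LOOKUP protocol are assumptions made for illustration.

```python
import re
import socket

# Assumptions (not from the post): part numbers look like "AB-12345",
# the internal host/port, and a one-line "LOOKUP <part>" protocol.
PART_RE = re.compile(r"[A-Z]{2}-[0-9]{5}")
INTERNAL_ADDR = ("parts.internal.example", 7001)  # hypothetical
MAX_REPLY = 4096


class RejectedRequest(ValueError):
    """Raised when the form input never leaves the external web server."""


def build_query(form_value):
    """Turn untrusted form input into the only message allowed inside."""
    part = form_value.strip().upper()
    if not PART_RE.fullmatch(part):
        raise RejectedRequest("malformed part number")
    return ("LOOKUP %s\n" % part).encode("ascii")


def send_over_tcp(query, addr=INTERNAL_ADDR, timeout=5.0):
    """Real transport: one short-lived connection to one host and port."""
    with socket.create_connection(addr, timeout=timeout) as conn:
        conn.sendall(query)
        return conn.recv(MAX_REPLY)


def relay(form_value, transport=send_over_tcp):
    """CGI-side handler: validate, forward, and bound the reply."""
    try:
        query = build_query(form_value)
    except RejectedRequest as exc:
        return 400, str(exc)
    reply = transport(query)[:MAX_REPLY]
    return 200, reply.decode("ascii", errors="replace").strip()


def fake_internal(query):
    """Constructed stand-in for the internal server, for offline runs."""
    stock = {b"LOOKUP AB-12345\n": b"AB-12345 widget qty=40\n"}
    return stock.get(query, b"NOT FOUND\n")


if __name__ == "__main__":
    # Constructed sample inputs: valid, malformed, and unknown part.
    for value in ["ab-12345", "AB-12345\nLOOKUP CD-00001", "ZZ-00000"]:
        print(repr(value), "->", relay(value, transport=fake_internal))
```

With a firewall rule that admits only this host to the one internal port, the message built by build_query is the only traffic the form can cause to cross the firewall.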
Current thread:
- Why is this secure?? Steve Meeters (Nov 24)
- Re: Why is this secure?? Lars Kronfält (Nov 28)
- Re: Why is this secure?? Frank Heinzius (Nov 29)
- Re: Why is this secure?? chuck (Nov 29)
- Re: Why is this secure?? Mikael Olsson (Nov 29)