Firewall Wizards mailing list archives

Why is this secure??


From: "Steve Meeters" <meeters () excite com>
Date: Tue, 23 Nov 1999 16:15:51 PST

I'm not a security expert but have been asked to find a way to allow
customers on the Internet to look up parts information on a server behind
our firewall. The server has a lot of business applications on it and can't
be put in front of the firewall. We are using a Gauntlet firewall. 

I have been reading and following discussions on this list for a while and
have come up with a plan to put an external web server on the third leg of
the firewall and have customers go to this web server, fill out a request
form and submit it. Using cgi scripting, the web server will send the
request through the firewall to the internal server which will then send the
requested information back to the web server, which will forward it to the
customer. 

Like I said, I'm not an expert at this and have come up with this plan based
on what I've read here and in some books. What I need to know is why is this
more secure than letting Internet traffic through the firewall directly to a
web server on this internal system? Putting up an external server is going
to cost more, we'll need another system, web software, and another interface
for the firewall. 

What threats am I specifically opening our network up to by creating a rule
that allows all traffic to the internal server? I read this is a bad idea
but why can't the firewall protect against this? Assume for the sake of
argument the firewall is secure.

What protection does this type of firewall still provide to our network if this
rule is in place? At what OSI levels?

In my plan a rule will be created that will only allow traffic coming from
the external web server to pass through the firewall to the internal server.
This narrows the field from everyone on the Internet to just the one server.


How does this help secure the internal network?

If the external server is compromised doesn't the attacker now have an open
path to the internal server, the same as if the external server wasn't there
at all?

I know these questions sound elementary to you but I drew the short straw on
this one. I think I am heading towards a relatively secure solution, but I
need to justify the $$$.

Thanks for your help

Steve Meeters
meeters () excite com
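The plan above relies on the DMZ web server doing more than just passing bytes inward: its CGI layer can accept one narrowly defined request and refuse everything else, so the internal server only ever sees well-formed part-number lookups even when an attacker controls the form. The following is an added illustration of that relay logic, not code from the post; the internal hostname, lookup path and part-number format are assumptions chosen for the example.

```python
"""Request relay for a DMZ web server (added example, not from the original post).

Instead of forwarding the customer's raw request, the external server accepts one
form field, validates it against a strict allow-list pattern, and builds a
fixed-shape lookup request for the internal parts server. Anything else is
rejected before it ever crosses the firewall.
"""
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

INTERNAL_HOST = "parts.internal.example"   # assumed name of the internal server
LOOKUP_PATH = "/cgi-bin/partlookup"        # assumed lookup path on that server
PART_RE = re.compile(r"^[A-Z0-9]{3,12}(-[A-Z0-9]{1,6})?$")  # constructed part format
MAX_RESPONSE_BYTES = 64 * 1024             # cap on what is relayed back outward


def validate_part_number(raw):
    """Return the canonical part number, or None if the input is not acceptable."""
    if raw is None or len(raw) > 32:
        return None
    candidate = raw.strip().upper()
    return candidate if PART_RE.fullmatch(candidate) else None


def build_backend_url(part_number):
    """Build the only request shape the relay is permitted to send inward."""
    query = urlencode({"part": part_number})
    return "http://%s%s?%s" % (INTERNAL_HOST, LOOKUP_PATH, query)


def relay_lookup(form_value, fetch=None):
    """Validate the form value, then perform the inward lookup.

    Returns (status, body). `fetch` is injectable so the logic can be exercised
    offline; by default it performs a real HTTP GET to the internal server.
    """
    part = validate_part_number(form_value)
    if part is None:
        # Rejected on the DMZ host: the internal server never sees this input.
        return (400, "Rejected: part number must match the allowed format.")
    url = build_backend_url(part)
    if fetch is None:
        def fetch(u):
            with urlopen(Request(u), timeout=5) as resp:
                return resp.read(MAX_RESPONSE_BYTES + 1)
    body = fetch(url)
    if len(body) > MAX_RESPONSE_BYTES:
        return (502, "Rejected: internal server response too large.")
    return (200, body.decode("latin-1", "replace"))
```

Pair this with the firewall rule from the plan (inbound to the internal server permitted only from the DMZ host), and the internal server is reachable only through this one validated request shape.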



