Firewall Wizards mailing list archives
FW-1, HTTP access and strength of IIS security
From: "Briercheck, Scott" <brierchecks () msx upmc edu>
Date: Sun, 5 Sep 1999 16:28:38 -0400
I'm hoping to get a little advice. I'm setting up an IIS 4.0 website that has code to manage its own logins and user state (it doesn't just rely on NT directory security: you can have a "web" account on the site without having an NT account on the machine). The "web" account IDs and passwords are stored in a SQL 7.0 database that will also be behind the firewall. In front of the web site I'm planning on putting FW-1 running on Solaris. The firewall will only allow SHTTP to the IIS web server on port 443. I expect that it should look no different to the web user than before I put the firewall up. Other than SHTTP, nothing else will be allowed through.

My first question is this: Is IIS + FW-1 sufficient security for sensitive information? I've been told by various security consultants that it is, but I'm starting to have reservations. I know that nothing can guarantee against a break-in, but is this a good choice? Can I feel reasonably confident relying on the firewall plus the IIS-supported login to be my primary mode of security (assuming MY code is good... is IIS 4.0 good enough)? I worry about buffer overflow attacks and other types of hacks, since I will be allowing SHTTP through the firewall and right to the website. This means that I need to rely on IIS being robust enough.

My second question is a follow-up to the first: Can I enhance the security by having the users be forced to log into FW-1 at the firewall before granting access to the website? The FW consultants and I discussed the idea of putting a RADIUS server (from Livingston software) into the security package. The RADIUS server would authenticate users at the firewall (using their login ID stored inside the SQL 7.0 database). With this setup, not even SHTTP would be allowed past FW-1 unless the user first authenticates at the firewall to gain a connection. The problem is that I'm being told this "firewall" login would have to be done in HTTP (plain text), and not SHTTP.

I had hoped to have a single login for the users, but I do not want them sending their password in plain text. This means that I would need to add a one-time password scheme (SecurID card). If they successfully log into the firewall, then they have a second login at the IIS login screen to actually access the website.

The third question is: Has anyone implemented this type of "firewall" login using a RADIUS server (or something similar)? Is there something out there that supports HTTPS for the firewall login? I would really rather not implement a SecurID card if I don't have to, as we will be dealing with many distributed users, so card management will be a pain.

Thoughts or comments are appreciated.

Thanks,
Scott
brierchecks () msx upmc edu