Firewall Wizards mailing list archives
Re: medical records, web server, & stateful firewall vs packet filter
From: "Adam Greene" <maillist () webjogger net>
Date: Fri, 18 Nov 2005 09:38:40 -0500
Paul and Jeff, Thanks to both of you for your responses, which I found very useful. Paul, you're right of course that focusing on firewalls and packet filters will be close to useless if there is no application-level security. And the DoS concerns are secondary to preventing system compromise. In general what I'm getting from the feedback which you and others have provided is that the DoS issues really are secondary at this point. thanks again, Adam ----- Original Message ----- From: "Paul Melson" <pmelson () gmail com> To: "'Adam Greene'" <maillist () webjogger net>; <firewall-wizards () honor icsalabs com> Sent: Thursday, November 10, 2005 4:35 PM Subject: RE: [fw-wiz] medical records, web server, & stateful firewall vs packet filter
-----Original Message----- Subject: [fw-wiz] medical records, web server, & stateful firewall vs
packet
filterMy question at this point is: am I making a mistake by placing a
stateful
firewall betweenthe webserver and the Internet? Maybe a simple packet filter would beless prone to DoSattacks. I could stick a Cisco 2800 there instead. I have always
believed
that a statefulfirewall device like a PIX or ASA 5500 would offer better overallprotection than a packetfilter (I need to limit access to the image and SQL servers too), but
some
feedback I'vereceived recently is causing me to question this assumption.I think you're off-target to be worrying about DoS attacks over attacks
that
lead to the compromise of this system or disclosure of data contained
within
(especially because healthcare data is regulated/protected in many countries). I think you're also relying too heavily on the web server
and
the web app to be secure, which they probably aren't. And since the web
app
has access to the SQL database and the image files you're trying to
protect,
it's likely to be your soft spot. Layer 3 filters are useful out front
and
between the front-end and back-end servers, but they're just a start. You need to look at application security either through app testing and assurance or through some sort of protective reverse proxy. PaulM _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards --- [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection
System]
--- [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System] _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- medical records, web server, & stateful firewall vs packet filter Adam Greene (Nov 10)
- RE: medical records, web server, & stateful firewall vs packet filter Paul Melson (Nov 17)
- Re: medical records, web server, & stateful firewall vs packet filter Adam Greene (Nov 22)
- RE: medical records, web server, & stateful firewall vs packet filter Paul Melson (Nov 17)