> Our company is currently preparing to get out on the "web". We have
> started to interview ISP's and evaluate their services. We spoke with
> MCI yesterday and they offered us a package called "Webmaker" an all in
> one Firewall/Proxy server/Web server. I have researched this system (as
> much as I could find), and I looked through the archives of this list for
> information. They (MCI) say that the firewall is an Intel (nothing about
> that on NCSA sight). I don't have a warm fuzzy about this system. I was
> pretty much sold on Firewall-1 NT. I also think I can remember reading
> that it was not a good idea to have your web server and firewall sharing
> the same box. Is this true?
> Any help would be appreciated. The sooner the better.
Well I am sure that you have gotten plenty of information regarding your
request, but I will add mine to the fray. It is never a good idea to
combine your firewall/proxy/web server on one machine. Looking at your
request I have read between the lines and gathered that you (your
company) does not have a solid knowledge of what it takes to "get on the
web". Here are some things to think about:
1. Pick an OS that you are very familiar with. If one is not available
then I would suggest using a Unix based firewall, and NT or Unix for
your web and proxy work. I say this only because if you are not
familiar with either OS then I feel that Unix is a bit easier to secure.
The Unix box can also be a 486/586 machine and handle your connection
very well, whereas the NT box must be a Pentium grade machine.
2. Make sure the firewall is a separate entity that only handles
firewall tasks (ie. filtering and forwarding/routing). The less you
have on it the more secure it can be.
3. In the beginning have your webserver outside of your firewall.
This will allow for misconfigurations, or unsecure programs, that will
only effect that machine and not your entire network. You can move this
as you (your company) increases its' knowledge base.
4. Make a backup of the machine(s) before you put them on "the net".
This will allow you to just do a full restore of the system and not have
to worry about a hacker leaving a backdoor on your machine.
5. Do not underestimate the resources needed to perform this job, and
support your connection. Depending on your needs and user base this
could very well be a full-time position.
6. If you have the resources (ie. money) have a security audit done on
your site before you "announce it" to the public. This will allow you
to plug any holes that are found and possibly rework your configuration.
These are a few of the things to think about. If you have any other
questions feel free to e-mail the list or me directly. Good Luck.
Tim
|
|
