On Wed, 4 Jun 1997, zzIML Firewalls wrote:
> This has been an ongoing planning debate for us... does the potential
> latency and overhead of a firewall potentially point toward putting
> high-access high-performance WWW servers on the net without a firewall?
> Is there a true trade-off of "security vs. performance"?
A firewall doesnt necessarily mean your secure. Carefully securing your
machine(s) at a host level is a good way to start. Its amazing how many
large sites out there dont do basic audits of their own sites. IE;
disabling all nonessential services, etc. The more possible entry points
you eliminate for an intruder, the harder it will be for them to get in.
And by making it more difficult to get in, hopefully they have to do
something which you will notice.
> Presume that the WWW servers are at a co-location ISP site and don't
> have any "critical data" on them. They are mostly publish sites...
I think for most organizations, who put money into developing a site on
the net, be it web/ftp/chat whatever, have a vested interest in keeping it
secure. Not because they are worried about people seeing data they
shouldnt see, but because of the publicity you will get after being
hacked.. i could see it now.. some CEO of a big company turns on CNN to
hear a story about how a 12 yearold kid hacked his companys website
from school and put up a banner saying 'Im g0d'. It doesnt matter if the
kid got anything important.
> What is the norm for large sites, say 10MB connected sites or DS3 (45MB)
> connected sites... Are large public WWW servers typically "behind a
> firewall" or are they in the clear? Yahoo, Microsoft, Netscape, etc?
> I mean the large sites... 1,000,000/hits a day sites? What about
> 10,000,000/hits a day?
Most sites that large are not connected behind a single large pipe,
infact most are distributed up around the net, so it would be possible to
firewall their individual smaller sites. Altho not all sites do.