Subject: Re[2]: Do people host WWW servers behind firewalls?
From: Dallas N Bishoff <Dallas.N.Bishoff@faa.dot.gov>
Date: 11 Jun 1997 11:29:41 -0400
To: mike@isi.net (Return requested), IML-Firewalls@vnw.com (Return requested), lazar@netevolve.com (Return requested)
Cc: Firewalls@GreatCircle.COM (Return requested)
Alternate-recipient: Allowed
Conversion: Allowed
Disclose-recipients: Prohibited
Original-encoded-information-types: IA5-Text
X400-content-type: P2-1988 ( 22 )
X400-mts-identifier: [/c=US/admd=ATTMAIL/prmd=gov+dot/; 04256339EC46501E-MTAdot1]
X400-originator: Dallas.N.Bishoff@faa.dot.gov
X400-received: by mta MTAdot1 in /c=US/admd=ATTMAIL/prmd=gov+dot/; converted ( IA5-Text); Relayed; 11 Jun 1997 11:29:41 -0400
X400-received: by /c=US/admd=ATTMAIL/prmd=gov+dot/; converted ( IA5-Text); Relayed; 11 Jun 1997 11:29:41 -0400
X400-recipients: non-disclosure;
Greetings:
Think about the following....
Most ISP connections are the bottleneck in performance. A properly
configured box (NIC/RAM/HD) is not a problem...RAM being very
important for a firewall.
If you install a 3rd NIC into your firewall and treat it as a virtual
circuit inside your DMZ, you can write the following type of rule.
- Allow any (source)
- Web Server IP (destination)
- Allowed Services (may only be HTTP on port 80, disallow all else)
The firewall should only allow access to your website via HTTP, so any
mistakes you made in configuring security on your server would be very
difficult to exploit....unless you did something that allows an HTTP
exploit to occur.
YES..people really do put their web servers behind Firewalls, and yes
it can be a good idea.
Regards!!!
Dallas N. Bishoff
MCP - NT & Exchange
Certified CheckPoint Security Engineer (CCSE)
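One way to see exactly what that third-NIC rule set admits, as an added example that is not part of the post: a small first-match packet filter in Python modelling "allow any source to the web server IP on TCP/80, deny everything else bound for the DMZ". The web server address 192.0.2.10 and DMZ subnet 192.0.2.0/24 are assumed (RFC 5737 documentation range), and the sample packets are constructed.

```python
"""First-match filter modelling the DMZ rule from the post (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WEB_SERVER = "192.0.2.10/32"   # assumed web server address on the DMZ NIC
DMZ_NET = "192.0.2.0/24"       # assumed DMZ subnet behind the third NIC


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"            # CIDR or "any"
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: Optional[int] = None # None matches every port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule matches the packet."""
        return (
            (self.src == "any" or ip_address(pkt.src) in ip_network(self.src))
            and (self.dst == "any" or ip_address(pkt.dst) in ip_network(self.dst))
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# The post's rule: any source -> web server IP, HTTP only; then drop
# everything else that would reach the DMZ segment.
DMZ_RULES: List[Rule] = [
    Rule("allow", src="any", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("deny", dst=DMZ_NET),
]


def decide(pkt: Packet, rules: List[Rule] = DMZ_RULES, default: str = "deny") -> str:
    """First matching rule wins; an unmatched packet gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default
```

Only an HTTP request to the web server itself passes; a different port, protocol or DMZ host is dropped, which is the point of the post: anything that is not an HTTP exploit never reaches the server.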
______________________________ Reply Separator _________________________________
Subject: Re: Do people host WWW servers behind firewalls?
Author: lazar@netevolve.com at Internet
Date: 6/5/97 1:06 AM
At 05:35 PM 6/4/97 -0700, Mike Hedlund wrote:
>
>
>On Wed, 4 Jun 1997, zzIML Firewalls wrote:
>
>> This has been an ongoing planning debate for us... does the potential
>> latency and overhead of a firewall potentially point toward putting
>> high-access high-performance WWW servers on the net without a firewall?
>> Is there a true trade-off of "security vs. performance"?
>>
>
>A firewall doesn't necessarily mean you're secure. Carefully securing your
>machine(s) at a host level is a good way to start. It's amazing how many
>large sites out there don't do basic audits of their own sites, i.e.
>disabling all nonessential services, etc. The more possible entry points
>you eliminate for an intruder, the harder it will be for them to get in.
>And by making it more difficult to get in, hopefully they have to do
>something which you will notice.
>
>> Presume that the WWW servers are at a co-location ISP site and don't
>> have any "critical data" on them. They are mostly publish sites...
>>
>
>I think most organizations who put money into developing a site on
>the net, be it web/ftp/chat, whatever, have a vested interest in keeping it
>secure. Not because they are worried about people seeing data they
>shouldn't see, but because of the publicity you will get after being
>hacked. I could see it now: some CEO of a big company turns on CNN to
>hear a story about how a 12-year-old kid hacked his company's website
>from school and put up a banner saying 'I'm g0d'. It doesn't matter if the
>kid got anything important.
>
That is a very good point. For those who run web servers on Solaris boxes,
there is a very good FAQ on how to secure it at
http://www.sun.com/sunworldonline/common/security-faq.html. There are quite
a few services that can be turned off, and quite a few extras that aren't
needed.