> I don't think it would be any problem for my organization to set up its Web server in the DMZ or at least on
> the Internet side of the firewall. However, we would also like our users to be able to access the Web. It
> seems that common wisdom says that the only really safe way to do this is to run the client off of a box in the
> DMZ or the Net side of the firewall. My question is: is it then safe to run an X client web browser off of the
> box onto the user's desktop, or should I limit them to using some kind of text browser? Does X along with
> Web clients open up possibilities of attack? Seems to me that the damage would be limited to the DMZ
> machine, which we should assure ourselves is an acceptable risk.

The problem as I understand it is that we cannot allow X protocols to pass
through the firewall.

The nature of X is that it sends all keystrokes/screen updates from
server to client and client to server in TCP packets. If someone on the
Internet can inject bogus packets into the net, they can update your screen
or emulate key-presses (not a great idea if your X session is logged in as
root).

If your WEB server is in a DMZ between two routers and the external one is
filtering out X packets, then I believe that you should be safe, especially
if the only X packets that you let through the internal router come from
your WEB server.

I won't bother trying to discuss other forms of DMZ, as it's the two-router
scenario that I'm more familiar with; besides which, you can explain what
you have set up if you need to.

Anyone else got any thoughts on this?
-------------------------------------------------------------------------
Paul Crossley (paul @ toploguk . co . uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444 Fax (01628) 819356
-------------------------------------------------------------------------
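
The two-router arrangement described in the reply above, modelled as an added example (not part of the original message). The addresses are constructed documentation ranges, the rule and function names are hypothetical, and it assumes X displays listen on TCP 6000-6063 and the web server on port 80.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation ranges), not taken from the post.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = ipaddress.ip_network("198.51.100.10/32")   # the DMZ box
ANY = ipaddress.ip_network("0.0.0.0/0")

# X display :n listens on TCP 6000+n on the user's desktop, so the browser
# running on the DMZ box opens connections *inward* to these ports.
X11_PORTS = range(6000, 6064)
ALL_PORTS = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: range

def decide(rules, src, dst, dport):
    """First matching rule wins; a packet matching no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and dport in r.dports:
            return r.action
    return "deny"

# External router: drop all X arriving from the Internet, allow HTTP to the DMZ box.
EXTERNAL = [
    Rule("deny", ANY, ANY, X11_PORTS),
    Rule("permit", ANY, WEB_SERVER, range(80, 81)),
]

# Internal router: the only X allowed inward is sourced from the DMZ box.
INTERNAL = [
    Rule("permit", WEB_SERVER, INTERNAL_NET, X11_PORTS),
    Rule("deny", ANY, INTERNAL_NET, ALL_PORTS),
]

def reaches_desktop(src, dst, dport, via_external):
    """True if a packet bound for an internal desktop passes every router on its path.

    via_external=True models a packet that entered from the Internet, whatever
    source address it claims; False models one that originated inside the DMZ.
    """
    path = ([EXTERNAL] if via_external else []) + [INTERNAL]
    return all(decide(rules, src, dst, dport) == "permit" for rules in path)
```

The internal router's rule trusts a source address only, so a packet from outside that claims the DMZ box's address is stopped by the external router's X filter, not by the internal one.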