> >
> > We are installing a Web Server that we want to give the world access to, but
> > are not sure of our security architecture yet. We are kicking around
> > several ideas including the idea of only allowing HTTP to pass through our
> > FIREWALL if it is destined for the Web server. We are considering doing
> > this by filtering on the Web Server's IP address and HTTP port number.
> >
> > What do you think? What are the residual risks?
> >
> > Alex . Sharpe @ rssi . com
> >
>
> It depends on what it's going to be used for. This type of question
> is somewhat subjective and likely to ignite a holy jihad of 'where
> to place the web server' banter. :-)
>
> - paul
>
Correct on the Holy Jihad war...;>)
My preference has been to place the Web Server on a screened subnet so that
I have yet another defense against it.
   Internet
       \
        + Router
         \
     ----------         -------
    | Internet |       |  WWW  |
    | Bastion  |       |  FTP  |   Public Access
    | Host     |       |  etc  |
     ----------         -------
         |                 |
         |                 |
----------------------------------------------------- Screened Subnet
                       |
                       |
                   ----------
                  | Internal |   Yet another Firewall
                  | Bastion  |
                   ----------
                       |
                       |
------------------------------------------------------------ Internal Backbone
-rg-
|
|
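
Added example, not part of the original messages: a small Python model of the two filtering points in the layout above, with the outer filter carrying the "HTTP to the web server only" rule from the question and the internal bastion refusing anything the screened subnet tries to open inward. All addresses, rule sets and names (OUTER, INNER, decide) are constructed assumptions; rules are first-match on the first packet of a connection, assuming the filters track state for replies.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addresses (documentation and private ranges), not from the thread.
ANY = "0.0.0.0/0"
SCREENED = "192.0.2.0/24"    # screened subnet holding the public servers
WWW = "192.0.2.10/32"        # the web server
INTERNAL = "10.0.0.0/8"      # internal backbone

class Rule(NamedTuple):
    action: str              # "allow" or "deny"
    src: str                 # source network (CIDR)
    dst: str                 # destination network (CIDR)
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches any destination port

# Filter facing the Internet: HTTP to the web server only (the rule from the question).
OUTER = [
    Rule("allow", ANY, WWW, "tcp", 80),
    Rule("deny", ANY, ANY, "any", None),
]

# Internal bastion: the screened subnet may never open connections inward.
# The internal-to-WWW allow rule is an assumption added for illustration.
INNER = [
    Rule("deny", SCREENED, INTERNAL, "any", None),
    Rule("allow", INTERNAL, WWW, "tcp", 80),
    Rule("deny", ANY, ANY, "any", None),
]

def decide(rules, src, dst, proto, dport):
    """Return the action of the first rule matching a new connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"  # default deny if no rule matches

if __name__ == "__main__":
    # Constructed flows: (label, policy, src, dst, proto, dport)
    for label, pol, *flow in [
        ("Internet -> WWW:80", OUTER, "198.51.100.7", "192.0.2.10", "tcp", 80),
        ("Internet -> WWW:22", OUTER, "198.51.100.7", "192.0.2.10", "tcp", 22),
        ("WWW -> internal:80", INNER, "192.0.2.10", "10.1.2.3", "tcp", 80),
    ]:
        print(f"{label:20} {decide(pol, *flow)}")
```

The outer rule still exposes the HTTP service itself, which is the residual risk the question asks about; the inner rule set is what limits where a misbehaving public server can reach.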