Great Circle Associates Firewalls
(November 1995)
 


Subject: Re: WWW server in a screened subnet or in internal net ?
From: Rick Smith <smith @ sctc . com>
Date: Fri, 17 Nov 1995 12:35:20 -0600
To: firewalls @ greatcircle . com
Cc: smith @ sctc . com, jlc @ adnt . fr

I probably won't be the only person to respond to the question by
Jean-Luc CHARDON <jlc @ adnt . fr>:

>A WWW service is to be established on a UNIX server which will provide info to
>remote users. All available data is for the general public (no restricted data)
>and the server can be dedicated to the www service.

>I have, at least, two solutions:
>A) establish the service on a sacrificial host in the screened subnet
>B) establish the service on an internal host and use the proxy http-gw
>   to forward clients' calls to the server.

Ask yourself what happens if the Web software contains a bug and
allows an attacker to penetrate the system (after all, you're
asking a security mailing list, eh?).

In A) you've lost your sacrificial host and the attacker is still
outside the protective perimeter established with your firewall.

In B) the attacker is inside the protective perimeter established with
your firewall. This is not a good thing.

A third option is to host it on a system with mandatory protections
like Sidewinder or something with military-style security labels.  In
a dual-homed configuration you could administer from one side, connect
the other to the Internet, and use the mandatory protection to keep
Internet attackers from touching the inside network.

Rick.
smith @ sctc . com         secure computing corporation
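An added illustration, not part of Rick's post or the list archive: a toy packet-filter policy model of options A and B in Python, used to show which zones an attacker who owns the web server can reach under each design. The zone names, port numbers and rule order are assumptions, not anything from the original thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # zone the connection originates from (assumed names)
    dst: str             # zone it is destined for
    port: Optional[int]  # None = any destination port
    action: str          # "allow" or "deny"

ZONES = {"internet", "dmz", "internal"}   # constructed three-zone model

# Option A: web server on a sacrificial host in the screened subnet ("dmz").
# Only Internet -> dmz:80 comes in, and the dmz may never initiate
# connections into the internal network.
DESIGN_A = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("dmz", "internal", None, "deny"),
    Rule("internal", "dmz", None, "allow"),       # administration from inside
    Rule("internal", "internet", None, "allow"),
]

# Option B: web server on an internal host, reached through an HTTP proxy
# in the dmz, so the filter must let dmz -> internal:80 through and the
# server itself already sits inside the perimeter.
DESIGN_B = [
    Rule("internet", "dmz", 80, "allow"),         # proxy in the dmz
    Rule("dmz", "internal", 80, "allow"),         # proxy forwards to the server
    Rule("dmz", "internal", None, "deny"),
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "internet", None, "allow"),
]

def permitted(rules, src, dst, port):
    """First-match evaluation; anything that matches no rule is denied."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action == "allow"
    return False

def exposure_after_web_compromise(rules, web_zone, ports=(22, 80, 443)):
    """Zones an attacker holding the web server can open connections into,
    on any of the listed ports; the server's own zone is always included."""
    others = ZONES - {web_zone}
    reached = {z for z in others
               if any(permitted(rules, web_zone, z, p) for p in ports)}
    return sorted(reached | {web_zone})
```

Under option A the compromised host can reach nothing but its own subnet; under option B the same compromise starts on the internal network with the whole perimeter behind it.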
