Great Circle Associates Firewalls
(November 1995)

Subject: Re: WWW server in a screened subnet or in internal net ?
From: frankw @ in . net (Frank Willoughby)
Date: Sat, 18 Nov 95 12:16:48 -0500
To: firewalls @ GreatCircle . com

>I probably won't be the only person to respond to the question by
>Jean-Luc CHARDON <jlc @ adnt . fr>:
>
>>A WWW service is to be established on a UNIX server which will provide info to
>>remote users. All available data is for general public (no restricted data) 
>>and the server can be dedicated to www service.
>
>>I have, at least, two solutions :
>>A) establish the service on a sacrificial host in the screened subnet
>>B) establish the service on an internal host and use the proxy http-gw
>>   to forward clients calls to the server.
>
>Ask yourself what happens if the Web software contains a bug and
>allows an attacker to penetrate the system (after all, you're
>asking a security mailing list, eh?).
>
>In A) you've lost your sacrificial host and the attacker is still
>outside the protective perimeter established with your firewall.
>
>In B) the attacker is inside the protective perimeter established with
>your firewall. This is not a good thing.
>
>A third option is to host it on a system with mandatory protections
>like Sidewinder or something with military style security labels.  In
>a dual homed configuration you could administer from one side, connect
>the other to the Internet, and use the mandatory protection to keep
>Internet attackers from touching the inside network.
>
>Rick.
>smith @ sctc . com         secure computing corporation
>

I agree with the first two options that Rick mentioned.  The third is 
also OK with some restrictions.  If the WWW service is on a MLS-type
system which offers significant protection mechanisms (like the 
Sidewinder), then this would be a good thing.  Please note that this 
is only a recommendation of somewhere to place the WWW service and 
*not* an endorsement of the Sidewinder by any means.  In this role,
the Sidewinder is functioning as a secure O/S and *not* as a firewall.
With a couple of modifications (price and security), it could be a 
pretty nice firewall - but it does have a couple of vulnerabilities 
(many other vendors also share these vulnerabilities, so they aren't 
alone).  

If I may recommend a 4th alternative: look at a firewall which supports
subnetting & put the WWW server on the isolated subnet (not on the inside).  
A few of the advantages of this are:

1) Damage containment.
   Assuming the worst case and a hacker is able to compromise the WWW
   Server, there is nowhere for them to go.  Seal off the connection,
   initialize all disks, wipe the memory, restore your backups & fix 
   the problem.

2) The firewall can selectively permit/deny access to the Web Server
   and for only those services that you select.  (i.e., anyone on the 
   outside can read the pages, but only certain people on the inside
   can upload new web pages, files, etc.)

   This gives you the added benefits of allowing only certain users
   (on the inside, of course) to be able to upload new web pages or
   files to be ftp'ed.  You don't really want anyone to be able to 
   do this (a disgruntled employee could cause some real embarrassment
   by posting undesirable text/pictures on the web pages).  Accesses
   from the outside can also be limited.  (Allow web browser access,
   but deny telnet, ftp, etc. accesses from the outside & inside).

Hope this helps.

Best Regards,


Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.
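The policy Frank sketches for the 4th alternative (read-only HTTP from anywhere, uploads only from designated inside hosts, no telnet/ftp from outside, and no path from the WWW host back inward) as a small first-match packet-filter model. This is an added example, not code from the original post or from any firewall product named in it; the address ranges, zone names and the choice of port 21 for uploads are constructed assumptions.

```python
# Added example (not from the original post): a first-match packet-filter
# model of the screened-subnet policy. Addresses, zones and ports are
# constructed for illustration. The first rule whose predicate matches wins;
# a flow matching no rule is denied, which is what gives "damage containment".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str           # host that initiates the session
    dst: str
    dport: int
    proto: str = "tcp"


INSIDE = ip_network("10.0.0.0/8")               # constructed internal net
SCREENED = ip_network("192.0.2.0/24")            # constructed isolated WWW subnet
WWW = ip_address("192.0.2.10")                   # the sacrificial WWW host
WEBMASTERS = {ip_address("10.1.1.5"), ip_address("10.1.1.6")}  # only uploaders


def zone(addr):
    a = ip_address(addr)
    if a in INSIDE:
        return "inside"
    if a in SCREENED:
        return "screened"
    return "outside"


# (predicate, verdict) pairs, evaluated in order.
RULES = [
    # Containment: the WWW host may not start sessions anywhere, inside or out.
    (lambda f: zone(f.src) == "screened", "deny"),
    # Anyone may read pages on the WWW server.
    (lambda f: ip_address(f.dst) == WWW and f.dport == 80, "permit"),
    # Only designated inside hosts may upload (ftp control channel, assumed).
    (lambda f: ip_address(f.dst) == WWW and f.dport == 21
               and ip_address(f.src) in WEBMASTERS, "permit"),
    # No rule for telnet, other ftp sources, or inside<->outside via the WWW host.
]


def decide(flow):
    """Return 'permit' or 'deny' for a flow under first-match semantics."""
    for pred, verdict in RULES:
        if pred(flow):
            return verdict
    return "deny"


def containment_check():
    """Verdicts for the cases discussed in the post (constructed sample flows)."""
    return {
        "browser reads pages": decide(Flow("203.0.113.7", "192.0.2.10", 80)),
        "outside telnet": decide(Flow("203.0.113.7", "192.0.2.10", 23)),
        "outside ftp": decide(Flow("203.0.113.7", "192.0.2.10", 21)),
        "webmaster upload": decide(Flow("10.1.1.5", "192.0.2.10", 21)),
        "other inside upload": decide(Flow("10.2.2.2", "192.0.2.10", 21)),
        "compromised WWW to inside": decide(Flow("192.0.2.10", "10.1.1.5", 22)),
    }
```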
