On Thu, 28 Mar 1996, Peter da Silva wrote:
> I'm sorry, I don't understand the relationship between my comment and your
> response. It reads like "I disagree" followed by agreement.
>
> Not CCing to the list because I'd rather figure out what you thought I said
> or meant before making with public comments.
>
OK, then let's take this step by step. Maybe I missed something.
Someone wrote:
> > > > Is putting your web server behind your firewall a wise thing to do?
And you responded:
> > > An *external* web server, no.
And I said:
> > I disagree. You can put your web server in the DMZ when that web
> > server has to interact with a database on the other side of the
> > internal firewall.
I am saying that you can put your web server behind the external
firewall and into the DMZ. I interpret the DMZ as being behind the
firewall. Sure we're allowing public access to it on a controlled
basis, but I do consider it behind the firewall.
Then I continued:
> > The internal firewall allows that one system (in
> > the DMZ) to connect to the database system via one TCP port (proxy).
> > Since everything behind the internet firewall is RFC1597 numbered (I am
> > using a Cisco/NTI PIX) and the router is set to block those from the
> > internet side, I have no problems with this.
I am hoping to explain that if your web server has to access a database
that must be behind the firewall, then you make sure you control access
at the internal firewall--making sure you apply all the necessary
controls.
In my mind (which could be warped! :-) the DMZ, being a controlled
access area, is behind the firewall. Essentially I am endorsing the
"classic" architecture of:
Internet -- External Firewall -- (DMZ) -- Internal Firewall -- Company Net
It's almost Friday and I need a break! I hope that cleared things up.
scott
--
scott barman             DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com     and I speak only for myself.
barman@ix.netcom.com
Java: Sun's answer to the Unix Virus!
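The layout Scott describes (border router discarding RFC1597 addresses from the internet side, external firewall exposing only the web server, internal firewall opening one TCP port from that one DMZ host to the database) can be written down as a checkable policy. The following is an added example, not code from the thread; the addresses, the proxy port 1521 and the stage names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addresses: DMZ web server publicly numbered; database in RFC1597 space.
RFC1597_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_SERVER = ipaddress.ip_address("203.0.113.10")
DB_SERVER = ipaddress.ip_address("10.1.2.3")
DB_PROXY_PORT = 1521  # assumed: the one TCP port the internal firewall opens

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: str  # where the packet enters: "internet", "dmz" or "internal"

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1597_NETS)

def border_router(f):
    """Internet-facing router: a packet with an RFC1597 source, or one aimed
    at RFC1597 space directly, cannot be legitimate and is dropped."""
    return f.ingress != "internet" or not (is_private(f.src) or is_private(f.dst))

def external_firewall(f):
    """Only HTTP/HTTPS to the DMZ web server is admitted from the internet."""
    return f.ingress != "internet" or (
        ipaddress.ip_address(f.dst) == WEB_SERVER and f.dport in (80, 443))

def internal_firewall(f):
    """Crossed only by flows into the private net: internal traffic passes;
    from the DMZ only the web server may reach the database, on one port."""
    if not is_private(f.dst) or f.ingress == "internal":
        return True
    return (f.ingress == "dmz" and ipaddress.ip_address(f.src) == WEB_SERVER
            and ipaddress.ip_address(f.dst) == DB_SERVER and f.dport == DB_PROXY_PORT)

STAGES = (("router", border_router), ("external-fw", external_firewall),
          ("internal-fw", internal_firewall))

def evaluate(flow):
    """Walk the flow through the chain; name the first stage that denies it."""
    for name, check in STAGES:
        if not check(flow):
            return f"denied by {name}"
    return "allowed"
```

Each flow names the segment it enters from, so a DMZ host other than the web server, or the web server on any port but the proxy port, is stopped at the internal firewall rather than the router.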