RE: [TCLUG:17853] firewalls and Web servers

To: <tclug-list@mn-linux.org>
Subject: RE: [TCLUG:17853] firewalls and Web servers
From: "Eric Hillman" <ehillman@cccu.com>
Date: Thu, 18 May 2000 12:43:46 -0500
Importance: Normal
In-Reply-To: <Pine.GSO.4.10.10005181218330.6070-100000@isis.visi.com>

> 1. Stick with the current system, relying on built-in Linux security to
> repel attacks.
>
> 2. Put the Web server behind the Novell firewall.
>
> 3. Keep the Web server in the DMZ and install an OpenBSD firewall just for
> the Web server.
>
> Any thoughts or recommendations?
>


I think that any of these can be made to work, and have their own advantages and
disadvantages.

Personally, we use something like option 1, because it minimized the amount of
dinking around we had to do on the firewall, and because we have an entire range
of valid class C's assigned to us.  Also, we figured that if somebody found and
used an Apache exploit against us, they'd be able to trash the webserver, but
wouldn't be able to use it as a platform to launch attacks deeper into our net.

If the Novell firewall can be configured to only allow traffic on ports 80 & 443
to the webserver, then that will certainly add an extra layer of security,
although you will be adding some load to the firewall then. I think if you must
have the server behind a firewall, option 3 may work out better for you.

References:
- firewalls and Web servers
  - From: Timothy Wilson <wilson@visi.com>

Prev by Date: Re: [TCLUG:17672] Security question
Next by Date: Re: [TCLUG:17854] old hardware avail at this weekend's installfest
Prev by thread: firewalls and Web servers
Next by thread: Re: [TCLUG:17853] firewalls and Web servers
Index(es):
- Date
- Thread