Actually I messed up on my original post...It's not port 80 and SSL...it's
the JRun proxy port in the case of MX...and in previous versions it's a config
file that operates with the cfdist process to link up the Apache module and
the back end server. In addition, the communication between the module and
the CF app server can be encrypted in itself in case there are
"listeners"....but yes, of course nothing is foolproof...but NOT doing this
definitely leaves additional vulnerabilities.

Ciao!

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 27, 2002 11:22 PM
To: CF-Talk
Subject: RE: Firewall configuration for CF and SQL (sort of OT)

> > out of curiosity, why would you want to separate the CF 
> > API from the webserver with regards to security? that 
> > setup doesn't seem to lend itself to being more secure.
>
> Sure it does. If the web server is compromised in the DMZ, 
> the infiltrators have nothing...no executable code or template 
> exists and there's nowhere to go...all sensitive information 
> is contained on the remote CF application server residing in 
> the MZ...including the source code of all your templates.
> 
> It's much more secure.

While I agree that a distributed configuration can be more secure, it can be
dangerous to overstate the level of security gained from this configuration.
A successful infiltrator will have far more than "nothing" - he will be able
to monitor the traffic from the web server to the application server. Users
entering passwords, even through SSL? Well, that traffic will be available
to the "infiltrators". It may be difficult to decipher, but it won't be
impossible.

In addition, this configuration won't protect you from CGI vulnerabilities -
that is, the failure to properly filter input. All it will do is protect you
against flaws in the actual web server software itself, or flaws within
other services run on the web server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists