Right Dave...my point being that you leave as little as possible on the exposed web server to minimize risk. Then cross your fingers... ;-)
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 11:22 PM
To: CF-Talk
Subject: RE: Firewall configuration for CF and SQL (sort of OT)

> > out of curiosity, why would you want to separate the CF
> > API from the webserver with regards to security? that
> > setup doesn't seem to lend itself to being more secure.
>
> Sure it does. If the web server is compromised in the DMZ,
> the infiltrators have nothing...no executable code or template
> exists and there's nowhere to go...all sensitive information
> is contained on the remote CF application server residing in
> the MZ...including the source code of all your templates.
>
> It's much more secure.

While I agree that a distributed configuration can be more secure, it can be dangerous to overstate the level of security gained from this configuration. A successful infiltrator will have far more than "nothing" - he will be able to monitor the traffic from the web server to the application server. Users entering passwords, even through SSL? Well, that traffic will be available to the "infiltrators". It may be difficult to decipher, but it won't be impossible.

In addition, this configuration won't protect you from CGI vulnerabilities - that is, the failure to properly filter input. All it will do is protect you against flaws in the actual web server software itself, or flaws within other services run on the web server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

