I belif a proxy would be still insufficient as:
even if it can check http based attacks (such as embedding of commands in a
http request), it is quite impossible to check for those that exploit the
cgi loopholes, which is normally due to the programming logic or language.
Just my 0.02
[EMAIL PROTECTED] (David Gillett) on 23-12-98 09:17:19 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Tan Hwee Cher/SPH)
Subject: Web server and firewall?
I got chatting at a Christmas party with the owner of a web site
who has twice changed ISPs because his site got hacked. He's about
given up on ISPs to provide protection, and is looking to set up his
own server and protect it.
I keep seeing recommendations that HTTP servers should be in the
DMZ, but I'm not clear on WHY. Is this, perhaps, to protect the
machines on the internal net from a compromised HTTP server? In this
case, there wouldn't *be* any "rest" to protect.
My inclination is to suggest a proxy machine as firewall, supplied
with content from the "real" server behind it. But maybe there's a
flaw to this that I haven't quite grasped?
David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
