On Wed, 24 Feb 1999, David Taylor wrote:

> They feel that the update traffic will bog down the firewall (not a chance,
> it hasn't even begun to break a sweat) and that since the traffic coming to
> the webserver has already passed through the firewall that it is "safe"

"Safe" is a relative term. Unless you are doing some form of content
filtering, all the firewall is doing is ensuring that only HTTP is used to
connect to the Web server. For ammo, check out your Web server's vendor
for a list of past HTML hacks. This should make it pretty clear that a Web
server is a *very* vulnerable system. Make sure that this list is
constantly changing and should be viewed as fluid. If hacks have been
found in the past it's a good bet that more hacks will be found in the
future. It's a bad idea to think that an attacker will not be able to find
some way in via HTML unless you are only serving up static pages and
graphics (OK, DoS is still possible but we are talking penetration).

So, now that an attacker has penetrated your Web server, what's to stop
them from doing further damage? Using a service network such as you
suggested, the Web server is prevented from accessing internal systems. By
circumventing this check, you would be giving people a back door into your
network.

Hope this helps. Stick to your guns,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
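
The service-network argument in the message above can be checked mechanically. This is an added illustration, not part of the original message: it audits a first-match rule set for a chain of permitted connections from the Internet to the internal network, treating every reachable zone as a possible foothold. The zone names, services and both rule sets are constructed assumptions, and the bypass is modelled as a rule letting the Web server initiate connections inward.

```python
from collections import deque

# Rule = (action, source zone, destination zone, service); first match wins.
# Zone names, services and both rule sets are constructed for illustration.
SERVICE_NETWORK = [
    ("allow", "internet", "dmz", "http"),
    ("allow", "internal", "dmz", "ssh"),       # updates are pushed from inside
    ("deny", "dmz", "internal", "any"),        # Web server cannot reach inward
    ("allow", "internal", "internet", "any"),
]
BYPASS = [
    ("allow", "internet", "dmz", "http"),
    ("allow", "dmz", "internal", "any"),       # Web server treated as "safe"
    ("allow", "internal", "internet", "any"),
]

def decide(policy, src, dst, service):
    """Return the action of the first matching rule; default is deny."""
    for action, r_src, r_dst, r_svc in policy:
        if (r_src, r_dst) == (src, dst) and r_svc in (service, "any"):
            return action
    return "deny"

def can_initiate(policy, src, dst):
    """True if src may open a connection to dst on at least one service."""
    # "other" stands for any service not named in the policy.
    services = ({rule[3] for rule in policy} - {"any"}) | {"other"}
    return any(decide(policy, src, dst, s) == "allow" for s in services)

def attack_path(policy, start="internet", target="internal"):
    """Shortest chain of zones an intruder could pivot through, or None."""
    zones = {zone for rule in policy for zone in rule[1:3]}
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(zones - seen):
            if can_initiate(policy, path[-1], nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    for name, policy in (("service network", SERVICE_NETWORK), ("bypass", BYPASS)):
        print(name, "->", attack_path(policy))
```
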
