On Sun, 20 Jun 1999, Don Kelloway wrote:

> If the firewall *only* allows the GET command through, there shouldn't be
> anything to worry about. Right?

Wrong.

You have to worry about buffer overflows in server requests and commands, 
wayward or poorly written active server content such as .asp's and perl 
scripts, errors in the GET implementation, and the architecture not scaling 
when the Webidiot decides that database transactions absolutely have to 
happen to move the business forward, trojans on the server and the integrity 
of everyone posting content to the server.

You've suddenly placed a large requirement to audit the Web server's 
software, manage code updates, test its functionality, and trust the 
administrators to always do the right thing.  If the server stuff is 
contracted, it's probably worse yet.  If it also contains confidential 
internal information, funner still.

Publicly accessible machines are still best placed outside the firewall 
in the DMZ or off a separate interface on a service network.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
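The point Paul makes above, that a "GET only" rule inspects the verb and nothing else, can be shown with a small defender-side comparison. The code below is an added example, not part of the original post or of any firewall product: `method_only_filter` does exactly what the quoted rule does, while `request_checks` performs the request-level checks such a rule never does (length limit, malformed request line, `..` path segments, active-content extensions, query strings). The limit of 2048 bytes, the static-only extension list and the sample request lines are constructed assumptions for illustration.

```python
"""Added example: a verb-only firewall rule versus request-level checks.

Neither the policy values nor the sample requests come from the original
mailing-list post; they are constructed here for illustration.
"""
from urllib.parse import urlsplit, unquote
import posixpath

MAX_REQUEST_LINE = 2048                                # assumed policy limit
ALLOWED_EXTENSIONS = {"", ".html", ".htm", ".gif", ".jpg", ".css"}  # assumed static-only site


def method_only_filter(request_line: str) -> bool:
    """What 'only allow GET through' actually decides: the verb, nothing else."""
    return request_line.split(" ", 1)[0] == "GET"


def request_checks(request_line: str) -> list:
    """Checks a web server or reverse proxy must still perform behind a
    GET-only rule. Returns the reasons for rejection; empty means accepted."""
    reasons = []
    # Oversized request lines are the classic carrier for server-side overflows.
    if len(request_line) > MAX_REQUEST_LINE:
        reasons.append("request line exceeds length limit")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
        reasons.append("method not GET or malformed request line")
        return reasons
    target = parts[1]
    if not target.startswith("/"):
        reasons.append("target is not an absolute path")
        return reasons
    split = urlsplit(target)
    # Decode before looking at segments so %2e%2e is treated like '..'.
    segments = unquote(split.path).split("/")
    if ".." in segments:
        reasons.append("path contains '..' segment")
    ext = posixpath.splitext(unquote(split.path))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext!r} is active content, not served")
    if split.query:
        reasons.append("query string not accepted for static content")
    return reasons


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /" + "A" * 4000 + " HTTP/1.0",
    "GET /cgi-bin/search.pl?q=%27 HTTP/1.0",
    "GET /../private/notes.html HTTP/1.0",
    "POST /form HTTP/1.0",
]


def audit(requests):
    """For each request: (passed the verb-only rule, reasons the server-side
    checks would still reject it)."""
    return [(method_only_filter(r), request_checks(r)) for r in requests]


def passed_filter_but_rejected(requests) -> int:
    """Count requests the GET-only rule lets through that still fail checks."""
    return sum(1 for ok, reasons in audit(requests) if ok and reasons)


if __name__ == "__main__":
    for req, (ok, reasons) in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(f"{req[:40]!r:45} verb-filter={'pass' if ok else 'block':5} "
              f"server-side={reasons or 'accept'}")
    print("let through by GET-only rule yet unsafe:",
          passed_filter_but_rejected(SAMPLE_REQUESTS))
```

Of the five constructed requests, the verb-only rule blocks just the `POST`; the other three problem cases (oversized line, Perl script with a query string, `..` traversal) all arrive at the server with `GET` intact, which is exactly the audit and patching burden the message describes.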
