On Sun, 20 Jun 1999, Don Kelloway wrote:

> Sure, I appreciate the opportunity.
> 
> I was basically referring to a webserver on the DMZ, where it's only purpose

Ok, this is the major point of disconnect - the original poster asked 
about putting the server inside the firewall.

> is to serve simple webpages. No active content, no scripts, no forms, no
> databases, nothing else.  If the server itself has had the appropriate mods
> performed in relation to the webservice used, as well as to the server
> itself, and the only command allowed to it, is the GET command.  It should
> be secure from unauthorized access from the external side. And if the server
> were to become compromised, there'd only be content of the pages. Nothing
> more...

There is still risk in servers with static content, but as has been 
pointed out, the biggest issue is that the Web site will probably 
change.  Static sites are much, much easier to audit though.

> All in all, it's a pretty simplistic setup, but that's what I was referring
> to. A simple setup where security can be controlled. Of course once you
> start adding active content, scripts, etc. you have a myriad of
> security-related issues to contend with.

Yep, my experience is that those changes will happen rather quickly and 
rather arbitrarily after meetings that the mean security guy didn't get 
invited to and doesn't have time to attend anyway.  YMMV obviously, I 
just think it's important to paint the bigger picture in this case.  In 
an ideal world, Web sites would be fairly static and manageable.  Useless 
enough to discourage visitors helps with security too! 

Personally, I liked gopher.  ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
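The setup Don describes (a static-only server that accepts nothing but GET) as an added example, not code from either poster: a request gate that rejects every method except GET, serves only plain files under one fixed document root, and refuses anything that resolves outside it. The root path and the `exists` hook are assumptions so the check runs offline.

```python
"""Request gate for a static-only web server (added example, not from the
thread). Policy: only GET, only plain files under one document root."""
import os

DOC_ROOT = "/var/www/static"  # assumed location of the static pages


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y'; return None for anything malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def gate_request(line, doc_root=DOC_ROOT, exists=os.path.isfile):
    """Return (status, filesystem path) for a request line.

    `exists` is injectable so the decision logic can be exercised without
    a real document root on disk (hypothetical hook, not a library API).
    """
    parsed = parse_request_line(line)
    if parsed is None:
        return 400, None
    method, target, _version = parsed
    if method != "GET":          # the only command the server allows
        return 405, None
    path = target.split("?", 1)[0]   # static pages take no parameters
    if not path.startswith("/"):
        return 400, None
    # Resolve the target and confine it to the document root, so a
    # request can only ever name content that was published there.
    root = os.path.realpath(doc_root)
    full = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + os.sep):
        return 403, None
    if full == root or path.endswith("/"):
        full = os.path.join(full, "index.html")
    if not exists(full):
        return 404, None
    return 200, full
```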
