On Wed, 1 Sep 1999, Roy wrote:
> We have the option of placing a www app server outside our firewall, in the
> DMZ or behind the firewall in our LAN by opening port 80 to the www app
> server's IP address.
>
> What are the pros and cons of placing it in the DMZ vs in the LAN?
In an ideal situation, publicly accessible servers live on their own
network segment outside the firewall. If your server shares layer-2
access with your firewall, you'll need to be aware of any layer-2 spoofs
or attacks against your firewall.
Placing a publicly accessible server on the internal network is very
dangerous, and should be avoided as much as possible. In that scenario,
you'll give a successful attacker access to your internal network, and
generally less-protected machines living on it.
You'll need to add more host protection to the machine, and audit it
regularly, but you'd be best served doing that anyway.
The other option is a 3rd leg off the firewall that only hosts public
servers. This "service network" concept is popular, but can induce latency
based on firewall processing. I prefer screening routers on isolated
segments off the DMZ.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
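The placement argument in Paul's reply, as an added illustration that is not part of the original thread: a small model of a three-legged firewall policy, used to compare a public web server on its own service-network segment against the same server inside the LAN with port 80 opened to its address. The zone names, addresses (RFC 5737 and RFC 1918 ranges), hosts and rule set are constructed assumptions chosen for the example; the point it demonstrates is the one in the post, namely that a server sharing the internal segment can reach the rest of the LAN without the firewall ever seeing the traffic.

```python
"""Model of a three-legged ("service network") firewall policy.

Added example, not code from the original mailing-list post. Zone names,
addresses, hosts and rules below are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology: three firewall legs (assumed addressing).
ZONES = {
    "outside": ip_network("0.0.0.0/0"),      # the Internet side
    "dmz": ip_network("192.0.2.0/24"),       # service network (RFC 5737 range)
    "inside": ip_network("10.0.0.0/8"),      # internal LAN (RFC 1918 range)
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None = any host in the destination zone
    dst_port: Optional[int]   # None = any port
    action: str               # "accept" or "drop"


# Design A (assumed): web server 192.0.2.10 on its own DMZ leg.
DMZ_DESIGN: List[Rule] = [
    Rule("outside", "dmz", "192.0.2.10", 80, "accept"),
    Rule("inside", "dmz", "192.0.2.10", 80, "accept"),
    Rule("inside", "outside", None, None, "accept"),
    # No dmz -> inside rule: that direction falls through to the default drop.
]

# Design B (assumed): web server 10.0.0.10 inside the LAN, port 80 opened to it.
LAN_DESIGN: List[Rule] = [
    Rule("outside", "inside", "10.0.0.10", 80, "accept"),
    Rule("inside", "outside", None, None, "accept"),
]

# Constructed internal hosts an attacker on a compromised server might target.
INTERNAL_TARGETS: List[Tuple[str, int]] = [
    ("10.0.0.5", 445),
    ("10.0.0.6", 22),
    ("10.0.0.7", 3306),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the most specific (longest-prefix) zone containing ip."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def permitted(policy: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True if the firewall lets a new connection src_ip -> dst_ip:dst_port through.

    First-match semantics with a default drop. Traffic between two hosts in
    the same zone never crosses the firewall, so it is not filtered at all.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dst_host in (None, dst_ip)
                and rule.dst_port in (None, dst_port)):
            return rule.action == "accept"
    return False


def reachable_from(policy: List[Rule], compromised_host: str,
                   targets: List[Tuple[str, int]]) -> List[str]:
    """Internal hosts a compromised public server could open connections to."""
    return sorted(host for host, port in targets
                  if permitted(policy, compromised_host, host, port))


if __name__ == "__main__":
    print("DMZ design, server compromised:",
          reachable_from(DMZ_DESIGN, "192.0.2.10", INTERNAL_TARGETS))
    print("LAN design, server compromised:",
          reachable_from(LAN_DESIGN, "10.0.0.10", INTERNAL_TARGETS))
```

Both designs admit the same inbound traffic (port 80 to the server and nothing else), so the difference is not visible from the outside. It shows up only after the server is compromised: under the DMZ design every connection toward the LAN has to cross the firewall and hits the default drop, while under the LAN design the server is already on the internal segment and the firewall is never consulted. That is the "access to your internal network" risk the reply describes, and it also motivates the host-hardening and auditing it recommends regardless of placement.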