> On Thu, 2 Sep 1999 16:37:33 [EMAIL PROTECTED] wrote:
>
> Personally the arrangement I like best is to have the WWW servers on a third
> leg of the firewall, what I call the service segment, and what I call the
> DMZ (other people have different definitions of DMZ, so be careful). In
> that way, even if an outside cracker blows away the WWW server, your
> firewall will still have logs of where this guy came from and what protocol
> he tried to use. The firewall would be configured to allow just http from
> the internet to the WWW server, and would allow http and other services to
> originate inside the company and go out to the WWW server. This also has
> the advantage in that sometimes it is very difficult to totally secure all
> the protocols on some machines running WWW servers. It doesn't matter as
> much because the firewall would block packets going to those ports. [...]
Of course, in the case where the WWW server is between the exterior
router and the firewall, the packet filters on the outside router should
only allow http(s) from the Internet to the WWW server anyway. And if
you syslog everything from the WWW server to the firewall as well
(optionally copying those logs to a central facility within the trusted
net), you will have copies of the logs even after they wipe your WWW
server. With any luck, you'll get some messages between the first
hostile action and the cracker disabling syslog on the WWW server.
-Blair
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
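The policy both posts describe, written out as a small first-match packet-filter simulator. This is an added example and not part of the original thread: it models the three-legged layout (Internet, trusted net, DMZ/service segment) with only http(s) from the Internet to the WWW server, anything from the inside to the WWW server, and syslog from the WWW server to the firewall's own DMZ address; everything else, including a compromised WWW server reaching back into the trusted net or out to the Internet, hits the default deny and is logged by the firewall. The addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 inside, 192.0.2.1 for the firewall's DMZ leg, 192.0.2.10 for the WWW server), the rule names and the sample packets are all assumptions made for illustration. Forwarding the firewall's copy of the logs on to a central loghost is left to the firewall's own syslogd, so no DMZ-to-inside rule is needed for it.

```python
# Added example (not from the original posts): first-match packet-filter
# policy for a three-legged firewall with a DMZ / service segment.
# Only connection-initiating packets are evaluated; a stateful firewall
# is assumed to admit the replies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology (documentation / RFC 1918 ranges, chosen for illustration).
DMZ_NET = ip_network("192.0.2.0/24")    # DMZ / service segment
INSIDE_NET = ip_network("10.0.0.0/8")   # trusted company network
WWW = "192.0.2.10"                      # the WWW server on the DMZ leg
FW_DMZ = "192.0.2.1"                    # firewall's DMZ address; syslog collector


def zone_of(addr: str) -> str:
    """Map an address to the firewall leg it lives on."""
    a = ip_address(addr)
    if a == ip_address(FW_DMZ):
        return "firewall"          # traffic addressed to the firewall itself
    if a in DMZ_NET:
        return "dmz"
    if a in INSIDE_NET:
        return "inside"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: Optional[str]            # None = any protocol
    dports: Optional[frozenset]     # None = any port
    src: Optional[str] = None       # exact host, None = any host in the zone
    dst: Optional[str] = None
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == zone_of(pkt.src)
                and self.dst_zone == zone_of(pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dports is None or pkt.dport in self.dports)
                and (self.src is None or ip_address(self.src) == ip_address(pkt.src))
                and (self.dst is None or ip_address(self.dst) == ip_address(pkt.dst)))


# The rule set from the thread. Order matters: first match wins.
POLICY = [
    # just http(s) from the Internet to the WWW server
    Rule("inet-to-www-http", "internet", "dmz", "tcp", frozenset({80, 443}), dst=WWW),
    # http and other services originating inside, going out to the WWW server
    Rule("inside-to-www-any", "inside", "dmz", None, None, dst=WWW),
    # syslog from the WWW server to the firewall, so logs survive a wiped host
    Rule("www-syslog-to-fw", "dmz", "firewall", "udp", frozenset({514}), src=WWW, dst=FW_DMZ),
]


def evaluate(pkt: Packet):
    """Return (action, rule_name); anything unmatched hits the default deny."""
    for rule in POLICY:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def log_line(pkt: Packet) -> str:
    """The firewall's own record of the decision: where the packet came from
    and what protocol/port it tried, independent of the WWW server's logs."""
    action, rule = evaluate(pkt)
    return (f"fw: {action.upper()} [{rule}] {pkt.proto} "
            f"{pkt.src} -> {pkt.dst}:{pkt.dport} "
            f"({zone_of(pkt.src)}->{zone_of(pkt.dst)})")


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("198.51.100.7", WWW, "tcp", 80),        # outside visitor -> web: allow
    Packet("198.51.100.7", WWW, "tcp", 22),        # outside probe of ssh on www: deny
    Packet("10.0.0.42", WWW, "tcp", 22),           # admin inside -> www ssh: allow
    Packet(WWW, FW_DMZ, "udp", 514),               # www -> firewall syslog: allow
    Packet(WWW, "10.0.0.42", "tcp", 445),          # compromised www -> inside: deny
    Packet(WWW, "203.0.113.9", "tcp", 6667),       # compromised www -> outbound: deny
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(log_line(p))
```

The two deny lines at the end are the point of the layout: even after the WWW server is owned, the firewall's log still shows the probe that preceded it and the pivot attempts that followed, and the trusted net is never reachable from the DMZ leg.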