Hi everybody,
I have a - not so simple - network to set up and I would like to get
comments and pros & cons from you on my security policy design.
The basic scheme is:
Internet --- Cisco Router --- PIX firewall --- DMZ --- Authentication
server --- Trusted networks.
- The Cisco will act as a screening router.
- The PIX firewall will do the real packet filtering and NAT/PAT.
- On the DMZ there will be a public WWW server.
- The authentication server will authenticate users based on RSA 1024 bit
keys, it is able to establish secure (encrypted) sessions and is able to do
basic packet filtering as well. The authentication server will protect
several trusted networks.
Having said that, the problem is: We'll have public and private web content,
the public content will be available to anyone on the Internet while the
private content should only be available to the trusted networks and to some
clients outside (our extranet). These clients should be authenticated - by
the authentication server - before they can access the private content.
NOTE: My private content is dynamic, i.e., it is built by running CGIs on an
application server placed in one of the trusted networks.
So the question is: How to correctly set up the web server?
The alternatives are:
(1) Set up two web servers, one for the public content on the DMZ (external)
and another for the restricted content in one of the trusted networks
(internal).
(2) To set up only ONE webserver on the DMZ for the public and private
content. The public content would be available on the default http port
while the private content would be on another, let's say 8080. Access to
this port would be protected by a rule on the authentication server that
would REQUIRE user authentication.
I am inclined to choose the first alternative but I want to hear from the
experts on this list. Does anybody have a different view/approach to solve the
problem? Comments will be very much appreciated.
Thanks in advance,
Fábio.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]