On Tue, 7 Mar 2000, Jens Pfeiffer wrote:
> My question:
> I know the basic structure of a DMZ, but I don't know if it is possible to
> put a www-server in a DMZ which isn't really in the DMZ.
Anything is possible, it's more a question of what the best place to put
something is in terms of both accessibility and security.
> My problem is, that I want the www-server to be accessible from an intranet
> and the internet. But I don't want to put this www-server in the DMZ because
> the DMZ/Firewalling/Intranet is managed by another enterprise. On the other
In general, it's best that Internet-accessible machines be outside the
network perimeter on the DMZ. While it's possible to physically house the
machine on another hardened segment and move traffic to it, it increases
the complexity of the setup, and therefore the likelihood of a mistake,
significantly. If the machine is on the internal network and it is
compromised, then you've lost the entire game. When the machine is
outside the network's main security perimeter, you need to worry about
active content (mostly the evil that is ActiveX) if you're housing a
server key, but that's a normal worry of Web life.
> hand, I don't want to maintain two servers sharing the same information.
This is always my favorite solution. It means that Internet-accessible
machines are dedicated to that exact purpose, more confidential
information can be left out of content mirroring, and you get automatic
redundancy should there be a hardware problem with the internal server.
Since the external server is normally just pushed information from the
internal one (other than form submissions, which must be taken in),
"management" of the external server is generally limited to ensuring it's
running and catching the content pushed to it and doing software upgrades,
not a very heavy burden for increasing the security and redundancy of the
information IMO.
> How can I connect a www-server to the intranet and the internet without
> getting highly vulnerable? Is it possible to connect the www-server via a
> vpn or with a secure connection?
Web servers have traditionally been compromised in-band via the HTTP
protocol. Active server-side content generation has increased the
complexity of such software significantly. Given the two above solutions
which are both generally accepted as best security/functionality
compromises, I'd re-evaluate why neither is a good fit before going too
far down any other path.
VPNs secure _traffic in transit_; they don't secure hosts or networks. In
this case, you're not worried about the transit information being
protected as much as you're worried about ensuring that your intranet
isn't compromised by an external entity.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
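The "push content from the internal server to the external one" arrangement Paul recommends, as an added example that is not part of the original post or Paul's own tooling. It shows the two properties that matter for the DMZ host: the copy is initiated from the inside (the DMZ box gets no credential and no firewall rule that reaches back into the intranet), and confidential paths are filtered out before anything leaves. The directory names, the exclude list and the sample files are all constructed for the example; both trees are local so the script runs stand-alone, and the ssh forced-command line in the comments is an assumption about how you would restrict the real DMZ-side key, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): one-way content push from an
# internal master copy to a DMZ web server, with a confidentiality filter and
# a post-push verification step. Paths and the exclude list are hypothetical.
#
# The internal host initiates the transfer; the DMZ host never initiates
# anything inward. Over the wire you would use rsync -a --delete over ssh to
# the DMZ box, with the DMZ side's authorized_keys pinned to that one job
# (assumed layout, not from the post):
#   command="rsync --server -logDtpre.iLsfx --delete . /var/www",no-pty,no-port-forwarding ssh-rsa AAAA...
# Filenames containing newlines are not supported by this plain-sh version.
set -u

# is_excluded REL EXCLUDES: true if REL matches any glob in EXCLUDES
# (one pattern per line, relative to the master root; '#' starts a comment).
is_excluded() {
    x_rel=$1; x_excl=$2
    [ -f "$x_excl" ] || return 1
    while IFS= read -r pat; do
        case $pat in ''|'#'*) continue ;; esac
        case $x_rel in $pat) return 0 ;; esac   # unquoted on purpose: glob match
    done < "$x_excl"
    return 1
}

# push_content SRC DST EXCLUDES: mirror SRC into DST, skipping excluded paths,
# then delete anything in DST that is absent from SRC or newly excluded, so
# retired or mistakenly published pages do not linger on the outside.
push_content() {
    src=$1; dst=$2; excl=$3
    mkdir -p "$dst" || return 1
    list=$(mktemp) || return 1
    ( cd "$src" && find . -type f ) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        is_excluded "$rel" "$excl" && continue
        mkdir -p "$dst/$(dirname "$rel")" || { rm -f "$list"; return 1; }
        cp -p "$src/$rel" "$dst/$rel"    || { rm -f "$list"; return 1; }
    done < "$list"
    ( cd "$dst" && find . -type f ) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$src/$rel" ] || is_excluded "$rel" "$excl"; then
            rm -f "$dst/$rel"
        fi
    done < "$list"
    rm -f "$list"
}

# verify_mirror SRC DST EXCLUDES: succeed only if every non-excluded master
# file is on DST with identical content, no excluded file leaked, and DST
# carries nothing the master does not have (drift = possible tampering).
verify_mirror() {
    src=$1; dst=$2; excl=$3
    list=$(mktemp) || return 1
    ( cd "$src" && find . -type f ) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        if is_excluded "$rel" "$excl"; then
            [ -e "$dst/$rel" ] && { rm -f "$list"; return 1; }   # leak
            continue
        fi
        a=$(cksum < "$src/$rel")
        b=$(cksum < "$dst/$rel" 2>/dev/null) || { rm -f "$list"; return 1; }
        [ "$a" = "$b" ] || { rm -f "$list"; return 1; }
    done < "$list"
    ( cd "$dst" && find . -type f ) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$src/$rel" ] || { rm -f "$list"; return 1; }      # extra file
    done < "$list"
    rm -f "$list"
}

# demo: build a constructed master tree and a stale DMZ tree, push, verify.
# Sets WORK to the scratch directory so callers can inspect the result.
demo() {
    WORK=$(mktemp -d) || return 1
    trap 'rm -rf "$WORK"' EXIT
    master=$WORK/master; dmz=$WORK/dmz
    mkdir -p "$master/docs" "$master/private" "$dmz/old"
    echo '<h1>Welcome</h1>'        > "$master/index.html"        # public
    echo 'public datasheet'        > "$master/docs/sheet.html"   # public
    echo 'customer list, internal' > "$master/private/customers.db"  # must not leave
    echo 'PRIVATE KEY MATERIAL'    > "$master/server.key"        # must not leave
    echo 'retired page'            > "$dmz/old/retired.html"     # stale on DMZ
    printf '%s\n' '# never mirror these' 'private/*' '*.key' > "$WORK/mirror.exclude"
    push_content  "$master" "$dmz" "$WORK/mirror.exclude" || return 1
    verify_mirror "$master" "$dmz" "$WORK/mirror.exclude"
}

if demo; then
    echo "push verified: $WORK/dmz mirrors $WORK/master minus excluded paths"
else
    echo "push or verification failed" >&2
fi
```

Run it from the internal host on a schedule (cron, or a post-commit hook on whatever produces the content); the only inbound flow the DMZ host needs is HTTP from the Internet, and if form submissions have to come back in, give them their own narrowly filtered path rather than widening this one. Running verify_mirror again from the inside between pushes is a cheap drift check: a file that changed or appeared on the DMZ host without a push is worth a look.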