At 00:33 20/05/00 -0800, MI DC wrote:
>The first step is to decide if you want to
>generally allow HTTP on any port.  If yes, and if
>you use a proxy server that can be safely placed
>in front of the firewall, move the proxy server
>to the outside

This is generally a very bad idea (host outside the firewall)

a) firewall logs no longer show traffic Internet <-> outsidebox - so cannot
use the logs to check on normal/abnormal traffic to the box
b) outside box is unprotected by firewall
c) if breached outside is in a great place to sniff all traffic in<-> -
emails etc etc (unless you are ethernet switch the outside box)

All too often we've tested corporates with boxes outside firewalls, that
have been a problem waiting to happen.

Deri Jones
NTA Monitor
Europe's Leading Internet Security Testers
[EMAIL PROTECTED]
