Kelly Slavens wrote:
> 
> I have a situation where I have a server which will host web
> content from "internal" data to the external world. This server need only
> have web services accessible to the outside world beyond our network. Our
> current configuration is a Cisco hardware NAT/router packet filter directly
> connected to the Internet connection. Connected to that is our MS Proxy 2.0
> (being replaced with ISA Server soon)... One individual wishes to place this
> new web server directly behind the NAT alongside the Proxy, with a so-called
> "one way" push-only network connection to the internal network. This seems
> like a bad idea to me. My suggestion was: place the web server behind the
> Proxy and use reverse proxy to redirect all web traffic to only this single
> internal web server. This to me seems to be more secure than a second
> machine sitting in the DMZ with a connection to the internal network.

With the web server behind the Proxy, if the web server is compromised
(e.g. IIS Unicode vulnerability) then the entire internal network is open
to the attacker. The other configuration is better but it isn't the
only solution.

-paul