Greetings!
Paul Cardon schrieb:
> Kelly Slavens wrote:
> > current configuration is a Cisco Hardware Nat/Router Packet filter directly
> > connected to the Internet connection. Connected to that is our MSProx2.0
> > (Being replaced with ISA Server soon)... One individual wishes to place this
>
> With the web server behind the Proxy, if the web server is compromised
> (eg. IIS Unicode vulnerability) then the entire internal network is open
> to the attacker. The other configuration is better but it isn't the
> only solution.
On the other hand the MS Proxy is nothing but a standard MS-IIS with a proxy-ASP
plugin. So not much gained - except if the webserver (probably IIS too) does have
selfmade, non-audited ASPs.
Either way: if possible the webserver should be "locked away" into an area not
directly connected to the internal network. This usually is the DMZ.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
