David Lang writes:
> although if your firewall is paranoid enough there can be a limit to what
> can be done over this compromised connection.
>
> for example if you have a raptor firewall the messages back and forth must
> be valid http, it's extremely hard to type at a command prompt and have
> valid http in both directions be the result.
Not with an appropriately hacked netcat client/server... or even a
basic perl script, perhaps an httpd-daemon that is designed to catch
filter http for commands ;-)
> David Lang
>
> On Fri, 2 Feb 2001, Paul Cardon wrote:
>
> > Date: Fri, 02 Feb 2001 10:55:03 -0500
> > From: Paul Cardon <[EMAIL PROTECTED]>
> > To: Kelly Slavens <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Configuration Arguments... In House...
> >
> > Kelly Slavens wrote:
> > >
> > > I have a situation where I have a Server, which will host web
> > > content from "Internal" Data to the external world. This Server Needs only
> > > have web services accessible to the outside world beyond our network. Our
> > > current configuration is a Cisco Hardware Nat/Router Packet filter directly
> > > connected to the Internet connection. Connected to that is our MSProx2.0
> > > (Being replaced with ISA Server soon)... One individual wishes to place this
> > > new web server directly behind the NAT alongside the Prox, With a so called
> > > "one way" push only network connection to the internal network. This seems
> > > like a bad idea to me. My suggestion was Place the Web server behind the
> > > prox and use Reverse prox to redirect all web traffic to only this single
> > > internal Web server. This to me seems to be more secure than a second
> > > machine sitting in the DMZ with a connection to the internal network.
> >
> > With the web server behind the Proxy, if the web server is compromised
> > (eg. IIS Unicode vulnerability) then the entire internal network is open
> > to the attacker. The other configuration is better but it isn't the
> > only solution.
> >
> > -paul
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >