Hi Mike,

Having the HTTP server on the inside network is one of the things that makes most firewall guys really edgy. It's risky. The main problem is that if your WWW server gets r00ted, it can very easily be used as a jumping-off point to go on and attack the rest of the network. Given that MS-based web servers in particular are statistically the most likely to suffer complete compromise, it's an accident waiting to happen.
Having the WWW server _outside_ the firewall, with a link to an Oracle backend, is almost as bad. All it would take is for an attacker to control the webserver, then they could sit there watching (or maybe even manipulating) all your Oracle traffic. That's bad. By the way, in that scenario you don't need to give the Oracle box a public IP, just configure a static on the PIX and appropriate access lists.

The argument that "the firewall can stop all that stuff" is almost completely inaccurate. The _only_ attack on a WWW server that a PIX will stop is a Denial of Service. That is also probably the attack that you're least worried about. All the nasty stuff will come straight in on the HTTP port and the PIX will be none the wiser.

The Best Way To Do It would be to put the WWW server on a different ethernet interface on the PIX (known as a DMZ...sort of). There are still potential problems, and you should probably skim the archives, because we talked about some of them (particularly germane to the WWW / Oracle stuff) very recently.

If you only have a two-interface PIX and can't / won't change that, then I would put the WWW server _inside_, but configure the PIX to authenticate incoming HTTP traffic. Check Cisco's website for the details [1]. It would be preferable to do that against a RADIUS server, but even a password list in the PIX would be OK. That will mean that attackers would need to guess your password before they could start attacking your WWW server. Since you only need to make it available to a limited number of people this should be OK. Choose strong passwords.

HTH, HAND etc.
Cheers,

[1] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm#xtocid66 (link almost certainly wraps)

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Le Master
> Sent: Monday, May 06, 2002 5:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: Web Server Placement
>
> We are a small shop getting serious about installing our
> first web server. The server would be used by six clients
> totaling about 20 users to access an Oracle app on a server.
> We have a PIX 515 with all ports closed except for the
> internet and Citrix. The outside consultant recommends that
> the web server be placed inside the firewall. Their logic
> is... If the web server is outside the firewall, it is more
> vulnerable to attack as it can be flooded or otherwise brought
> down since it won't be protected by the firewall. Behind the
> firewall, the firewall software would recognize and stop that
> kind of activity. The firewall would also protect the rest of
> the network because all other IP addresses that are inside
> the firewall would be made invisible by the firewall.
> Outside the firewall, we could connect to the Oracle server
> but that would require the oracle server be given a public IP
> address so the web server could see it. I think that it
> should be outside the firewall.
>
> I welcome any suggestions and the reasoning behind the
> suggestions as to proper placement of the web server.
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password,
> etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
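An added configuration example, not part of either message in this thread, showing in PIX 6.x-style CLI the two placements Ben describes: (A) the web server on a third DMZ interface, with a static and an access list so it can reach only the Oracle listener port on the inside, and (B) the two-interface fallback with the web server inside and inbound HTTP authenticated against RADIUS. Every address, interface name, ACL name, port and the RADIUS shared secret is an assumed placeholder; the command forms follow the PIX 6.0-era documentation linked in [1], and the `aaa authentication include ... inbound` form in particular should be checked against the running software version, since later 6.x releases take an interface name instead of `inbound`/`outbound`.

```cisco
! --- Option A: three-interface PIX, web server on a DMZ interface ---
! Assumed interfaces and addressing (placeholders, not a real site)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Publish the DMZ web server (192.168.10.10) on a public address and
! allow only HTTP to it from the outside.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Let the web server reach the Oracle box (10.0.0.20) on the listener
! port only. The identity static makes the inside host reachable from
! the lower-security DMZ without translation; the trailing deny stops
! a compromised web server from reaching anything else inside.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.10.10 host 10.0.0.20 eq 1521
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! --- Option B (alternative to A): two-interface PIX, web server inside ---
! Publish the inside web server (10.0.0.10), allow HTTP only, and make
! the PIX authenticate every inbound HTTP session against RADIUS
! (10.0.0.5, assumed) before the web server ever sees the request.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5 SharedSecretHere timeout 5
aaa authentication include http inbound 0 0 0 0 RADIUS
```

In option A the security levels do the work: inside (100) can open connections to the DMZ (50) without extra configuration, but DMZ to inside needs both the static and an explicit permit, so the only path a compromised web server has back into the network is TCP/1521 to one host. In option B the PIX still passes the HTTP payload untouched once a user has authenticated, which is why this is the fallback rather than the preferred design.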
