I hate to sound like a know-nothing anti-Microsoft bigot, but... I'd say you're doomed.
IIS is always going to be a big weak spot for you, as is shipping the traffic straight from the webserver to the Oracle box holding the crown jewels. I could waffle on about hardening IIS, securing the permissions on the Oracle box, adding N-IDS, adding host-based IDS on the webserver, using an Oracle reverse proxy, blah blah blah, but it's all crap, really. If you must work with that equipment, and you're only publishing to a limited set of external partners, lock everything down so _only_ those partners can talk to your WWW server. Blocking that attack vector from the rest of the world will do more than all the rest of the stuff above put together. In other words, if you can't secure it, hide it. If you can't lock it down by IP ranges, then lock it down with passwords, or maybe a VPN. (NB - you wouldn't need any encryption with that VPN, just the traffic authentication. I assume you're doing TLS on the webserver.)

You'll have some worries about your Exchange box, too. Since you probably can't limit access to that, you'll need to take "precautions". I would somewhat recommend reverse proxying your mail. Put a simple SMTP relay (build a little OpenBSD box for $200 and look at things like qmail) in your DMZ and put the Exchange box inside. The brainy guys on the list may have other, more current recommendations for building a secure, non-setuid, task-purposed SMTP relay (anyone?)

Best of luck!

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: Mike Le Master [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 13, 2002 3:33 PM
> To: 'Brian Ford'; Ben Nagy; Mike Le Master
> Cc: [EMAIL PROTECTED]
> Subject: RE: Web Server Placement
>
> Thank you all for the comments, suggestions, and recommendations. We are seriously considering placing the web server inside in a separate subnet. PIX will route traffic between the two subnets, Subnet A containing the web server (ColdFusion, IIS) and the Exchange 5.0 server; Subnet B containing protected network (PDC, Oracle [both in the same box]), other file servers, SQL Server, and employee workstations. If we were to assume that this will be the final configuration what recommendations would you make in order to secure the Subnets A & B.
> [...]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
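As an added illustration (not part of Ben's or Mike's messages), here is a PIX 6.x access-list fragment expressing the lockdown Ben describes: only partner address ranges may reach the web server, the SMTP relay sits in the DMZ in front of Exchange, and the DMZ is allowed into Subnet B only on the two ports the application actually needs. Interface names, host addresses and the partner ranges are constructed placeholders (RFC 5737 documentation addresses), not values from the thread.

```cisco
! Constructed example: three-interface PIX 6.x, DMZ = Subnet A, inside = Subnet B.
! All addresses are placeholders; substitute your own.
nameif ethernet0 outside security0
nameif ethernet1 dmz security50
nameif ethernet2 inside security100

! Public addresses for the two DMZ hosts (one-to-one static NAT)
static (dmz,outside) 192.0.2.10 10.10.0.10 netmask 255.255.255.255
static (dmz,outside) 192.0.2.25 10.10.0.25 netmask 255.255.255.255

! Internet -> DMZ: partner ranges only for the web server (TLS),
! anyone for the SMTP relay. Everything else is dropped.
access-list outside_in permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.10 eq https
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq https
access-list outside_in permit tcp any host 192.0.2.25 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside

! DMZ -> inside: only the web server to the Oracle listener and the
! relay to Exchange. A compromised IIS box gets no path to SQL Server,
! the PDC, or workstations. Inside -> DMZ (higher to lower security)
! is permitted by default, so Exchange can still hand outbound mail to the relay.
access-list dmz_in permit tcp host 10.10.0.10 host 10.20.0.5 eq 1521
access-list dmz_in permit tcp host 10.10.0.25 host 10.20.0.6 eq smtp
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

If partner access cannot be expressed as address ranges, the outside_in entries for the web server are the place to substitute the VPN or authenticated-proxy approach Ben mentions; the dmz_in restrictions stay the same either way.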
