The problem is that the webserver (IIS is a good example of the problem) is still vulnerable to "strange" requests. A firewall which inspects the contents of the packets can be configured to block access to the web server based on web apps. That's really the only way to truly harden a web server as I see it.

However this doesn't always need to be a true firewall that does the work, it could be a specialized proxy that does the filtering. Then the point of presence is the proxy not the webserver, and you gain the benefit of caching at the proxy as well. But you're right, blocking access to ports is generally acceptable when you're not dealing with particularly sensitive data.

--mikej

-=-----
mike jackson
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 11:01 AM
To: Tomcat Users List
Subject: Re: Hardening Tomcat 3.2.4

Mike Jackson wrote:
> A firewall is probably the best way to harden tomcat. Or any web server
> for that matter, however for a good one you're going to probably end up
> paying a large sum of money. You could go on the cheaper side and only use
> a stateful port blocking firewall, but really to do it right you'll need
> a firewall that looks at data being sent to the server and then blocks
> on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data is not all that critical. Other than its basic functions, haven't really looked at iptables to see whether it can interface with any IDS...

das

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
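A minimal filtering proxy of the kind Mike describes, placed in front of Tomcat, as an added example (not code from the thread, from Tomcat, or from any product mentioned): it rejects requests that fail a simple policy (method, URI length, control characters, double-encoded path separators, header injection), logs the rejection, and forwards everything else unchanged. The upstream address 127.0.0.1:8080, the exposed path prefixes and the size limits are assumptions; caching, which Mike also mentions, is left out.

```python
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Policy for the proxy (constructed for this example, not taken from the thread).
UPSTREAM = ("127.0.0.1", 8080)                 # assumed Tomcat listener behind the proxy
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PREFIXES = ("/app/", "/static/")       # only these contexts are exposed
MAX_URI_LEN, MAX_HEADER_LEN = 2048, 4096
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "upgrade"}
def classify_request(method, raw_uri, headers):
    """Return (allowed, reason); only allowed requests are forwarded to Tomcat."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method"
    if len(raw_uri) > MAX_URI_LEN:
        return False, "uri-length"
    if any(not 0x20 <= ord(c) <= 0x7E for c in raw_uri):
        return False, "control-char"
    # Decode twice so double-encoded separators (%252e%252e) look as they would to the app server.
    path = unquote(unquote(raw_uri.split("?", 1)[0]))
    if ".." in path or "\\" in path or "\0" in path:
        return False, "bad-path"
    if not path.startswith(ALLOWED_PREFIXES):
        return False, "path"
    for value in headers.values():
        if len(value) > MAX_HEADER_LEN or "\r" in value or "\n" in value:
            return False, "header"
    return True, "ok"

class FilteringProxy(BaseHTTPRequestHandler):
    def _handle(self):
        # Apply the policy first; only clean requests ever reach the app server.
        allowed, reason = classify_request(self.command, self.path, dict(self.headers))
        if not allowed:
            self.log_message("blocked %s %s (%s)", self.command, self.path, reason)
            self.send_error(400, "Request rejected by proxy policy")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        conn = http.client.HTTPConnection(*UPSTREAM, timeout=10)
        conn.request(self.command, self.path, body=body or None, headers=fwd)
        resp = conn.getresponse()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(resp.read())
    do_GET = do_HEAD = do_POST = _handle

if __name__ == "__main__": HTTPServer(("0.0.0.0", 8000), FilteringProxy).serve_forever()
```

Methods without a handler (TRACE, OPTIONS and so on) are answered with 501 by the base class before the policy runs, so they never reach Tomcat either.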
