From firewalls-gc Sat Jan 11 11:57:44 1997 From: Adam Shostack Date: Sat, 11 Jan 1997 11:57:44 +0000 To: firewalls-gc Subject: Re: Newbie Q's & Class 3 Firewalls? X-MARC-Message: https://marc.info/?l=firewalls-gc&m=87619433410253 John Cross wrote: | Couple of questions: | 1. I've had a couple of those sales types banter around the term 'Class 3' | firewall, what are they talking about? I think Class 1 is just packet | filtering, Class 2 is proxy service, but don't quite understand Class 3. Class 3 is whatever the sales guy was selling. May be smart packet filters, or transparent application proxies. | 3. Does the webserver belong in the DMZ? I've noticed in a lot of the | reading that the webserver is usually stuck outside the firewall, why is | this? Is the sacrificial lamb or does it just pose too many problems | bringing it on the inside? Any tips for securing it if its stuck out in the | DMZ? Most importantly, can the Webserver run on the same box as the | firewall or is this a bad idea? Web servers should usually be outside your network because they tend to be very vulnerable to misconfiguration, buffer overflows, and other mistakes. To secure your web server, run only the code & features you need, run them as unprivledged users, run chrooted, run on a bastion host. Also, review your cgis for problems. Common cgi problems mostly fall under the 'foolishly acting on user input,' category--allowing a user to stuff a buffer so the stack is corrupted; taking user input and passing it to system() or exec(); or otherwise accepting what the evil user wants you to do. If you consider it likely that your web server will be broken into, do you think its a good idea to expose your firewall to that risk? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume