
List:       firewalls-gc
Subject:    Re: Newbie Q's & Class 3 Firewalls?
From:       Adam Shostack <adam () homeport ! org>
Date:       1997-01-11 11:57:44

John Cross wrote:

| Couple of questions:
| 1.  I've had a couple of those sales types banter around the term 'Class 3'
| firewall, what are they talking about?  I think Class 1 is just packet
| filtering, Class 2 is proxy service, but don't quite understand Class 3.

Class 3 is whatever the sales guy was selling.  May be smart packet
filters, or transparent application proxies.

| 3.  Does the webserver belong in the DMZ?  I've noticed in a lot of the
| reading that the webserver is usually stuck outside the firewall, why is
| this?  Is it the sacrificial lamb or does it just pose too many problems
| bringing it on the inside?  Any tips for securing it if it's stuck out in the
| DMZ?  Most importantly, can the Webserver run on the same box as the
| firewall or is this a bad idea?

	Web servers should usually be outside your network because
they tend to be very vulnerable to misconfiguration, buffer overflows,
and other mistakes.

	To secure your web server, run only the code & features you
need, run them as unprivileged users, run chrooted, run on a bastion
host.  Also, review your cgis for problems.  Common cgi problems
mostly fall under the 'foolishly acting on user input'
category--allowing a user to stuff a buffer so the stack is corrupted;
taking user input and passing it to system() or exec(); or otherwise
accepting what the evil user wants you to do.

	If you consider it likely that your web server will be broken
into, do you think it's a good idea to expose your firewall to that
risk?

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
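The two CGI mistakes Adam lists (stuffing a fixed buffer, and handing user input to system() or exec()) and the pattern that avoids them, as an added example that is not part of the original post. The "user" parameter name, the 32-character limit and the lookup program path are assumptions.

```c
/* Added example, not from the original post: a CGI handler that avoids the
 * two input mistakes named above. "user", USER_MAX and the program path are assumed. */
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#define USER_MAX 32   /* assumed maximum length of the "user" value */

/* Allow-list, not block-list: only [A-Za-z0-9_] pass, so shell metacharacters
 * (; | ` $ &), slashes and %-encodings are rejected outright. */
int valid_username(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > USER_MAX) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Extract "user=<value>" from a QUERY_STRING such as "a=1&user=bob" into buf.
 * Returns 0 on success, -1 if the parameter is absent, oversized or invalid. */
int parse_user_param(const char *query, char *buf, size_t buflen) {
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= 5 && strncmp(p, "user=", 5) == 0) {
            size_t vlen = len - 5;
            /* Length check before copying into the fixed array: the buffer-stuffing fix. */
            if (vlen >= buflen) return -1;
            memcpy(buf, p + 5, vlen);
            buf[vlen] = '\0';
            return valid_username(buf) ? 0 : -1;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* Fix for "passing user input to system()": the validated value is handed to
 * execv() as one argv element, so no shell ever parses it. */
int main(void) {
    char user[USER_MAX + 1];
    const char *q = getenv("QUERY_STRING");
    if (!q || parse_user_param(q, user, sizeof user) != 0)
        return 1;   /* reject; a real CGI would emit an error page here */
    char *const argv[] = { "lookup", user, NULL };
    execv("/usr/local/bin/lookup", argv);   /* assumed path */
    return 1;
}
```

Running it unprivileged and chrooted, as the post recommends, is a deployment matter handled outside the program; the code above only closes the two input-handling holes.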
