[293] in WWW Security List Archive
Re: CGI Scripts an security
daemon@ATHENA.MIT.EDU (Bernhard.Schneck@physik.tu-muenche)
Sat Jan 14 01:39:52 1995
To: woycke@mitre.org (Daniel W. Woycke)
Cc: firewalls@GreatCircle.COM, www-security@ns1.rutgers.edu
In-Reply-To: Your message of "Wed, 28 Dec 94 07:51:57 EST."
<v01510102ab270e9d4e76@[128.29.140.151]>
Date: Wed, 28 Dec 94 14:36:28 +0100
From: Bernhard.Schneck@physik.tu-muenchen.de
Reply-To: www-security@ns2.rutgers.edu
In message <v01510102ab270e9d4e76@[128.29.140.151]> you write:
> But, I agree that get is bad for non-trivial scripts, but the basic
> philosophy behind firewalls is to have one point to concentrate your
> security resources. If I require the user community to write "trusted" cgi
> scripts then I am relying on this community, not something I have control
> over (the firewall).
I usually recommend to have as few things as possible tunnel through
a firewall from the outside.
Can't you put your web server in the DMZ area?
I've set up several sites with this geometry:
- the external accessible net has the WAN router, the Firewall System,
and the external WEB server.
- The internal net has the internal WEB server.
All internal clients proxy to the internal WWW server, which does caching
and proxies to the firewall. It also has all internal documents.
On the Firewall System, a TIS plug-gw (or build-alike) connects all
internal http requests through to the external WWW server (but NOT vice
versa)
On the external WWW server, only external accessible documents (or CGIs)
are provided.
With this setup, there is (almost) zero risk to get access to internal
documents from the outside (do *you* trust access lists in multi-megabyte
software??) and little risk for attacks on the firewall system, even if
the WWW server system gets compromised (if you build your DMZ net
carefully)
\Bernhard.
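
Added example, not part of the original message and not TIS code: a minimal Python work-alike of the one-way plug gateway the message describes, which relays connections from the internal net to one fixed external web server and drops everything else. The network range, server address and all function names are assumptions made for illustration.

```python
import ipaddress
import socket
import threading
from contextlib import suppress

# Assumed values for illustration; none of them come from the original message.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical internal network
EXTERNAL_WWW = ("192.0.2.80", 80)                   # hypothetical external WWW server

def is_internal(addr, net=INTERNAL_NET):
    """True only if the client address parses and lies inside the internal network."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False

def pump(src, dst):
    """Copy bytes one way until src closes or errors, then half-close dst."""
    with suppress(OSError):
        while (data := src.recv(4096)):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client, peer_ip, target, net):
    """Relay one connection to the fixed target; drop it if the peer is not internal."""
    with client:
        if not is_internal(peer_ip, net):
            return  # connections from outside the internal net are never relayed
        try:
            # The 10 s timeout also bounds how long an idle upstream is kept open.
            upstream = socket.create_connection(target, timeout=10)
        except OSError:
            return
        with upstream:
            reply = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            reply.start()
            pump(client, upstream)
            reply.join()

def serve(listen_sock, target=EXTERNAL_WWW, net=INTERNAL_NET):
    """Accept loop. The destination is fixed here, so a client cannot choose where the plug leads."""
    while True:
        try:
            client, (peer_ip, _port) = listen_sock.accept()
        except OSError:
            return  # listening socket was closed
        threading.Thread(target=handle, args=(client, peer_ip, target, net),
                         daemon=True).start()
```

To run it, pass `serve` a listening IPv4 socket bound to the firewall's internal interface; nothing listens on the external side, which is what keeps the path one-directional.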