[3256] in WWW Security List Archive

Re: www web security !

daemon@ATHENA.MIT.EDU (Pierre-Yves Bonnetain)
Wed Oct 16 09:36:17 1996

Date: Wed, 16 Oct 1996 10:33:21 +0100
From: Pierre-Yves Bonnetain <pyb@cadrus.fr>
To: joang@lix.intercom.es
CC: BZH01572@niftyserve.or.jp, www-security@ns2.rutgers.edu
In-reply-to: <32639FDE.2B51@lix.intercom.es> (joang@lix.intercom.es)
Errors-To: owner-www-security@ns2.rutgers.edu

> 
> T.Kodera wrote:
> >
> >         Now, I'm worried about www security.
> >         Of course, the www server is outside of the firewall.
> 
> 	What do you think about putting your www server inside the fw?
> 
   IMHO, this would not be a clever solution. The public W3 server belongs
at the very least to the DMZ, never to the inside of the firewall.
   If you want to protect your server, chroot it, use tools such as
tripwire (to detect alterations), check (twice or thrice at the very least)
your cgi scripts and server configurations, etc.
   Make your W3 server machine as close to a sacrificial lamb as you can; it
will expose less of itself and so should be less vulnerable to attack.
   Sincerely,
-- 
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
     Consultant Internet/Securite
     B & A Consultants - PROXIMA - Rue des Pyrénées
     31330 Grenade-Sur-Garonne
     Tel : 05.62.79.32.61 - Fax : 05.61.82.42.21
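
A minimal sketch of the Tripwire-style alteration check recommended in the message above, added here as an illustration; it is not part of the original post and is not Tripwire's own code. The function names and the sample web root (`cgi-bin/form.cgi`, `htdocs/index.html`) are constructed for the example.

```python
import hashlib
import os
import pathlib
import stat
import tempfile

def snapshot(root):
    """Map each path under root to (sha256 hex digest, permission bits)."""
    snap = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            data = os.readlink(path).encode()  # hash the link target, not what it points to
        elif stat.S_ISREG(st.st_mode):
            data = path.read_bytes()
        else:
            continue  # real directories, devices, sockets are not recorded
        rel = path.relative_to(root).as_posix()
        snap[rel] = (hashlib.sha256(data).hexdigest(), stat.S_IMODE(st.st_mode))
    return snap

def compare(baseline, current):
    """Return (finding, path) tuples, ordered by path, for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append(("added" if old is None else "removed", path))
            continue
        if old[0] != new[0]:
            findings.append(("content-changed", path))
        if old[1] != new[1]:
            findings.append(("mode-changed", path))
    return findings

def demo():
    """Constructed web root: take a baseline, alter the tree, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        for rel, body, mode in (("cgi-bin/form.cgi", b"#!/bin/sh\necho ok\n", 0o755),
                                ("htdocs/index.html", b"<h1>hello</h1>\n", 0o644)):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
            (root / rel).chmod(mode)
        baseline = snapshot(root)
        (root / "htdocs/index.html").write_bytes(b"<h1>altered</h1>\n")  # page edited
        (root / "cgi-bin/form.cgi").chmod(0o777)                         # script made world-writable
        (root / "cgi-bin/new.cgi").write_bytes(b"#!/bin/sh\n")           # unexpected new script
        return compare(baseline, snapshot(root))
```

For the comparison to mean anything, the baseline has to be kept somewhere the web server cannot write, such as read-only media or another host.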
