[3406] in WWW Security List Archive


RE: Where to locate external webserver ?

daemon@ATHENA.MIT.EDU (Mirick, James R.)
Tue Oct 29 20:14:34 1996

Date: Tue, 29 Oct 96 17:18 EST
From: "Mirick, James R." <FBS/DEV01/JRMIRICK%First_Bank_System@mcimail.com>
To: www security <www-security@ns2.rutgers.edu>,
        "VERBRUGGEN MARC GZ3 03450.33.49" <bruggema@btmaa.bel.alcatel.be>
Errors-To: owner-www-security@ns2.rutgers.edu

Please reply to the following MCI Mail address: 692-1709


1.  This depends on what server software you have  (operating system as well
as web server) and there are some things you can do but they are not
completely foolproof.

2.  What is an "acceptable" solution depends on the volume and frequency of
the updates.  A relatively insecure way is to FTP it in.  If the frequency
is low you can just "walk it in" by disk or whatever, so there is no
physical connection and the server in effect never expects to get a "write"
update from the Internet.  (This is what we do).  The method should be
secure but not so cumbersome that operating people are tempted to bypass it.

3.  Most firewalls can somehow be configured to allow a one-way transfer but
block any activity going the other way, so if the firewall is reasonably
sophisticated it should not be a barrier in itself.

In all these, it is good to have a way to assess the integrity of the files
on the site, for instance by programmatically looking at the time/date
stamps, or computing a digest on the files, and comparing the result to what
should be there.  You could do this as often as you feel necessary to at
least find out if somebody hit your site.  It doesn't stop the intrusion,
but it tells you that it happened.

I am sure the real gurus have a more complete answer but perhaps this is
helpful.

Jim Mirick
Manager, FBS Interactive
First Bank System          Minneapolis
 ----------
From: VERBRUGGEN MARC GZ3 03450.33.49
To: www security
Cc: James R. Mirick
Subject: Where to locate external webserver ?
Date: Tuesday, October 29, 1996 3:27PM

MCI Mail date/time: Tue Oct 29, 1996  3:02 pm  CST
  Source date/time: Tue, 29 Oct 1996 09:29:27 +0100 (MET)
 -------------------

Here are a few questions :

1) I assume that a webserver with public company information is best located
on the outside of the firewall. Are there any extra precautions to be taken
to avoid that "others" can write to the webserver environment ?
2) Suppose that I want to update the information from data in a database on
a machine that is on the inside of the firewall : how do I fix that in a safe
way ? A CGI based solution, using some kind of database connect will probably
not work because the firewall will not allow it.

             o           _o
          _/[;_    - - _ \<;_
 ---------(_)>(_)------(_)/ (_)------------------------------------------
Marc Verbruggen-GZ3             voice : 32 3 4503349
Alcatel Bell Telephone          fax :   32 3 4503595
de Villermontstraat 38          email : bruggema@god.bel.alcatel.be
B-2550 Kontich                  pmail : see left column
Belgium

 -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQBNAzJjUrUAAAECAKAFO8xIODggDUQY/VALMARJjhf89J+qFHV/fOKivVtRRJjC
yv+UN2f9aXrZQlOynFSCYPFWUJ8O1YZr2LWGO9kABRG0KFZlcmJydWdnZW4gPGJy
dWdnZW1hQGdvZC5iZWwuYWxjYXRlbC5iZT6JAFUDBRAyY1K11YZr2LWGO9kBATBv
Af9iqymdU6NmWE23xyaWbsi33vB0mNPQdgHYhZo4qVuqMKCM9Sm6Yc+/Ewxm9fIe
4El7AaeIrVexBnNP8itLebqx
=kCTs
 -----END PGP PUBLIC KEY BLOCK-----
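The integrity check Jim Mirick describes above (digests and time/date stamps of the files on the site, compared against what should be there) is straightforward to script. The following is an added example, not code from either correspondent: it builds a baseline of SHA-256 digests, sizes and mtimes for a web root, then compares a later scan against it and reports added, removed and modified files, plus files whose timestamp changed while the content did not. The baseline should be generated from the trusted inside copy (or right after a known-good "walk it in" update) and kept off the external server, so an intruder who alters pages cannot also alter the reference. The scenario in `demo()` uses a temporary directory with constructed files.

```python
"""File-integrity check of a web root: baseline of digests and mtimes,
then a comparison that reports what changed.  Added example; not part of
the original mailing-list post."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to digest, size and mtime.
    Symlinks are skipped so a link planted in the tree cannot make the
    scanner hash something outside the web root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON; store it somewhere the web server
    cannot write to (ideally on the inside machine)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report differences.  A digest mismatch is the strong signal; a
    timestamp-only change is weaker (an attacker can reset mtimes, and a
    re-upload of identical content also triggers it) but still worth a look."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        "timestamp_only": sorted(p for p in both
                                 if baseline[p]["sha256"] == current[p]["sha256"]
                                 and baseline[p]["mtime"] != current[p]["mtime"]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the kinds of
    change a later scan might find, and return the comparison report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "img").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "old.html").write_text("obsolete page")
        (root / "img" / "logo.txt").write_text("logo placeholder")

        store = root.parent / "baseline.json"   # would live off-server in practice
        save_baseline(build_baseline(root), store)

        # Simulated changes since the baseline was taken
        (root / "index.html").write_text("<h1>Changed</h1>")      # content edited
        (root / "old.html").unlink()                              # file removed
        (root / "new.html").write_text("unexpected file")         # file added
        logo = root / "img" / "logo.txt"
        t = int(logo.stat().st_mtime) + 3600
        os.utime(logo, (t, t))                                    # touched only

        report = compare(load_baseline(store), build_baseline(root))
        store.unlink()
        return report


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:15s} {files}")
```

Run it periodically (cron, or by hand after each update) and treat any non-empty "modified", "added" or "removed" list as a reason to investigate; as the mail says, this does not stop an intrusion, but it tells you that one happened.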
