[3407] in WWW Security List Archive
Re: Where to locate external webserver ?
daemon@ATHENA.MIT.EDU (Nicolas J. Hammond)
Wed Oct 30 00:03:34 1996
From: "Nicolas J. Hammond" <njhm@ns.njh.com>
In-Reply-To: <5127290929101996/A49005/BTMV98/11AAEA5D1A00*@MHS> from "VERBRUGGEN MARC GZ3 03/450.33.49" at "Oct 29, 96 09:29:27 am"
To: bruggema@btmaa.bel.alcatel.be (VERBRUGGEN MARC GZ3 03/450.33.49)
Date: Tue, 29 Oct 1996 20:49:15 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
VERBRUGGEN MARC GZ3 03/450.33.49 wrote ...
> Here are a few questions :
>
> 1) I assume that a webserver with public company information is best located
> on the outside of the firewall.
Correct.
> Are there any extra precautions to be taken to
> avoid that "others" can write to the webserver environment ?
Yes. Close all known security holes. Only allow http traffic on the machine
(only network server running should be your web server).
Configure your filtering router (if you have one) to only allow http
traffic to that machine.
> 2) Suppose that I want to update the information from data in a database on a
> machine that is on the inside of the firewall : how do I fix that in a safe way
> ? A CGI based solution, using some kind of database connect will probably not
> work because the firewall will not allow it.
Put a second network card in your web server.
Turn off ip_forwarding.
Make sure your web server machine is nailed down security wise (no holes,
see above).
Make sure your CGI programs are "safe" (no holes).
Make sure your web server is configured correctly.
Run CGI programs that connect to your database.
Monitor all logs.
Make sure the web server remains in a secured state.
--
Nicolas Hammond NJH Security Consulting, Inc.
njhm@njh.com 211 East Wesley Road
404 262 1633 Atlanta
404 812 1984 (Fax) GA 30305-3774
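
Added example, not part of the original message or the poster's own code: a small audit script for two of the checks listed above (IP forwarding turned off on the dual-homed web server, and the web server as the only listening network service). It assumes a Linux host, the forwarding flag at /proc/sys/net/ipv4/ip_forward, listener output in `ss -ltn` format, and a web server on TCP port 80; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: a Linux host, the
# forwarding flag at /proc/sys/net/ipv4/ip_forward, listeners in `ss -ltn`
# format, and the web server on TCP port 80.
ALLOWED_PORTS="${ALLOWED_PORTS:-80}"

# forwarding_off FILE: succeeds only when the flag file contains 0.
forwarding_off() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

# unexpected_listeners: reads `ss -ltn` output on stdin and prints every
# listening local address whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # keep what follows the last colon
            if (!(port in ok)) print $4
        }'
}

# audit FILE < ss-output: exit status 0 only when both checks pass.
audit() {
    status=0
    forwarding_off "$1" || { echo "FAIL: IP forwarding is not off ($1)"; status=1; }
    extra=$(unexpected_listeners)
    [ -z "$extra" ] || { echo "FAIL: listeners other than the web server:"; echo "$extra"; status=1; }
    return "$status"
}

# Constructed sample input (not captured from a real host).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    10.0.0.5:5432      0.0.0.0:*'
printf '%s\n' "$SAMPLE" | unexpected_listeners   # prints the :22 and :5432 lines

# On the host itself: ss -ltn | audit /proc/sys/net/ipv4/ip_forward
```

Run from cron, a non-zero exit status from `audit` gives a simple alert that the machine has drifted from the secured state.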