[3440] in WWW Security List Archive


Re: Where to locate external webserver ?

daemon@ATHENA.MIT.EDU (Kevin Steves)
Sun Nov 3 14:35:06 1996

Date: Sun, 3 Nov 1996 09:16:38 -0800 (PST)
From: Kevin Steves <stevesk@nsr.hp.com>
To: "Nicolas J. Hammond" <njhm@ns.njh.com>
Cc: "VERBRUGGEN MARC GZ3 03/450.33.49" <bruggema@btmaa.bel.alcatel.be>,
        www-security@ns2.rutgers.edu
In-Reply-To: <199610300149.UAA08336@ns.njh.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Tue, 29 Oct 1996, Nicolas J. Hammond wrote:
> > 2) Suppose that I want to update the information from data in a database on a
> > machine that is on the inside of the firewall: how do I fix that in a safe way?
> > A CGI-based solution, using some kind of database connect will probably not
> > work because the firewall will not allow it.
> 
> Put a second network card in your web server. 
> Turn off ip_forwarding.
> Make sure your web server machine is nailed down security-wise (no holes,
> see above).
> Make sure your CGI programs are "safe" (no holes).
> Make sure your web server is configured correctly.
> Run CGI programs that connect to your database.
> Monitor all logs.
> Make sure the web server remains in a secured state.

In this type of system (which is a type of hybrid firewall), I would add
an interior DMZ and packet screen (preferably with logging and alerting
capabilities) that exposes only those hosts and ports that are required by
your CGI program/database network protocol.  This adds a level of defense
if any of the "make sure" components fail. 
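
The interior packet screen described in the reply above, as an added example that is not part of the original message: a default-deny allow-list evaluated over constructed connection attempts, where a drop sourced from the web server is raised as a high-severity alert. The addresses, the port and the names `Rule`, `ALLOW`, `screen` and `SAMPLE` are assumptions; the thread names none.

```python
import ipaddress
from dataclasses import dataclass

# Assumed, constructed values (the thread gives no addresses or ports).
WEB_SERVER = ipaddress.ip_address("192.0.2.10")  # web server's inside-facing interface
DB_PORT = 5000                                   # placeholder database listener port

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int

# Allow-list: only the single flow the CGI program needs to reach the database.
ALLOW = [Rule(ipaddress.ip_network("192.0.2.10/32"),
              ipaddress.ip_network("10.0.5.20/32"), "tcp", DB_PORT)]

def screen(attempts, allow=ALLOW):
    """Evaluate new connection attempts (src, dst, proto, dport) crossing the
    screen toward the interior. Returns (verdicts, alerts). Default is drop."""
    verdicts, alerts = [], []
    for src, dst, proto, dport in attempts:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ok = any(s in r.src and d in r.dst and proto == r.proto and dport == r.dport
                 for r in allow)
        verdicts.append("accept" if ok else "drop")
        if not ok:
            # The web server should only ever open the allowed flow, so a drop
            # sourced from it suggests one of the "make sure" items has failed.
            severity = "high" if s == WEB_SERVER else "info"
            alerts.append((severity, src, dst, proto, dport))
    return verdicts, alerts

# Constructed sample attempts, not captured traffic.
SAMPLE = [
    ("192.0.2.10", "10.0.5.20", "tcp", DB_PORT),    # the CGI-to-database flow
    ("192.0.2.10", "10.0.5.20", "tcp", 23),         # same hosts, port not required
    ("192.0.2.10", "10.0.5.31", "tcp", DB_PORT),    # interior host not required
    ("198.51.100.7", "10.0.5.20", "tcp", DB_PORT),  # source other than the web server
]

if __name__ == "__main__":
    verdicts, alerts = screen(SAMPLE)
    for attempt, verdict in zip(SAMPLE, verdicts):
        print(verdict, attempt)
    for alert in alerts:
        print("ALERT", alert)
```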
