At 10:58 AM 10/30/96 -0600, you wrote:
>I have 2 vendors who will remain unnamed, who have drawn out 2 very
>different firewall setups. Does anyone have a bias or comment?
>setup 1   Internet - router - mail server          - packet
>                            - web server           - filtering - internal
>                            - interactive database - firewall
>
>                          _______Internal Company
>  Internet - Application - - |   mail server
>             firewall        |   interactive data base
>                                 web server
>Both external clients and internal employees need to access the interactive
>On setup 2, I was advised that rules can be used to restrict who and what
>Basically create a road map through the F/W.
>On setup 1, I was advised to use only the router to send people to either
>the mail or web server. Also I was told that this could leave my database
>open to compromise (the thought did cross my mind.)
>The last problem, is the d/b will need to update btrieve files from a
>different server on-line.

Of the two solutions, solution # 2 is the best. (If a vendor proposed
solution # 1, I would recommend you drop the vendor. Their solution
leaves a lot to be desired.) Putting the Web & Mail Servers outside
of the firewall puts the servers at a very high risk (even more so,
since the hackers who are monitoring this list will have already noted
your web address and made a mental note to visit your site(s) in the near
future to see how well you did on implementing a secure solution). 8^(
Further, if you need to have external clients & internal employees to
have access to an interactive database, you have a non-trivial situation
which needs to be examined very carefully. Securing this type of
environment is not trivial and should be left to experts to help minimize
the risks of having an unauthorized person access your internal systems
and data (including the database). Feel free to give me a call at the
number below so that we can discuss this off-line.
>Thanks for listening!
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist