Great Circle Associates Firewalls
(October 1996)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: firewall configs
From: Frank Willoughby <frankw @ in . net>
Date: Wed, 30 Oct 96 19:46:28 -0500
To: kfrisco @ shrike . depaul . edu
Cc: firewalls @ GreatCircle . com

At 10:58 AM 10/30/96 -0600, you wrote:

>I have 2 vendors who will remain unnamed, who have drawn out 2 very
>different firewall setups.  Does anyone have a bias or comment?
>setup 1    Internet - router - mail server      -       packet
>                             - web server       -       filtering - internal
>                             - interactive database -   firewall
>setup 2
>                                        _______Internal Company
>                                       |
>                                       |
>        Internet - Application -    -  | mail server
>                   firewall            |interactive data base
>                      |
>                     web server     
>Both external clients and internal employees need to access the interactive
>On setup 2, I was advised that rules can be used to restrict who and what
>goes where.
>Basically create a road map throught the F/W.
>On setup 1, I was advised to use only the router to send people to either
>the mail or web server.  Also I was told that this could leave my database
>open to compromise (the thought did cross my mind.)
>The last problem, is the d/b will need to update btrieve files from a
>different server on--line.

Of the two solutions, solution # 2 is the best.  (If a vendor proposed 
solution # 1, I would recommend you drop the vendor.  Their solution 
leaves a lot to be desired.)  Putting the Web & Mail Servers outside
of the firewall puts the servers at a very high risk (even moreso, 
since the hackers who are monitoring this list will have already noted 
your web address and made a mental note to visit your site(s) in the near 
future to see how well you did on implementing a secure solution). 8^(

Further, if you need to have external clients & internal employees to 
have access to an interactive database, you have a non-trivial situation
which needs to be examined very carefully.  Securing this type of 
environment is not trivial and should be left to experts to help minimize
the risks of having an unauthorized person access your internal systems
and data (including the database).  Feel free to give me a call at the 
number below so that we can discuss this off-line.

>Thanks for listening!

Best Regards,

Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist

From: Davyd Norris <Davyd . Norris @ fcollins . com . au>
Next: Re: NCSA membership
From: Frank Willoughby <frankw @ in . net>
Indexed By Thread Previous: firewall configs
From: kfrisco @ shrike . depaul . edu
Next: Re: firewall configs
From: John Gateley <gateley @ jriver . jriver . com>

Search Internet Search