TCLUG Archive

RE: [TCLUG:17853] firewalls and Web servers



> 1. Stick with the current system, relying on built-in Linux security to
> repel attacks.
>
> 2. Put the Web server behind the Novell firewall.
>
> 3. Keep the Web server in the DMZ and install an OpenBSD firewall just for
> the Web server.
>
> Any thoughts or recommendations?
>


I think that any of these can be made to work, and each has its own advantages and
disadvantages.

Personally, we use something like option 1, because it minimized the amount of
dinking around we had to do on the firewall, and because we have an entire range
of valid class C's assigned to us.  Also, we figured that if somebody found and
used an Apache exploit against us, they'd be able to trash the webserver, but
wouldn't be able to use it as a platform to launch attacks deeper into our net.

If the Novell firewall can be configured to only allow traffic on ports 80 & 443
to the webserver, then that will certainly add an extra layer of security,
although you will be adding some load to the firewall then. I think if you must
have the server behind a firewall, option 3 may work out better for you.