Network Security Web-App-Sec

Re: What is more secure?

Subject: Re: What is more secure?
Date: Sun, 27 Feb 2005 14:55:22 -0800

hi ya tomas

On Thu, Feb 24, 2005 at 11:05:08AM +0200, Tomas wrote:

> I'd like to ask you, as guys who know a lot about security, this
> question: what is more secure when dealing with web servers and public ips.
> Is it more secure to give all of your public ips directly to a web server
> and filter traffic with firewall, or is it better to give all public ips to
> a firewall and only redirect http and https ports to internal web server?

which is more secure ... neither ... it depends on the rest of the
system and network config and how you use the servers

some people's firewall is uselessly insecure, since it allows all the
traffic from everywhere/anywhere into the servers it's trying to protect

if your firewall is say PIX or checkpoint, it'd probably be more secure
if it's properly configured ( less things it can do wrong, other than
you turning everything to be allowed )

if the firewall is linux or *bsd based, it'd probably be just as insecure
as your linux based webserver, though *bsd fw will be more secure than linux
using the same set of firewall rules

the problem is you will need to harden your webserver and linux-based firewall
and if your customers are ecommerce websites, you should hire professional
security folks with liability insurance to fix the problems per your budget
and specs 

if the website can go down for a day or two and no loss of personal data,
then it doesn't matter if it gets hacked, just need to learn why/how they got in

lots of issues .. there is no clear answer of which is more secure

a system is more secure if it is secure by itself and does NOT depend on
a firewall .. and you have data stored ( backed up ) at least 3 other places

a network is more secure if you assume that the hacker/cracker is inside
your network, in the firewall, and you protect your remaining servers
and protect your data, knowing the cracker is inside your network

how you make things secure, depends on how you allow data to be moved
from one machine to another

c ya
alvin
