
| Subject: | Re: What is more secure? |
|---|---|
| Date: | Mon, 28 Feb 2005 15:24:31 +0100 |
On Monday 28 February 2005 03:04, Tomas wrote:

> My web server is on Windows 2003 server box with IIS 6 (that’s my company's policy and I can't do anything about it), so it's hardened to the point Microsoft allows it to be :) and my firewall is OpenBSD box (I love this OS :) and of course it's hardened to the point my knowledge allows it to be :). The network is so small (only a few servers, because it's a DMZ network) and if I assume that the hacker is in it then I will assume that the hacker is in the web server itself and there will be no point in protecting it...
>
> So now I need to figure out what is more secure, to give all public IPs to the web server and filter traffic with bridging firewall or to give all public IPs to firewall itself and only forward certain ports to the web server with internal IPs. Blackhat wrote that it's more secure to give all public IPs to firewall and to forward ports to web's internal IPs (sorry blackhat if I understood you wrongly), but then the hacker will be making his attack on the firewall and if he succeeds he will gain all access to both networks: internal and DMZ. And if I'll give all public IPs to the web server and make bridging firewall then the hacker will be making his attack directly on the web server and if he succeeds he will gain access to web server only. Or am I wrong... I'm a little confused here...

if a firewall only forwards ports, it is really hard to get hacked through that port...

i would give all the ip's to the openbsd firewall.

why? i trust openbsd, and i don't trust M$. openbsd is a lot more solid when it comes to security.

so if you want my opinion: bsd box gets all the ips, 2way filtering of the traffic. and the M$ boxes behind it can do nothing! (except maybe some webserving ;))

just my 2 cents

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org

"OpenSSH: Because you can't spell 'asshole' without 'ssh'"
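
The layout recommended in the reply above (the OpenBSD box holds the public IPs, forwards only the web ports, and filters in both directions), written as a `pf.conf` fragment. This is an added example, not part of the original message: the interface names and addresses are placeholders, and it uses current OpenBSD pf syntax (`rdr-to`), which differs from the syntax in use in 2005.

```conf
# Constructed example: interface names and addresses are placeholders.
ext_if  = "em0"          # Internet-facing interface (assumed name)
dmz_if  = "em1"          # DMZ-facing interface (assumed name)
web_pub = "192.0.2.10"   # public IP configured on the firewall (documentation range)
web_int = "10.0.0.10"    # web server's internal DMZ address (assumed)

set skip on lo

# Default deny in both directions, logged so dropped traffic can be reviewed.
block log all

# Inbound: only HTTP/HTTPS addressed to the public IP is redirected to the
# web server. Nothing else on that IP, and nothing on the firewall itself,
# is reachable from outside.
pass in  on $ext_if inet proto tcp to $web_pub port { 80 443 } rdr-to $web_int
pass out on $dmz_if inet proto tcp to $web_int port { 80 443 }

# Outbound ("2way filtering"): replies to the connections above leave via the
# state entries pf created for them. Connections initiated by the web server
# match no pass rule; this explicit rule documents that and logs attempts.
block in log on $dmz_if inet from $web_int
```

Loading with `pfctl -nf /etc/pf.conf` parses the ruleset without applying it, and `tcpdump -n -e -ttt -i pflog0` shows the packets the logged block rules drop.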