firewalls

Posted by ljohnson on March 21, 2005, 11:52 am
Hi all,

I'm fairly new to network security and have been assigned the task of
deciding which firewall configuration would best suit my company's web
application. Could someone please help me by giving the advantages
disadvantages of the options listed below or by letting me know if I'm
even on the right track to begin with.

Thanks,

Larry

1.) A software firewall installed on the webserver.

2.) A hardware firewall acting as an intermediary between the webserver
and the outside world.

3.) A software firewall installed on a machine that is not the
webserver acting as an intermediary between the webserver and the
outside world.

Also, if a software firewall is the way to go could you suggest some
applications that would be appropriate for a production level
environment?
I know the basic Norton/Mcafee options, but I imagine these are geared
more towards personal use.



Posted by Covelight on March 21, 2005, 5:38 pm
On Mon, 21 Mar 2005 11:52:18 -0800, ljohnson wrote:

> Hi all,
>
> I'm fairly new to network security and have been assigned the task of
> deciding which firewall configuration would best suit my company's web
> application. Could someone please help me by giving the advantages
> disadvantages of the options listed below or by letting me know if I'm
> even on the right track to begin with.
>
> Thanks,
>
> Larry

Hi Larry,

One of the critical points you mentioned is that you are deciding the
firewall configuration for your company's web application. In your
situation, we would suggest a properly configured hardware firewall as
well as a product like Covelight Systems' Percept appliance. The
reasoning for this is that a typical firewall setup for a web application
is going to allow all packets destined for the web application through,
leading to the classic "port 80 dilemma", which is to say that you are
still vulnerable to Application Attacks even if you are fairly well
protected from Network Attacks. Percept will allow you to monitor and
audit web application usage to prevent any number of potentially
devastating web application breaches.

A great site for studying about web application security is
http://www.owasp.org . Details and contact information for the
Covelight Percept product can be found at Covelight's website at
http://www.covelight.com .

>
> 1.) A software firewall installed on the webserver.
>
> 2.) A hardware firewall acting as an intermediary between the webserver
> and the outside world.
>
> 3.) A software firewall installed on a machine that is not the webserver
> acting as an intermediary between the webserver and the outside world.
>
> Also, if a software firewall is the way to go could you suggest some
> applications that would be appropriate for a production level
> environment?
> I know the basic Norton/Mcafee options, but I imagine these are geared
> more towards personal use.


-------------------------------------------------------------
Covelight Systems

Protecting the privacy, integrity and confidentiality of your
critical web-enabled information.

http://www.covelight.com
-------------------------------------------------------------



Posted by Leythos on March 21, 2005, 8:24 pm
On Mon, 21 Mar 2005 11:52:18 -0800, ljohnson wrote:
>
> Hi all,
>
> I'm fairly new to network security and have been assigned the task of
> deciding which firewall configuration would best suit my company's web
> application. Could someone please help me by giving the advantages
> disadvantages of the options listed below or by letting me know if I'm
> even on the right track to begin with.
>
> Thanks,
>
> Larry
>
> 1.) A software firewall installed on the webserver.

Always a bad idea.

> 2.) A hardware firewall acting as an intermediary between the webserver
> and the outside world.

This is the proper method, and the webserver should not be part of your
trusted network.

> 3.) A software firewall installed on a machine that is not the
> webserver acting as an intermediary between the webserver and the
> outside world.

This is almost the same as the Hardware firewall - and most people call
the #2 item an "Appliance". Many firewalls that protect corporate
environments are #2 and #3, there is no real difference in function, only
the number of parts that could fail.

> Also, if a software firewall is the way to go could you suggest some
> applications that would be appropriate for a production level
> environment?
> I know the basic Norton/Mcafee options, but I imagine these are geared
> more towards personal use.

The "Personal" firewall applications are not designed for a server that
faces the public, if they are even designed for a server at all. Any
server that is exposed to the public should not rely on a firewall
application installed on the same server, it's just a bad idea, and it's
easy to compromise the firewall if the server services are compromised.

CheckPoint is the only firewall I would run on a computer acting as a
Firewall server.

WatchGuard is the firewall Appliance of my choice for stand alone units.

--
spam999free@rrohio.com
remove 999 in order to email me



Posted by Michael J. Pelletier on March 21, 2005, 9:21 pm
ljohnson@envictus.com wrote:

> Hi all,
>
> I'm fairly new to network security and have been assigned the task of
> deciding which firewall configuration would best suit my company's web
> application. Could someone please help me by giving the advantages
> disadvantages of the options listed below or by letting me know if I'm
> even on the right track to begin with.
>
> Thanks,
>
> Larry
>
> 1.) A software firewall installed on the webserver.

It is always better to have the firewall SEPARATE from the server. After all
if the server gets hacked the firewall is useless.

> 2.) A hardware firewall acting as an intermediary between the webserver
> and the outside world.

Good call.

> 3.) A software firewall installed on a machine that is not the
> webserver acting as an intermediary between the webserver and the
> outside world.

This is really the same as a "firewall" in between the outside and the
server...

> Also, if a software firewall is the way to go could you suggest some
> applications that would be appropriate for a production level
> environment?
> I know the basic Norton/Mcafee options, but I imagine these are geared
> more towards personal use.

I would do this:

1) On your Internet router place your anti-spoofing and deny the RFC 1918
networks.

2) Get a stand-alone firewall. I like the Cisco PIX, but even a
Linux/FreeBSD box would be a great solution.

3) Next use an Application layer 7 firewall behind that; Sidewinder is
supposed to be good. This is the firewall that you should construct your
DMZs on.

Now, first this might be a lot of hardware for your company. I do not know
how small or large you are. However, placing a layer 4 firewall in front of
your layer 7 firewall is a generally good idea since layer 4 firewalls can
take much more of a beating than a layer 7. If you are a small company, I
would use Linux/FreeBSD for your layer 4 firewall. The firewalls that come
on Linux/FreeBSD are quite good (not to mention free!)

To summarize coming from the Internet to your server:
||
Internet Router with ACLs (just anti spoofing and RFC 1918 subnet stuff)
||
Layer 4 firewall (linux or Cisco PIX)
||
DMZ Layer 7 firewall (Your servers connect to this firewall)
||
Your internal network

Michael
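
Step 1 of the post above (anti-spoofing and denying the RFC 1918 networks on the Internet router), modelled as an added Python example that is not part of the original post. It goes slightly beyond the post by also checking the outbound direction; the public prefix 203.0.113.0/24 and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges: never a valid source on the Internet-facing side.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed for this example: the site's public prefix (documentation range).
OWN_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def edge_acl(direction, src):
    """Return (action, reason); direction is "in" (from Internet) or "out"."""
    addr = ipaddress.ip_address(src)
    if direction == "in":
        if any(addr in net for net in RFC1918):
            return "deny", "rfc1918-source"
        if addr in OWN_PREFIX:
            # Our own addresses cannot legitimately arrive from outside.
            return "deny", "spoofed-own-prefix"
        return "permit", "forward-to-layer4-firewall"
    if direction == "out":
        if addr not in OWN_PREFIX:
            # Egress filtering: only our own prefix may leave as a source.
            return "deny", "foreign-source-on-egress"
        return "permit", "own-prefix"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample packets: (direction, source address)
SAMPLE = [
    ("in", "198.51.100.7"),    # ordinary Internet client
    ("in", "10.1.2.3"),        # RFC 1918
    ("in", "172.31.255.1"),    # last address inside 172.16.0.0/12
    ("in", "172.32.0.1"),      # just outside 172.16.0.0/12
    ("in", "203.0.113.10"),    # claims to be one of our own hosts
    ("out", "203.0.113.10"),   # legitimate reply from the web server
    ("out", "192.168.1.50"),   # internal address leaking out un-NATed
]


def evaluate(sample=SAMPLE):
    """Run every sample packet through the ACL and collect the verdicts."""
    return [(d, s) + edge_acl(d, s) for d, s in sample]


if __name__ == "__main__":
    for row in evaluate():
        print("%-3s %-15s %-6s %s" % row)
```

The router only answers "is this source address plausible on this interface"; which ports and requests reach the web server is left to the layer 4 and layer 7 firewalls further down the path in the post.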




Posted by William L. Sun on March 22, 2005, 8:52 pm

> Hi all,
>
> I'm fairly new to network security and have been assigned the task of
> deciding which firewall configuration would best suit my company's web
> application. Could someone please help me by giving the advantages
> disadvantages of the options listed below or by letting me know if I'm
> even on the right track to begin with.
>
> Thanks,
>
> Larry
>
> 1.) A software firewall installed on the webserver.
>
> 2.) A hardware firewall acting as an intermediary between the webserver
> and the outside world.

This is the only choice I would choose. If you have some budget, you should
think of a decent hardware firewall. You do not have to pay a lot of money
for it.

William Sun
www.thegild.com

>
> 3.) A software firewall installed on a machine that is not the
> webserver acting as an intermediary between the webserver and the
> outside world.
>
> Also, if a software firewall is the way to go could you suggest some
> applications that would be appropriate for a production level
> environment?
> I know the basic Norton/Mcafee options, but I imagine these are geared
> more towards personal use.
>



