Re: [fw-wiz] Authenticated VS Anonymous in a secure Zone

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 05/14/04

    To: Roger Barbeau <r_barbeau@videotron.ca>
    Date: Fri, 14 May 2004 15:54:43 -0400 (EDT)
    
    

    On Fri, 14 May 2004, Roger Barbeau wrote:

    > Hi!
    >
    > A design question for all of you.
    >
    > Let's say that we have two web servers in our DMZ.
    > Traffic to the web server 1 is authenticated by the firewall and the
    > credential is relayed to the web server 1.
    > Traffic to the web server 2 is anonymous.
    >
    > What is the security concern about having authenticated traffic and
    > anonymous traffic going to the same zone?

    Any exploitable condition in Web Server 2 means that Web Server 1 can be
    attacked from there. In an ideal design, things which require the same
    level of security are separated from things which require different levels
    of security. Generally, in Web "Extranet" designs, this is done by
    putting an additional interface on the firewall, and creating a new "zone"
    for the more sensitive thing.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
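
Added example, not part of the original message: a small Python model of the point in the reply above, comparing a shared DMZ with the separate-zone design. The zone names, rule sets and the `pivot_reach` helper are constructed for illustration, and the model assumes hosts in one zone share a segment, so traffic between them never crosses the firewall.

```python
from collections import deque

def pivot_reach(start, zone_of, fw_allow):
    """Map each host reachable from a compromised `start` to how it is reached.

    "unfiltered": same zone as the previous hop, so the firewall never sees it.
    "filtered":   crosses zones, possible only because fw_allow permits the pair.
    """
    reached, queue = {}, deque([start])
    while queue:
        cur = queue.popleft()
        for host, zone in zone_of.items():
            if host == start or host in reached:
                continue
            if zone == zone_of[cur]:
                reached[host] = "unfiltered"
            elif (zone_of[cur], zone) in fw_allow:
                reached[host] = "filtered"
            else:
                continue
            queue.append(host)
    return reached

# Constructed layouts. web1 takes firewall-authenticated traffic, web2 anonymous.
SHARED = {"web1": "dmz", "web2": "dmz"}            # both servers in one zone
SPLIT = {"web1": "dmz-auth", "web2": "dmz-anon"}   # extra firewall interface

# Constructed inter-zone policy as (source zone, destination zone) pairs.
FW_SHARED = {("internet", "dmz")}
FW_SPLIT = {("internet", "dmz-auth"), ("internet", "dmz-anon")}

# A rule that would undo the separation, useful as a policy-review check.
FW_SPLIT_LEAKY = FW_SPLIT | {("dmz-anon", "dmz-auth")}

if __name__ == "__main__":
    for name, zones, rules in [
        ("shared DMZ", SHARED, FW_SHARED),
        ("split zones", SPLIT, FW_SPLIT),
        ("split zones, leaky rule", SPLIT, FW_SPLIT_LEAKY),
    ]:
        print(f"{name}: from web2 -> {pivot_reach('web2', zones, rules)}")
```

In the shared layout web1 shows up as "unfiltered" from web2; in the split layout it is absent unless a rule from the anonymous zone to the authenticated zone is added, and then it is at least "filtered" and visible to the firewall.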

