RE: [fw-wiz] medical records, web server, & stateful firewall vs packet filter

From: Paul Melson (pmelson_at_gmail.com)
Date: 11/10/05

    To: "'Adam Greene'" <maillist@webjogger.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 10 Nov 2005 16:35:57 -0500
    
    

    -----Original Message-----
    Subject: [fw-wiz] medical records, web server, & stateful firewall vs packet filter

    > My question at this point is: am I making a mistake by placing a stateful
    > firewall between the webserver and the Internet? Maybe a simple packet
    > filter would be less prone to DoS attacks. I could stick a Cisco 2800 there
    > instead. I have always believed that a stateful firewall device like a PIX
    > or ASA 5500 would offer better overall protection than a packet filter (I
    > need to limit access to the image and SQL servers too), but some feedback
    > I've received recently is causing me to question this assumption.

    I think you're off-target to be worrying about DoS attacks over attacks that
    lead to the compromise of this system or disclosure of data contained within
    (especially because healthcare data is regulated/protected in many
    countries). I think you're also relying too heavily on the web server and
    the web app to be secure, which they probably aren't. And since the web app
    has access to the SQL database and the image files you're trying to protect,
    it's likely to be your soft spot. Layer 3 filters are useful out front and
    between the front-end and back-end servers, but they're just a start. You
    need to look at application security either through app testing and
    assurance or through some sort of protective reverse proxy.

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
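    The tiered Layer 3 filtering Paul describes (a filter out front, and another between the web server and the SQL/image servers), written out as an added illustration in the IOS packet-filter style the original poster mentioned for a Cisco 2800; this is not configuration from the thread. Addresses, interface names and the image-server port (445) are placeholders chosen for the example.

    ```cisco
    ! Added example, not from the original thread. All addresses are placeholders.
    ! Stateless packet filter: "established" only checks TCP ACK/RST flags, it
    ! keeps no connection table, which is the trade-off versus a PIX/ASA.
    ip access-list extended INTERNET-TO-DMZ
     permit tcp any host 192.0.2.10 eq 80
     permit tcp any host 192.0.2.10 eq 443
     deny   ip any any log
    !
    ! Web server (192.0.2.10) may reach only the SQL server (1433) and the
    ! image server (445, assumed port), plus send replies to Internet clients.
    ip access-list extended FROM-DMZ
     permit tcp host 192.0.2.10 eq 80 any established
     permit tcp host 192.0.2.10 eq 443 any established
     permit tcp host 192.0.2.10 host 10.10.1.20 eq 1433
     permit tcp host 192.0.2.10 host 10.10.1.30 eq 445
     deny   ip any any log
    !
    ! Back-end servers may only answer the web server, never originate.
    ip access-list extended FROM-BACKEND
     permit tcp host 10.10.1.20 eq 1433 host 192.0.2.10 established
     permit tcp host 10.10.1.30 eq 445 host 192.0.2.10 established
     deny   ip any any log
    !
    interface GigabitEthernet0/0
     description Internet
     ip access-group INTERNET-TO-DMZ in
    interface GigabitEthernet0/1
     description DMZ (web server)
     ip access-group FROM-DMZ in
    interface GigabitEthernet0/2
     description Back-end (SQL and image servers)
     ip access-group FROM-BACKEND in
    ! None of these rules look inside the HTTP request: a flaw in the web app
    ! still arrives over the permitted port and then uses the permitted path to
    ! 1433/445, which is why the reply calls the app the soft spot.
    ```

    The "log" on each final deny gives a cheap detection signal: any hit on FROM-BACKEND's deny, or an unexpected destination from the DMZ, is worth alerting on.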

