Re: [fw-wiz] medical records, web server, & stateful firewall vs packet filter
From: Adam Greene (maillist_at_webjogger.net)
Date: 11/18/05
- Previous message: Matt Bazan: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
- In reply to: Paul Melson: "RE: [fw-wiz] medical records, web server, & stateful firewall vs packet filter"
To: <firewall-wizards@honor.icsalabs.com>
Date: Fri, 18 Nov 2005 09:38:40 -0500
Paul and Jeff,
Thanks to both of you for your responses, which I found very useful. Paul,
you're right of course that focusing on firewalls and packet filters will be
close to useless if there is no application-level security. And the DoS
concerns are secondary to preventing system compromise. In general what I'm
getting from the feedback which you and others have provided is that the DoS
issues really are secondary at this point.
thanks again,
Adam
----- Original Message -----
From: "Paul Melson" <pmelson@gmail.com>
To: "'Adam Greene'" <maillist@webjogger.net>;
<firewall-wizards@honor.icsalabs.com>
Sent: Thursday, November 10, 2005 4:35 PM
Subject: RE: [fw-wiz] medical records, web server, & stateful firewall vs packet filter
> -----Original Message-----
> Subject: [fw-wiz] medical records, web server, & stateful firewall vs packet filter
>
> > My question at this point is: am I making a mistake by placing a stateful
> > firewall between the webserver and the Internet? Maybe a simple packet
> > filter would be less prone to DoS attacks. I could stick a Cisco 2800
> > there instead. I have always believed that a stateful firewall device
> > like a PIX or ASA 5500 would offer better overall protection than a
> > packet filter (I need to limit access to the image and SQL servers too),
> > but some feedback I've received recently is causing me to question this
> > assumption.
>
> I think you're off-target to be worrying about DoS attacks over attacks
> that lead to the compromise of this system or disclosure of data contained
> within (especially because healthcare data is regulated/protected in many
> countries). I think you're also relying too heavily on the web server and
> the web app to be secure, which they probably aren't. And since the web
> app has access to the SQL database and the image files you're trying to
> protect, it's likely to be your soft spot. Layer 3 filters are useful out
> front and between the front-end and back-end servers, but they're just a
> start. You need to look at application security either through app testing
> and assurance or through some sort of protective reverse proxy.
>
> PaulM
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
>
>