Re: What is more secure?

From: Alvin Oga (alvin.sec_at_Virtual.Linux-Sec.net)
Date: 02/27/05

    Date: Sun, 27 Feb 2005 14:55:22 -0800
    To: Tomas <s.tomas@gmail.com>
    
    

    hi ya tomas

    On Thu, Feb 24, 2005 at 11:05:08AM +0200, Tomas wrote:
    >
    > I'd like to ask you, as guys who know a lot about security, this
    > question: what is more secure when dealing with web servers and public ips.
    > Is it more secure to give all of your public ips directly to a web server
    > and filter traffic with firewall, or is it better to give all public ips to
    > a firewall and only redirect http and https ports to internal web server?

    which is more secure ... neither ... it depends on the rest of the
    system and network config and how you use the servers

    some people's firewall is uselessly insecure, since it allows all the
    traffic from everywhere/anywhere into the servers it's trying to protect

    if your firewall is say PIX or checkpoint, it'd probably be more secure
    if it's properly configured ( less things it can do wrong, other than
    you turning everything to be allowed )

    if the firewall is linux or *bsd based, it'd probably be just as insecure
    as your linux based webserver, though *bsd fw will be more secure than linux
    using the same set of firewall rules

    the problem is you will need to harden your webserver and linux-based firewall
    and if your customers are ecommerce websites, you should hire professional
    security folks with liability insurance to fix the problems per your budget
    and specs

    if the website can go down for a day or two and no loss of personal data,
    then it doesn't matter if it gets hacked, just need to learn why/how they got in

    lots of issues .. there is no clear answer of which is more secure

    a system is more secure if it is secure by itself and does NOT depend on
    a firewall .. and you have data stored ( backed up ) at least 3 other places

    a network is more secure if you assume that the hacker/cracker is inside
    your network, in the firewall, and you protect your remaining servers
    and protect your data, knowing the cracker is inside your network

    how you make things secure, depends on how you allow data to be moved
    from one machine to another

    c ya
    alvin

