My web server is on Windows 2003 server box with IIS 6 (that’s my company's
policy and I can't do anything about it), so it's hardened to the point
Microsoft allows it to be :) and my firewall is OpenBSD box (I love this OS
:) and of course it's hardened the point my knowledge allows it to be :).
The network is so small (only a few servers, because it's a DMZ network) and
if I assume that the hacker is in it than I will assume that the hacker is
in the web server itself and there will be no point in protecting it... So
now I need to figure out that is more secure, to give all public ips to the
web server and filter traffic with bridging firewall or to give all public
ips to firewall itself and only forward certain ports to the web server with
internal ips. Blackhat wrote that it's more secure to give all public ips to
firewall and to forward ports to web's internal ips (sorry blackhat if I
understood you wrongly), but then the hacker will be making his attack on
the firewall and if he succeed he will gain all access to both networks:
internal and DMZ. And if I'll give all public ips to the web server and make
bridging firewall then the hacker will be making his attack directly on the
web server and if he succeeds he will gain access to web server only. Or am
I wrong... I'm a little confused here...
Received on Mar 01 2005
Intro
