|
Firewall Wizards
mailing list archives
RE: medical records, web server, & stateful firewall vs packet filter
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 10 Nov 2005 16:35:57 -0500
-----Original Message-----
Subject: [fw-wiz] medical records, web server, & stateful firewall vs packet
filter
My question at this point is: am I making a mistake by placing a stateful
firewall between
the webserver and the Internet? Maybe a simple packet filter would be
less prone to DoS
attacks. I could stick a Cisco 2800 there instead. I have always believed
that a stateful
firewall device like a PIX or ASA 5500 would offer better overall
protection than a packet
filter (I need to limit access to the image and SQL servers too), but some
feedback I've
received recently is causing me to question this assumption.
I think you're off-target to be worrying about DoS attacks over attacks that
lead to the compromise of this system or disclosure of data contained within
(especially because healthcare data is regulated/protected in many
countries). I think you're also relying too heavily on the web server and
the web app to be secure, which they probably aren't. And since the web app
has access to the SQL database and the image files you're trying to protect,
it's likely to be your soft spot. Layer 3 filters are useful out front and
between the front-end and back-end servers, but they're just a start. You
need to look at application security either through app testing and
assurance or through some sort of protective reverse proxy.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
|
Intro
