web server must be outside the firewall?

I want to know the web server must be setup outside the firewall? Well, it
makes sense because people anywhere can access the web server. But from
security stand point, is it too insecure? Please advise!

Thanks!

You can use firewalls to screen subnets and not translate them. Or, you can
use NAT.

"Matthew Louden" <(E-Mail Removed)> wrote in message
news:Olpg%(E-Mail Removed)...
> I want to know the web server must be setup outside the firewall? Well, it
> makes sense because people anywhere can access the web server. But from
> security stand point, is it too insecure? Please advise!
>
> Thanks!
>
>

The webserver should only have port 80 open (some other might be open too,
for example the SSL port). So, the webserver should be behind some kind of
firewall. DMZ is probably the best place to put it in.

--
Regards,
Kristofer Gafvert
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003


"Matthew Louden" <(E-Mail Removed)> wrote in message
news:Olpg%(E-Mail Removed)...
> I want to know the web server must be setup outside the firewall? Well, it
> makes sense because people anywhere can access the web server. But from
> security stand point, is it too insecure? Please advise!
>
> Thanks!
>
>

I would say it depends on how you want to control and manage it.

If it's throw away static content, then I guess you could simply lock it down so
only http and https are available and leave it out on the big bad raw Internet.

You'd also need to 'open' these ports if it was behind a firewall anyhow.

Even if you put it behind a Firewall and only NAT or expose port 80/443 to the
planet, that doesn't mean it's safe. Once those ports are open people can
attempt to hack into your server (using buffer overflows, etc.).

On Tue, 2 Dec 2003 10:48:59 -0800, "Matthew Louden"
<(E-Mail Removed)> wrote:

>I want to know the web server must be setup outside the firewall?

Nope. Can be anywhere, though it needs to be reachable from the
system trying to access it.

>Well, it
>makes sense because people anywhere can access the web server. But from
>security stand point, is it too insecure? Please advise!

You need to understand routing, address translation and firewall rules
before you can understand the answer to this, but in a nutshell, you
can run a web server outside the firewall, in a DMZ or inside the
firewall with the proper combination of routing and access rules, plus
address translation if you're using private IP ranges internally.

Jeff