apache web proxy and IIS6
am 15.01.2008 21:57:52 von tonyIs it more secure to place apache web proxy infront of IIS6? How insecure is
it to place IIS6 on dmz?
We want to get rid of the apache web proxy and just go with IIS
Re: apache web proxy and IIS6
am 16.01.2008 09:02:44 von David WangOn Jan 15, 12:57=A0pm, "tony"
> Is it more secure to place apache web proxy infront of IIS6? How insecure =
is
> it to place IIS6 on dmz?
>
> We want to get rid of the apache web proxy and just go with IIS
IIS6 is safe to be Internet facing... backed by a rock-solid security
record that is better than any Apache version that you've put in front
of it...
If you turn on Windows firewall to have the same ports open as allowed
by your web proxy, there is little functional difference.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: apache web proxy and IIS6
am 16.01.2008 18:33:23 von tonyIs it unsafe to have the IIS servers in a domain on the DMZ? Is it better to
be in workgroup?
how do i pass authentication into domain if it is in workgroup?
"David Wang"
news:c41a242e-fab2-4203-8bed-49943ae51554@t1g2000pra.googleg roups.com...
On Jan 15, 12:57 pm, "tony"
> Is it more secure to place apache web proxy infront of IIS6? How insecure
> is
> it to place IIS6 on dmz?
>
> We want to get rid of the apache web proxy and just go with IIS
IIS6 is safe to be Internet facing... backed by a rock-solid security
record that is better than any Apache version that you've put in front
of it...
If you turn on Windows firewall to have the same ports open as allowed
by your web proxy, there is little functional difference.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: apache web proxy and IIS6
am 16.01.2008 22:55:15 von David WangSafety/Security is always relative -- please define your requirements
of security and how you'll measure it -- because until you can do
those things, you are *not* secure. Exact same argument applies for
"performance", "scalability", even "functionality".
Authentication/Delegation is tangential to networking layout/
segmentation, so your questions about passing authentication through
the DMZ via workgroup/domain doesn't make sense.
1. Secure the DC somewhere - in the DMZ itself or poke a hole thru
your Intranet for access by IIS in the DMZ
2. Use IPSecurity to route traffic such that *only* IIS is allowed to
talk with your DC and nothing else
This forms your network segmentation and IIS is positioned at the
right place to talk to your DC and authenticate.
Search for standard whitepapers on how to do this on microsoft.com.
This is very well-documented and used .
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Jan 16, 9:33=A0am, "tony"
> Is it unsafe to have the IIS servers in a domain on the DMZ? Is it better =
to
> be in workgroup?
>
> how do i pass authentication into domain if it is in workgroup?"David Wang=
"
>
> news:c41a242e-fab2-4203-8bed-49943ae51554@t1g2000pra.googleg roups.com...
> On Jan 15, 12:57 pm, "tony"
>
> > Is it more secure to place apache web proxy infront of IIS6? How insecur=
e
> > is
> > it to place IIS6 on dmz?
>
> > We want to get rid of the apache web proxy and just go with IIS
>
> IIS6 is safe to be Internet facing... backed by a rock-solid security
> record that is better than any Apache version that you've put in front
> of it...
>
> If you turn on Windows firewall to have the same ports open as allowed
> by your web proxy, there is little functional difference.
>
> //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David. Wang
> //