IIS on DMZ

on 16.01.2008 07:47:00 by tony

How secure is it to have IIS 6 on DMZ? Do I need to be using Apache web
proxy at all?

Re: IIS on DMZ

on 17.01.2008 02:20:06 by Ken Schaefer

Secure against what?

Cheers
Ken


Re: IIS on DMZ

on 17.01.2008 02:48:49 by tony

What I mean is expose port 80 and 443 to the public. Is it safe? And would
having front end Apache proxies in front of the IIS 6 servers be an
additional layer of security?

I am trying to convince management to take the Linux web proxies out and
open port 80/443 on the IIS servers instead.



Re: IIS on DMZ

on 17.01.2008 07:27:18 by Ken Schaefer

"tony" wrote in message
news:ey83dsKWIHA.4476@TK2MSFTNGP06.phx.gbl...
> What I mean is expose port 80 and 443 to the public. Is it safe?

Safe against what, exactly? Nuclear bomb? No.

Lots of companies run IIS 6.0 and have public websites. Like Microsoft.com.
So, the mere fact of exposing 80 and 443 doesn't automatically make you
insecure.

> And would having front end Apache proxies in front of the IIS 6 servers be
> an additional layer of security?

What are these proxies doing? If they are just proxying requests verbatim
they are adding no security at all. Are these proxies doing some kind of
filtering? If not, you have gained nothing except additional administrative
overhead.

But there is no such thing as "perfectly secure". There is only "less
secure" and "more secure" (i.e. degrees of security). Additionally you can
be secure against a particular threat, but completely open to some other
threat. You need to work out what your security threats are.

Cheers
Ken



Re: IIS on DMZ

on 17.01.2008 18:15:07 by tony

I understand what you mean but security team basically is saying IIS is not
secure, they will not open up port 80/443 to IIS. So we have Linux proxies
in front of IIS 6 that do redirects to the IIS6 servers. IIS6 servers are
also on DMZ but firewall opens up only port 80/443 on the proxies. Then
Linux redirects them to the IIS 6 servers.

thanks




Re: IIS on DMZ

on 18.01.2008 04:16:50 by Ken Schaefer

Please ask your security people how this is protecting IIS in any way?

If there is some kind of malicious packet that can exploit IIS, then your
proxy will just pass it to IIS, and you'll still be compromised.

Cheers
Ken

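The distinction drawn in the thread between a proxy that relays requests verbatim and one that filters them, modelled as an added example (not part of the original posts, and not Apache's or IIS's own code). The policy limits, function names and sample requests are hypothetical and constructed for illustration.

```python
from urllib.parse import unquote

# Hypothetical policy values, chosen for illustration only.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 2048
MAX_HEADER_BYTES = 8192

def parse_request(raw):
    """Split a raw HTTP/1.x request head into method, target, request line, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.decode("latin-1").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], request_line, header_block

def verbatim_proxy(raw):
    """A proxy that relays bytes unchanged: every request reaches the backend."""
    return True

def filtering_proxy(raw):
    """Return (forwarded, reason); only requests matching the policy are relayed."""
    try:
        method, target, request_line, header_block = parse_request(raw)
    except ValueError as exc:
        return False, str(exc)
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    if len(header_block) > MAX_HEADER_BYTES:
        return False, "headers too large"
    # Decode twice so double-encoded dot segments are seen as well.
    path = unquote(unquote(target.split("?", 1)[0])).replace("\\", "/")
    if ".." in path.split("/"):
        return False, "dot segment in path"
    return True, "ok"

# Constructed sample requests (not captured traffic).
HOST = b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLES = {
    "normal": b"GET /default.aspx" + HOST,
    "webdav": b"PROPFIND /docs" + HOST,
    "long": b"GET /" + b"a" * 4000 + HOST,
    "dots": b"GET /scripts/%252e%252e/x" + HOST,
}

def compare():
    """Map sample name -> (reaches backend via verbatim proxy, via filtering proxy)."""
    return {n: (verbatim_proxy(r), filtering_proxy(r)[0]) for n, r in SAMPLES.items()}
```

With the verbatim relay every sample reaches the backend; the front end only counts as an additional layer for the request classes its policy actually rejects.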