Here's what I would do (assuming I understood you correctly):

1. put your new web server inside your LAN
2. set up your firewall to PAT/NAT from ExtInt:80,443 to web server:443
3. on your web server, make sure only HTTP/SSL traffic is allowed--lock it down
4. make sure your programmers understand about buffer overflows, input sanitization, and the difference between whitelisting and blacklisting (i.e. secure by default)
5. if you should be getting traffic from only one set of networks, you could lock down your firewall PAT/NAT rule a bit, and lock down your web server host rules a bit

You'll need a certificate (you can self-generate one, or you can get one from Thawte or Verisign). Make sure you apply security patches in a timely manner (e.g. you could schedule 3am--4am every night for downtime/maintenance, and make sure you use that downtime).

At this point you have covered network security, host security, and application security--to an ethically reasonable degree.

--Patrick Darden
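The five steps above, written out as an nftables ruleset. This is an added example for this page, not something from the thread; the interface names, the external address, the web server address, the admin host and the partner networks are all assumed values.

```nft
# Added example, not from the thread. Assumed: WAN interface eth0, LAN interface
# eth1, external address 203.0.113.10, LAN web server 192.168.10.20.
table ip webfw {
    # Step 5: the only source networks that should reach the published service
    # (constructed partner ranges; replace with the real ones)
    set allowed_src {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 192.0.2.0/24 }
    }

    # Step 2: PAT/NAT ExtInt:80,443 -> web server:443, only for allowed sources
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "eth0" ip saddr @allowed_src ip daddr 203.0.113.10 tcp dport { 80, 443 } dnat to 192.168.10.20:443
    }

    # Steps 1 and 5: the server sits in the LAN (step 1), so the forward path
    # admits only the translated flows; anything else from the Internet is dropped
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "eth0" oifname "eth1" ip saddr @allowed_src ip daddr 192.168.10.20 tcp dport 443 ct state new accept
        # LAN -> Internet rules go here as site policy requires
    }
}

# Step 3: a separate ruleset loaded on the web server itself (nft -f host.nft):
# only HTTPS from outside, plus SSH from one assumed LAN admin host (192.168.10.5)
table inet webhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 443 ct state new accept
        ip saddr 192.168.10.5 tcp dport 22 ct state new accept
    }
}
```

External port 80 is translated to the server's TLS listener exactly as step 2 describes, so a plain-HTTP client that hits it gets a TLS handshake failure rather than a redirect; if plain-HTTP visitors must be redirected, publish port 80 to a redirect-only listener on the server instead.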

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Ginski, Richard J
Sent: Thursday, March 20, 2008 2:29 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Web Services and Firewall/Network Architecture



Hi All,

There's talk in our org to directly interface one of our back-end servers to provide web services for external entities via the Internet. On the surface, this is a risky option for me. Although firewall "protected", I don't want a "protected device" directly interacting with web service "consumers" from the Internet. It sounds like a bad idea to me.

I have been searching around looking for sample diagrams (etc) on environments that support Web Services. I am trying to determine where stuff goes in this environment and how a firewall/DMZ fits into the picture. Can anyone point me to where info would be available for this? I've checked the archives for the past year and checked at OASIS, W3C, OWASP, and XML.com, with no luck. The "web services sites" focus on coding practices, coding architecture, and coding frameworks. Although very important, it's not the info I am looking for. We are trying to determine how web services fit in our environment using best practices in network design and network security to support web services.

Any help would be greatly appreciated. TIA!

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
