What you have said is true, but we agree to a point - all servers should be behind firewalls. Your setup works great, and I agree that having a "mirror" prevents corruption of internal data, but it does prevent you from using a web application to update anything. You are restricted to read-only.

Also, the goal of a firewall is not just to provide an IP-level barrier between machines, but also to control and monitor the data passing through it. Many firewalls have the capability to "filter" out packets that are corrupted, etc. (which forms the basis for many port 80 attacks).

Also, using the same DB server for both web content and sensitive internal data isn't the wisest thing to do either. If your application *is* only read-only, then you can set up a read-only data connection between the DB server and the web server, again preventing corruption of that data from the web server.

Glenn Hunt
ghunt at hds.ca

-----Original Message-----
From: thelist-admin at lists.evolt.org [mailto:thelist-admin at lists.evolt.org] On Behalf Of Ron_Senykoff at BEAEROSPACE.COM
Sent: Thursday, September 20, 2001 2:33 PM
To: thelist at lists.evolt.org
Subject: RE: [thelist] Firewalls vs. Web Databases

<snip>
The best for security is definitely everything behind the firewall
</snip>

I disagree. It is definitely better... but in this case I would suggest 2 firewalls. One for the DMZ and one protecting the internal network. If everything is behind one firewall, then you have to leave ports open. Leaving ports open on the firewall leaves ways for an attacker to come in.

We currently run 2 webservers, one inside the firewall and one outside (in the DMZ). We have one-way replication set up so that the internal server pushes changes to the external one. Even if an attacker got into the external box and screwed it up, we still have our data and can rebuild with minimal effort.

Having a server 'internal' with port 80 open... then a hacker attacks it on port 80. As applications become more and more 'web-enabled', more things are left open via port 80. I've seen many companies that have an intranet that is accessible from outside -- via port 80. They think "because it's behind a firewall it's safe," yet they left the door open. I was poking around with a few Notes vulnerabilities and found that I was looking at HR information, internal job postings, help-desk applications...

Ron Senykoff

---------------------------------------
For unsubscribe and other options, including the Tip Harvester and archive of TheList go to: http://lists.evolt.org
Workers of the Web, evolt !
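Ron's two-firewall layout (edge firewall in front of the DMZ, a second firewall in front of the internal network, replication pushed outward only) can be written down as an explicit policy and checked against the flows the thread worries about: Internet reaching the DMZ web server on port 80, the Internet reaching anything internal, and a compromised DMZ host trying to open connections inward. The following is an added example and is not code from either poster; the address ranges, host names and the replication port are constructed for illustration, and the model is first-match-wins with a default deny per firewall.

```python
"""Policy model of a two-firewall DMZ: Internet -> edge firewall -> DMZ
-> inner firewall -> internal network. Added example, not from the post;
all addresses and ports below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the connection must originate from
    dst: str      # CIDR it must be destined to
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


# Constructed address plan (assumption). 192.0.2.0/24 is a documentation range.
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.10.0.0/16"
DMZ_WEB = "192.0.2.10/32"      # externally reachable web server
INT_WEB = "10.10.1.10/32"      # internal web server that pushes replication
INT_DB = "10.10.2.20/32"       # internal database, never exposed

# Edge firewall: the only inbound hole is HTTP to the DMZ web server.
EDGE_RULES = [
    Rule(INTERNET, DMZ_WEB, 80, "allow"),
]

# Inner firewall: internal pushes replication out to the DMZ (one direction);
# nothing in the DMZ may initiate a connection inwards. Port 22 is an assumption.
INNER_RULES = [
    Rule(INT_WEB, DMZ_WEB, 22, "allow"),
]

ZONES = {"internal": ip_network(INTERNAL), "dmz": ip_network(DMZ)}


def zone(addr):
    """Classify an address into internal, dmz or internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


# Which firewalls a connection crosses, by the pair of zones it spans.
FIREWALLS_BETWEEN = {
    frozenset({"internet", "dmz"}): [EDGE_RULES],
    frozenset({"dmz", "internal"}): [INNER_RULES],
    frozenset({"internet", "internal"}): [EDGE_RULES, INNER_RULES],
}


def evaluate(rules, src, dst, port):
    """First matching rule wins; an unmatched connection is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port == port:
            return r.action
    return "deny"


def path_allowed(src, dst, port):
    """True only if every firewall between the two zones allows the flow.
    Traffic that stays inside one zone crosses no firewall in this model."""
    crossed = FIREWALLS_BETWEEN.get(frozenset({zone(src), zone(dst)}), [])
    return all(evaluate(rules, src, dst, port) == "allow" for rules in crossed)


if __name__ == "__main__":
    attacker = "203.0.113.5"  # constructed external address
    for desc, flow in [
        ("Internet -> DMZ web :80", (attacker, "192.0.2.10", 80)),
        ("Internet -> DMZ web :22", (attacker, "192.0.2.10", 22)),
        ("Internet -> internal DB :1433", (attacker, "10.10.2.20", 1433)),
        ("DMZ web -> internal DB :1433", ("192.0.2.10", "10.10.2.20", 1433)),
        ("internal web -> DMZ web :22 (replication)", ("10.10.1.10", "192.0.2.10", 22)),
    ]:
        print(f"{desc}: {'allow' if path_allowed(*flow) else 'deny'}")
```

The point the model makes visible is Ron's: with one firewall and an internal server on port 80, the allow rule for HTTP is also the path to the data; with two, the only inbound hole terminates on a host that holds a disposable copy, and the DMZ host has no rule letting it talk inward at all.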
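Glenn's other suggestion, a read-only data connection from the web server to the database so that a compromised web tier cannot corrupt the data, is easy to demonstrate end to end. This added example (not code from either poster) uses SQLite's read-only URI mode as a stand-in for a database account granted SELECT only; the table, its contents and the file name are constructed for the demo.

```python
"""Read-only data path between web tier and database. Added example; the
SQLite read-only connection stands in for a SELECT-only DB account.
Schema and sample row are constructed."""
import os
import sqlite3
import tempfile


def build_db(path):
    """Play the role of the internal system that owns and writes the data."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("INSERT INTO jobs (title) VALUES ('Constructed sample posting')")
    con.commit()
    con.close()


def web_tier_connection(path):
    """The only handle the web server gets: mode=ro opens the database
    read-only, so any write statement fails with OperationalError."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def web_read(path):
    """The legitimate read-only use the web application needs."""
    con = web_tier_connection(path)
    try:
        return [row[0] for row in con.execute("SELECT title FROM jobs")]
    finally:
        con.close()


def web_write_attempt(path):
    """Simulates a compromised web tier trying to alter data. Returns the
    database's error text (or None if the write went through) so the
    outcome can be checked rather than just printed."""
    con = web_tier_connection(path)
    try:
        con.execute("UPDATE jobs SET title = 'defaced'")
        con.commit()
        return None
    except sqlite3.OperationalError as e:
        return str(e)
    finally:
        con.close()


def demo():
    """Build the DB, read through the web handle, attempt a write through it,
    and read again. Returns (rows_before, write_error, rows_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "intranet.db")
        build_db(path)
        before = web_read(path)
        err = web_write_attempt(path)
        after = web_read(path)
        return before, err, after


if __name__ == "__main__":
    before, err, after = demo()
    print("web tier read:", before)
    print("write attempt:", err)
    print("data after attempt:", after)
```

With a real server the same split is a SELECT-only role for the web application's credentials plus a separate writer identity used only from the internal side; the property to verify is the one `demo()` checks, that the data is identical before and after a write attempt through the web tier's handle.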