I too am looking at the same configuration and am curious what experiences others may of had? Any really gotchas? Roy -----Original Message----- From: Ken Lui [mailto:Ken.Lui@gov.edmonton.ab.ca] Sent: Tuesday, July 24, 2001 9:06 AM To: 'firewalls@lists.gnac.net' Subject: Safe to put Web server inside with reverse proxy server in DMZ? The latest Code Red worm going around and targeting web server directly. Many site didn't apply the patch were caught off guard. That make us rethink where is the better place for the web server. 1. Keep the web server in DMZ and let it serve the request directly or 2. keep it in the internal network and use a reverse proxy (such as Netscape or MS ISA server) in DMZ. There are concerns with the way that proxy server works. Some even suggested that proxy server does not provide additional protection against buffer overflow. It is even more dangerous if the web server is behind the firewall. Once the web server is hacked, the entire network is at risk. But proxy servers are in fact a security device, especially ISA server claims itself being the full feature firewall. Their documentation suggests it is safe to use reverse proxy service (they called it web publishing) to allow external web access to an internal web server. How can that be if it doesn't provide any protection against buffer overflow? Do I miss anything? Hope someone can shine some light into this. Ken _______________________________________________ Firewalls mailing list Firewalls@lists.gnac.net http://lists.gnac.net/mailman/listinfo/firewalls _______________________________________________ Firewalls mailing list Firewalls@lists.gnac.net http://lists.gnac.net/mailman/listinfo/firewalls