Consultor Eletrônico



Kbase P42805: Why does the NameServer have to be behind the firewall?
Author   Progress Software Corporation - Progress
Access   Public
Published   17/09/2003
Status: Unverified

GOAL:

Why does the NameServer have to be behind the firewall?

GOAL:

What is Progress's recommendation on where I should put the NameServer?

GOAL:

Where should the NameServer reside?

FACT(s) (Environment):

WebSpeed

FIX:

Information from the Progress white paper:
Securing Your Progress® WebSpeed® Application with a Firewall

Well, primarily because today's firewall software products provide much better protection than the software typically used on a standard router. In the WebSpeed Firewall Architecture (WFA), a host-based PC or UNIX workstation is used to host the firewall software. This allows Web sites that cannot afford a lot of expensive hardware to implement this architecture effectively. However, the more complicated your internal network is, or the more money you have to spend, the more you might want to add the optional routers to the WFA, which is an outstanding way to add more levels of defense.

One of the most important features of the WFA is the DMZ. Its job is to provide a medium-security zone from which the WebServer and the WebSpeed messengers can be accessed from the outside network. Internet users can access these portions of the WebSpeed application, but cannot proceed to access the main portion of your WebSpeed application without using these components. If someone does get into your DMZ machine, your WebSpeed application data is safe on the inside network. The firewall is configured so that only the WebSpeed messengers themselves are allowed to talk with the inside network. This DMZ area is protected by the firewall, but doesn't expose ports used to communicate to the inside (most secure) network to the outside (least secure) world.

The remainder of the WebSpeed application resides on the inside network. In the diagram, they all reside on one host machine. The WebSpeed NameServer can be moved to another host on the inside network, but be sure it remains on the inside network. The unified broker, agents, and applications should all reside on the inside network to gain the maximum amount of protection from the firewall.
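The placement rule above can be checked mechanically against a firewall rule set. The following is an added example, not part of the Progress white paper or of any Progress tooling; the addresses, the messenger host, the service labels and the rule format are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption; the page gives no addresses or ports).
DMZ = ipaddress.ip_network("192.0.2.0/24")
INSIDE = ipaddress.ip_network("10.0.0.0/8")
# Hypothetical DMZ host running the web server and the WebSpeed messengers.
MESSENGER_HOSTS = {ipaddress.ip_address("192.0.2.10")}

# Constructed rule set: (action, source CIDR, destination CIDR, service label).
RULES = [
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "http"),
    ("allow", "192.0.2.10/32", "10.1.1.5/32", "nameserver"),
    ("allow", "192.0.2.10/32", "10.1.1.5/32", "broker"),
    ("allow", "192.0.2.0/24", "10.1.1.5/32", "nameserver"),  # whole DMZ, too broad
    ("allow", "0.0.0.0/0", "10.1.1.5/32", "nameserver"),     # NameServer exposed
    ("deny", "0.0.0.0/0", "10.0.0.0/8", "any"),
]


def audit(rules):
    """Return (index, source zone, service) for each allow rule that lets
    anything other than a messenger host reach the inside network."""
    findings = []
    for i, (action, src, dst, service) in enumerate(rules):
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if action != "allow" or not dst_net.overlaps(INSIDE):
            continue  # denies and rules that never touch the inside are not at issue
        if src_net.subnet_of(INSIDE):
            continue  # inside-to-inside traffic
        if src_net.num_addresses == 1 and src_net.network_address in MESSENGER_HOSTS:
            continue  # the one path into the inside network that the page allows
        zone = "DMZ" if src_net.subnet_of(DMZ) else "outside"
        findings.append((i, zone, service))
    return findings


if __name__ == "__main__":
    for index, zone, service in audit(RULES):
        print(f"rule {index}: {zone} source can reach inside service '{service}'")
```

Each allow rule is checked on its own; the rule ordering and first-match behaviour of a particular firewall product are not modelled.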

More information can be found at:
http://psdn.progress.com/library/white_papers

Select WebSpeed and you will see a list of security articles.