
Re: SSL / VPN ??



SSL won't be of any help if there's another exploit against IIS servers.  If 
someone can get to the IIS server and there's an exploit, SSL won't do 
anything except encrypt their exploit traffic.

SSL helps to encrypt the data but won't help to make the IIS server any more
secure.  SSL helps under normal usage conditions but an attacker will try to
do something abnormal to create an unexpected condition.  The firewall can
help but since you have to allow traffic to the IIS server it won't help
against this type of attack.

The firewall should limit traffic that can get to the IIS server and it
should also limit traffic that can originate *from* the IIS server.  In other
words, inbound *and* outbound filtering.  I would recommend that you create
rules on the firewall such that the IIS server cannot initiate any
connections to the outside world except to windowsupdate.  This means that 
you have to have an internal DNS resolver too.

One idea would be to place a reverse proxy built on Squid or Pound in front
of the IIS server.  Doing this you effectively make it so that no real-world
traffic ever touches the IIS server which is a good thing due to the boringly
trivial exploits that have historically plagued IIS.

Also, look at Nikto as a quick means to assess the security of the web
server.  Use Microsoft's MBSA to assess the IIS server patch level.

Hope this helps.

Steve

On Thu, Apr 22, 2004 at 12:37:38PM +0200, Craig Schneider wrote:
> Hi Guys
> 
> I have a question about securing web traffic through a Linux based
> firewall doing port forwarding to an internal IIS web server.
> 
> Due to the fact that this IIS server is exposed to the internet, we
> obviously need to secure it as best we can.
> 
> IIS uses https but I'm not sure this is enough or whether perhaps
> another method of encrypting traffic might be safer.
> 
> Any suggestions are welcomed at this point.
> 
> Thanks
> Craig
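The inbound and outbound filtering Steve recommends above, written out as an iptables script for a Linux firewall that port-forwards HTTPS to an internal IIS host and lets that host initiate only DNS to the internal resolver and HTTP/HTTPS to Windows Update. This is an added example, not code from the thread; the interface names, the 192.0.2.x and 198.51.100.x addresses, and the Windows Update addresses are placeholders, and the script only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal forwarding policy for a
# Linux firewall in front of an IIS host. Inbound: only port 443, DNAT'd to IIS.
# Outbound from IIS: only DNS to the internal resolver and HTTP/HTTPS to the
# Windows Update addresses. Everything else IIS initiates is logged and dropped.
# Dry-run by default; run with IPT=iptables as root to actually load the rules.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"        # assumed: internet-facing interface
LAN_IF="${LAN_IF:-eth1}"        # assumed: interface toward the IIS host
IIS_IP="${IIS_IP:-192.0.2.10}"  # placeholder: internal IIS address
DNS_IP="${DNS_IP:-192.0.2.53}"  # placeholder: internal DNS resolver
# Placeholder: the addresses your internal resolver returns for windowsupdate.
WU_IPS="${WU_IPS:-198.51.100.20 198.51.100.21}"

build_rules() {
    # Default-deny for forwarded traffic; the firewall's own INPUT/OUTPUT
    # chains are out of scope here.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING

    # Inbound: rewrite public :443 to the IIS host, then allow only that new flow.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 443 \
        -j DNAT --to-destination "$IIS_IP:443"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$IIS_IP" --dport 443 \
        -m state --state NEW -j ACCEPT

    # Return traffic for flows that were already accepted, in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound from IIS: DNS to the internal resolver only ...
    $IPT -A FORWARD -i "$LAN_IF" -s "$IIS_IP" -d "$DNS_IP" -p udp --dport 53 -j ACCEPT
    # ... and HTTP/HTTPS to the Windows Update addresses only.
    for ip in $WU_IPS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$IIS_IP" -d "$ip" -p tcp \
            -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    done

    # Anything else the IIS host tries to open is logged; the DROP policy
    # then discards it. These log lines are the signal that IIS is trying
    # to call out somewhere it should not.
    $IPT -A FORWARD -i "$LAN_IF" -s "$IIS_IP" -m state --state NEW \
        -j LOG --log-prefix "IIS-EGRESS-DENY: "
}

build_rules
```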
