NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
The disadvantages of a DMZ from a security standpoint are as follows:
- DoS attacks aimed at the Web server may have an effect on the internal network, because the DMZ typically shares the organization's Internet connection and firewall with the internal network.
- Depending on the firewall configuration controlling traffic between the DMZ and internal network, it may be possible for the Web server to be used to attack or compromise hosts on the internal network. In other words, the protection offered by the DMZ depends in large part on the firewall configuration.
For organizations that support their own Web server, a DMZ is almost invariably the best option. It offers protection for the Web server and other externally accessible servers without exposing the internal network. However, it should only be considered secure when employed in conjunction with the other steps discussed in this document.
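The second disadvantage above turns entirely on how the firewall between the DMZ and the internal network is configured. The ruleset below is an added example, not part of the NIST document, written in nftables syntax for a three-legged firewall. It shows the weak setting (forwarded traffic accepted by default, left as a commented-out line) beside a corrected policy that drops everything from the DMZ toward the internal network except the single database connection the Web server legitimately needs. The interface names wan0, dmz0 and lan0, the addresses 192.0.2.10 (Web server) and 10.0.0.20 (internal database), and the ports are assumptions for illustration.

```nftables
# Added example (not from NIST SP 800-44): forward policy for a firewall with
# three interfaces: Internet (wan0), DMZ (dmz0) and internal network (lan0).
# Interface names, addresses and ports are assumed for illustration.
# Check syntax without loading:  nft -c -f dmz.nft
# Apply:                          nft -f dmz.nft
flush ruleset

define WEB_SERVER  = 192.0.2.10
define INTERNAL_DB = 10.0.0.20

table inet filter {
    chain forward {
        # WEAK setting: with "policy accept" on this hook, a compromised DMZ host
        # can open connections to any internal host on any port.
        # type filter hook forward priority 0; policy accept;

        # Corrected: nothing crosses the firewall unless a rule below permits it.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections already permitted in the other direction.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTP/HTTPS, and only to the Web server.
        iifname "wan0" oifname "dmz0" ip daddr $WEB_SERVER tcp dport { 80, 443 } ct state new accept

        # DMZ -> internal: only the Web server, only to the database it uses.
        # Anything else the Web server attempts after a compromise falls through to drop.
        iifname "dmz0" oifname "lan0" ip saddr $WEB_SERVER ip daddr $INTERNAL_DB tcp dport 5432 ct state new accept

        # Internal -> DMZ: administrators reach the Web server over SSH/HTTPS.
        iifname "lan0" oifname "dmz0" ip daddr $WEB_SERVER tcp dport { 22, 443 } ct state new accept

        # Internal -> Internet is allowed. DMZ -> Internet is deliberately not
        # opened here; add an explicit rule (e.g. to a patch mirror) if needed.
        iifname "lan0" oifname "wan0" ct state new accept

        # Log what the default policy drops so a DMZ host probing inward is visible.
        log prefix "fw-forward-drop: " drop
    }
}
```

After loading, `nft list ruleset` shows the active policy, and log lines prefixed `fw-forward-drop:` from dmz0 toward lan0 are the signal that the Web server is being used to reach inward. The one permitted path (TCP 5432 to the database) is still a path: the database host itself must be hardened and its account for the Web application limited, since this rule cannot distinguish legitimate queries from those issued by an attacker who controls the Web server.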
8.1.3 Outsourced Hosting<br />
Some organizations choose to outsource the hosting of their Web servers to a third party (e.g., an ISP, Web hosting service, or other government agency). In this case, the Web server would not be located on the organization's network. The hosting service would instead operate a dedicated network that hosts many Web servers (for many organizations) on a single network (see Figure 8-4).
Figure 8-4. Outsourced <strong>Web</strong> Server Hosting<br />
From a security standpoint, the advantages of outsourcing are as follows:
- DoS attacks aimed at the Web server have no effect on the organization's production network.
- Compromise of the Web server does not directly threaten the internal production network.
- The outsourcer may have greater knowledge of securing and protecting Web servers.