4 Check Point VPN-1/FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions
For example, if the company's public Web server is placed within the internal
network, the firewall needs to be configured to allow HTTP connections to this
system, so that everyone can get to the Web pages.
If the Web server contains security holes (due to software bugs, configuration
errors, insecure dynamic content, or any one of many other possible causes),
an attacker can gain full access to the Web server system. The firewall cannot
then prevent the attacker from using this foothold to reach other systems in
the same security zone (in this case, the internal network), because that
traffic never crosses the firewall.
Experience shows that it is not realistic to expect complex server software
(such as Web servers) to be free of security holes. Major companies and
government institutions (such as NATO, whitehouse.gov, and so on) have
frequently been victims of these kinds of attacks. New security holes are found
every day and circulate among attackers before they are published on public
Internet sites, so a system can be compromised through a hole that its
administrators do not yet know exists.
For more information on the phenomenon, see:
Placing important servers outside the firewall, in the external network, is not
recommended either, since the firewall then cannot protect them at all.
More security can be gained by introducing a perimeter network and placing such
servers in it. This is known as a Demilitarized Zone (DMZ). The classical DMZ
setup has two firewalls with the DMZ server network between them, as shown in
Figure 2 on page 5: the outer firewall admits only the public services, and the
inner firewall admits nothing from the DMZ into the internal network, so a
compromised DMZ server cannot be used as a stepping stone.
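The following is an added example, not part of the Redbook and not Check Point code: a small Python model of the two designs discussed above (a Web server inside the internal network behind one firewall, versus a Web server in a DMZ between two firewalls). The address plan, host names and rule bases are assumptions chosen for illustration; the rule evaluation mimics a first-match rule base with an implicit drop at the end. It shows that in the flat design a compromised Web server reaches an internal file server without ever meeting the firewall, while in the DMZ design the inner firewall drops that connection.

```python
# Added example (not from the Redbook): model of the flat design versus the
# two-firewall DMZ design, to show why the inner firewall matters.
# All addresses and rule bases below are assumptions chosen for illustration.
import ipaddress
from dataclasses import dataclass

# Assumed address plan.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")
WEB_INTERNAL = ipaddress.ip_address("10.1.0.80")   # Web server inside the internal network
WEB_DMZ = ipaddress.ip_address("192.0.2.80")       # the same server moved into the DMZ
FILESERVER = ipaddress.ip_address("10.1.0.10")     # an internal system the attacker wants
CLIENT = ipaddress.ip_address("203.0.113.5")       # some host on the Internet


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # "http", "smb", ... or "any"
    action: str    # "accept" or "drop"


def host(addr):
    """Single-host network object for use in a rule."""
    return ipaddress.ip_network(f"{addr}/32")


def evaluate(rules, src, dst, service):
    """First matching rule wins; anything unmatched is dropped, like a
    FireWall-1 rule base with a cleanup rule at the end."""
    for r in rules:
        if src in r.src and dst in r.dst and r.service in ("any", service):
            return r.action
    return "drop"


# A design is an ordered list of zones (outermost first) plus the firewalls
# between consecutive zones: firewalls[k] sits between zones[k] and zones[k+1].
FLAT = {
    "zones": [("internet", INTERNET), ("internal", INTERNAL)],
    "firewalls": [[
        Rule(INTERNET, host(WEB_INTERNAL), "http", "accept"),
        Rule(INTERNAL, INTERNET, "any", "accept"),
    ]],
}

TWO_FIREWALL_DMZ = {
    "zones": [("internet", INTERNET), ("dmz", DMZ), ("internal", INTERNAL)],
    "firewalls": [
        [   # outer firewall: Internet <-> DMZ
            Rule(INTERNET, host(WEB_DMZ), "http", "accept"),
            Rule(INTERNAL, INTERNET, "any", "accept"),
        ],
        [   # inner firewall: DMZ <-> internal; nothing from the DMZ may come in
            Rule(INTERNAL, INTERNET, "any", "accept"),
        ],
    ],
}


def zone_index(design, addr):
    """Index of the innermost (most specific) zone containing addr."""
    return max(i for i, (_, net) in enumerate(design["zones"]) if addr in net)


def allowed(design, src, dst, service):
    """A connection passes if every firewall on the path between the two
    zones accepts it. Traffic within one zone never meets a firewall."""
    lo, hi = sorted((zone_index(design, src), zone_index(design, dst)))
    return all(evaluate(design["firewalls"][k], src, dst, service) == "accept"
               for k in range(lo, hi))


def lateral_movement_possible(design, web, target):
    """Can a compromised Web server open an SMB connection to the target?"""
    return allowed(design, web, target, "smb")


if __name__ == "__main__":
    print("flat: Web server reachable from Internet:",
          allowed(FLAT, CLIENT, WEB_INTERNAL, "http"))
    print("flat: compromised Web server reaches file server:",
          lateral_movement_possible(FLAT, WEB_INTERNAL, FILESERVER))
    print("dmz : Web server reachable from Internet:",
          allowed(TWO_FIREWALL_DMZ, CLIENT, WEB_DMZ, "http"))
    print("dmz : compromised Web server reaches file server:",
          lateral_movement_possible(TWO_FIREWALL_DMZ, WEB_DMZ, FILESERVER))
```

Note that the DMZ rule bases also leave the Web server unable to open connections out to the Internet, since no rule on the outer firewall accepts traffic with a DMZ source; whether to permit that (for example, for DNS or software updates) is a deliberate decision, and each service allowed out is one more channel a compromised server can use.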