
Published internal server through web application firewall - how secure is this?

Hello,

Today I had some discussions with my colleague. We need to publish a web server via HTTPS to the internet (Windows 2012 R2, IIS, ASPX).

In my opinion the server should go into the DMZ and be published via the web application firewall, which would cause some problems, e.g. because of access patterns from one of the remote sites.

My colleague was of the opinion that it would be even more secure to place it in the internal network and publish it via the web application firewall.

Of course the WAF is much more secure than doing a port forwarding to port 443 of the server on the firewall.

But the question is - how secure? It is clear that someone who manages to gain control of the web server would be in the internal network in one case and in the DMZ in the other case.

How hard is it to get control of a web server with Windows 2012 and IIS behind a web application firewall?

Best regards,
Bernd



  • Hi Bernd,

    UTM's WAF provides several security features to make it difficult to gain control:

    Static URL hardening: Protects against URL rewriting
    Form hardening: Protects against web form rewriting
    Cookie signing: Protects a webserver against manipulated cookies
    Blocks clients with bad reputation: based on GeoIP and RBL
    Common threats filter: protocol violations, protocol anomalies, request limits, HTTP policy, bad robots, generic attacks, SQL injection attacks, XSS attacks, trojans, outbound (prevents web servers from leaking info to the client)
    Antivirus scanning: single or dual scan
    Block uploads by MIME type or unscannable content

    For further details on WAF features, on your UTM WebAdmin, click the Help (?) button on the top right for detailed explanations of the features.

    Cheers,

    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

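The cookie signing feature in the list above works by attaching a keyed signature to every cookie the backend sets and rejecting inbound cookies whose signature no longer matches. The following Python sketch is an added illustration of that mechanism, not Sophos UTM code; the secret, cookie names and the `.sig` companion-cookie convention are assumptions for the demo.

```python
import hmac
import hashlib

# Constructed demo secret. A real WAF keeps this per virtual server and never sends it to clients.
WAF_SECRET = b"demo-secret-do-not-use"


def _mac(name: str, value: str, secret: bytes = WAF_SECRET) -> str:
    # HMAC over name and value, so a valid signature cannot be moved to a different cookie.
    msg = f"{name}={value}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_outbound(cookies: dict, secret: bytes = WAF_SECRET) -> dict:
    """Outbound path (backend -> client): add a companion '<name>.sig' cookie for each cookie."""
    out = {}
    for name, value in cookies.items():
        out[name] = value
        out[f"{name}.sig"] = _mac(name, value, secret)
    return out


def verify_inbound(cookies: dict, secret: bytes = WAF_SECRET) -> tuple:
    """Inbound path (client -> backend): keep only cookies whose signature verifies.

    Returns (accepted cookies, list of rejected cookie names). A cookie with a missing
    or mismatching signature is dropped before the request reaches the web server.
    """
    accepted, rejected = {}, []
    for name, value in cookies.items():
        if name.endswith(".sig"):
            continue  # signature cookies are consumed here, never forwarded
        presented = cookies.get(f"{name}.sig", "")
        if hmac.compare_digest(presented, _mac(name, value, secret)):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed round trip: the backend sets two cookies, the client tampers with one.
    to_client = sign_outbound({"session": "abc123", "role": "user"})
    from_client = dict(to_client)
    from_client["role"] = "admin"  # modified on the client side
    print(verify_inbound(from_client))  # ({'session': 'abc123'}, ['role'])
```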
  • I'm with you, Bernd.  Anything that can be reached from the Internet should be in a DMZ.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA