Hello,
today I had some discussions with my colleague. We need to publish a webserver via HTTPS to the internet (Windows 2012R2, IIS, aspx).
In my opinion the server should go into the DMZ and be published via a web application firewall, which would cause some problems, e.g. because of access patterns from one of the remote sites.
My colleague had the opinion that it would be even more secure to place it in the internal network and publish it via the web application firewall.
Of course the WAF is much more secure than doing a port forwarding to port 443 of the server on the firewall.
But the question is - how secure? It is clear that someone who manages to gain control of the webserver would be in the internal network in one case and in the DMZ in the other case.
How hard is it to get control of a webserver with Windows 2012 and IIS behind a web application firewall?
Best regards,
Bernd