
Published internal server through Web application firewall - How secure is this?

Hello,

Today I had some discussions with my colleague. We need to publish a webserver via HTTPS to the internet (Windows 2012R2, IIS, aspx).

In my opinion, the server should go into the DMZ and be published via the web application firewall, which would cause some problems, e.g. because of access patterns from one of the remote sites.

My colleague had the opinion that it would be even more secure to place it in the internal network and publish it via the web application firewall.

Of course the WAF is much more secure than doing port forwarding to port 443 of the server on the firewall.

But the question is - how secure? It is clear that someone who manages to gain control of the webserver would be in the internal network in one case and in the DMZ in the other case.

How hard is it to get control of a webserver with Windows 2012 and IIS behind a web application firewall?

Best regards,
Bernd



This thread was automatically locked due to age.
  • I'm with you, Bernd.  Anything that can be reached from the Internet should be in a DMZ.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA