Your Web Servers from Attack
Increasingly business are relying on Web technology
to reach customers, partners, and employees. Whether the Web Servers
are supporting Intranet, Internet, or Extranet applications they
have become part of your critical infrastructure. Whether the Web
Servers are accessible from the Internet or restricted to closed
corporate networks, they are vulnerable to attack.
Using a WSA to isolate a single Web Server or a Web Server farm
from the network (Internet, private network, or LAN) can reduce
the Servers' vulnerability without affecting the Servers' ability
to support your business. Please consider the following:
The WSA offers the maximum level of protection in those situation
when you need access control for the entire Web Site. In this
case, only authenticated, authorized users can get a packet
through the WSA to the Web Servers. Therefore, the community
with the ability to attack your server is highly restricted
and in many cases well-known by you.
The WSA also includes a set of firewall rules, which are especially
suited for controlling the traffic to and from Web Servers.
For each type of traffic (e.g. UDP, broadcast, etc.) the WSA
administrator can select whether or not the traffic can flow
to or from the Server. The WSA firewall features protect the
Web Server(s) from attacks that leaked through perimeter firewalls
or attacks originating within the local network.
The WSA terminates all TCP connections with the browsers. Under
typical configurations, the WSA does not allow external TCP
connections directly to the Web Server(s). This means that the
WSA terminates most of the common denial of service attacks,
and the attacks will never reach the Server(s). The WSA is especially
designed to shed packets from most common denial of service
For additional discussion on the WSA's role in protecting your
Web Servers, please see the white paper: Security
Benefits of the WSA.