Timothy Murphy wrote:
> I still don't really see any great advantage
> in running the web-server on a different machine to the firewall.
> Can one not restrict the part of the computer
> accessible through the web-server in a reasonably secure way?

You can certainly take efforts to keep your web server patched up and
secure (including web apps above and beyond the web server itself).
This will go far in keeping your box secure and should keep out the
"casual" attacker. It really comes down to the environment you are
running in and what you are trying to protect.

But if someone manages to exploit your system via your web server or an app
you have installed, and the attacker manages to get root, they own your
system now, including tweaking your firewall ruleset to give themselves
further access to your network.

By keeping all unnecessary services off your firewall you reduce the
number of places an attacker can try to exploit - hopefully keeping your
firewall safer in the long run.

Again, it comes down to what you are trying to protect. On home
setups I have placed the web server on the firewall and just made sure to keep
everything up to date and be wary of what apps I run on the box based on
their past security track record.
-J
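As an added illustration of the two points J makes (keep unnecessary listening services off the firewall host, and notice when a compromised host's ruleset has been changed), here is a small POSIX shell audit. It is example code written for this page, not something from the thread or from any firewall distribution. It assumes `ss -tulnH` style output (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and `iptables-save` style rule lines; every sample shown is constructed so the script runs offline, and on a real host you would feed it the live `ss -tulnH` output and a saved baseline ruleset instead.

```shell
#!/bin/sh
# Example audit for a firewall host (constructed example, not from the thread).

# Constructed `ss -tulnH` output: sshd on 22, a web server on 80, a local
# resolver on 53. On a real host replace this with: ss -tulnH
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
udp   UNCONN 0      0            127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*'

# Services the firewall is allowed to expose, as proto/port, one per line.
ALLOWED='tcp/22
udp/53'

# Constructed iptables-save style rulesets: the known-good baseline and a
# "current" ruleset in which one extra ACCEPT rule has appeared.
BASELINE_RULES='-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'
CURRENT_RULES='-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -j DROP'

# listeners SS_OUTPUT: print each listening socket as "proto/port", deduplicated.
# Column 5 is the local address; the port is whatever follows the last ':'.
listeners() {
    printf '%s\n' "$1" | awk '{
        n = split($5, parts, ":")
        print $1 "/" parts[n]
    }' | sort -u
}

# unexpected_listeners SS_OUTPUT ALLOWLIST: print listeners not on the
# allowlist; exit status 0 only when nothing unexpected is listening.
unexpected_listeners() {
    found=0
    for entry in $(listeners "$1"); do
        if ! printf '%s\n' "$2" | grep -qx "$entry"; then
            echo "$entry"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# ruleset_additions BASELINE CURRENT: print rule lines present in the
# current ruleset but absent from the baseline (comm needs sorted input).
ruleset_additions() {
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' "$1" | sort > "$base"
    printf '%s\n' "$2" | sort > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# Run both checks against the constructed samples.
echo "Unexpected listeners:"
unexpected_listeners "$SAMPLE_SS" "$ALLOWED" || echo "(review the above)"
echo "Rules added since baseline:"
ruleset_additions "$BASELINE_RULES" "$CURRENT_RULES"
```

Run as a cron job with the real `ss -tulnH` output and a baseline captured right after the firewall was built, both checks become a cheap alarm: the first flags a service that should never have been on the firewall host (here the web server on tcp/80), and the second flags the kind of ruleset edit J warns about once an attacker has root.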