IIS and Firewall Architecture
The concept of a firewall is fairly straightforward. The problems arise in developing the security policy. Always remember that the harder you make it to break into a system, the more difficult that system is to use and administer. Because IIS is tightly integrated with the NT security system, it is at least as good as the NT system itself. On top of that, IIS adds extra capabilities, such as IP inclusion/restriction for the three basic services (World Wide Web, FTP, and Gopher). Even
A firewall should be able to do complete packet filtering. This is where each basic IP message is examined and either permitted to pass to the internal or external system or blocked, based on a series of rules. Currently, the number of different firewall systems to choose from is still low. Those that are in place require a great deal of overhead. One example is the firewall system for NT by Raptor Software. This product cannot run concurrently with Remote Access Service, and it requires at least a Pentium processor and 32MB of RAM. Likewise, a firewall should be completely independent of the internal system, which requires an extra, independent processing system.
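The rule-by-rule evaluation described above, as an added example that is not part of the original text: a first-match packet filter in Python. The rule set, the addresses (documentation ranges) and the names Rule, Packet and filter_packet are constructed for illustration; ports 80, 21 and 70 are the standard ports of the three services mentioned earlier.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


def matches(rule, pkt):
    """True when the packet satisfies every field of the rule."""
    in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    proto_ok = rule.proto in ("any", pkt.proto)
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return in_net and proto_ok and port_ok


def filter_packet(rules, pkt, default="deny"):
    """Rules are checked in order; the first match decides the outcome."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default  # nothing matched: fall back to the default policy


# Constructed rule set (documentation address ranges, not from the page).
RULES = [
    Rule("deny", "203.0.113.0/24", "any", None),  # excluded network
    Rule("permit", "0.0.0.0/0", "tcp", 80),       # World Wide Web
    Rule("permit", "0.0.0.0/0", "tcp", 21),       # FTP control channel
    Rule("permit", "192.0.2.0/24", "tcp", 70),    # Gopher, one network only
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "tcp", 80),
                Packet("203.0.113.9", "tcp", 80),
                Packet("198.51.100.7", "tcp", 70),
                Packet("198.51.100.7", "tcp", 139)):
        print(pkt, "->", filter_packet(RULES, pkt))
```

Reversing the rule order or switching the default to "permit" changes the verdicts for the same packets, which is why both rule order and the default belong in the written security policy.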
A good firewall consists of several forms of filtering. Therefore, some people argue that NT security and the limited packet filtering provided by IIS constitute a firewall. The problem with this point of view is that IIS does not provide the absolute ability to control access; the issue is rather one of management. It is difficult to maintain an effective security policy if two separate systems implement the security policies of your organization.