Web Server behind Firewall

This message was a response to one of our technicians who was fielding a question from a customer. The customer wanted to know if his web site (hosted at our facility) was behind a firewall.

No, it's not, and that should generally not cause him any concern.  Even in
an environment with a firewall, public web servers (and other servers which
provide services to outside Internet users) are normally left outside the
firewall.

Unless there is private data on it (such as customer credit card numbers),
the only risk to exposing it that way is defacement, where someone alters
your web page.  This is easily dealt with, much as you would handle a disk
failure.

The alternative is as you described, putting it behind a firewall and passing
HTTP traffic through it.  This is actually riskier.  If an attacker can
compromise your web server, he or she then has control of a machine inside
your firewall.  The ability of the firewall to block an HTTP attack passing
through it is somewhat limited, and varies with the type of firewall and the
type of attack.

It might be worth noting that there are packet filters in place on the router
that protect the web server.  Only HTTP and FTP traffic is allowed through to
the web server.
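
The placement argument above, modelled as an added example (not part of the original message): a first-match packet filter applies the router policy from the last paragraph, then the script compares which internal services a compromised web server can connect to in each placement. All addresses, the internal hosts and their ports are constructed; ports 80 and 21 stand for HTTP and FTP control, and the FTP data channel is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation/private ranges), not from the message.
INTERNET_CLIENT = "198.51.100.7"
WEB_OUTSIDE = "192.0.2.10"    # web server left outside the firewall
WEB_INSIDE = "10.0.0.10"      # same server placed behind the firewall
INTERNAL_NET = "10.0.0.0/24"
INTERNAL_HOSTS = {"10.0.0.20": 445, "10.0.0.30": 5432}  # host -> service port

def allowed(rules, src, dst, port):
    """First-match packet filter; traffic matching no rule is dropped."""
    for action, src_net, dst_net, ports in rules:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and (ports is None or port in ports)):
            return action == "permit"
    return False

def router_filter(web_ip):
    """Router policy from the message: only HTTP and FTP reach the web server.
    Assumption: 80 = HTTP, 21 = FTP control."""
    return [("permit", "0.0.0.0/0", f"{web_ip}/32", {80, 21}),
            ("deny", "0.0.0.0/0", f"{web_ip}/32", None)]

def firewall(web_behind_it=None):
    """Firewall guarding the internal network: deny inbound by default,
    plus an HTTP pass-through when the web server sits behind it."""
    rules = []
    if web_behind_it:
        rules.append(("permit", "0.0.0.0/0", f"{web_behind_it}/32", {80}))
    rules.append(("deny", "0.0.0.0/0", INTERNAL_NET, None))
    return rules

def reachable_after_compromise(web_ip, fw_rules):
    """Internal services a compromised web server can connect to.
    Traffic between hosts on the internal segment never crosses the firewall."""
    same_segment = ip_address(web_ip) in ip_network(INTERNAL_NET)
    return sorted(host for host, port in INTERNAL_HOSTS.items()
                  if same_segment or allowed(fw_rules, web_ip, host, port))

if __name__ == "__main__":
    for port in (21, 22, 80, 3306):
        ok = allowed(router_filter(WEB_OUTSIDE), INTERNET_CLIENT, WEB_OUTSIDE, port)
        print(f"internet -> web:{port} {'permit' if ok else 'deny'}")
    print("outside firewall:", reachable_after_compromise(WEB_OUTSIDE, firewall()))
    print("behind firewall: ",
          reachable_after_compromise(WEB_INSIDE, firewall(WEB_INSIDE)))
```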