Security Basics mailing list archives
Re: How to secure a webserver in a DMZ
From: Dennis Breithaupt <dennisb () tetaworx de>
Date: Fri, 05 May 2006 23:31:32 +0200
Saqib Ali schrieb:
If I understand your question correctly. Your webserver is in the in the DMZ, which is accessing the DB that is residing in a main firewalled intranet. This scenario is certianly possible, but will be vulnerable. If your webserver gets comprised, your DB is open as well.
ok, I agree with that.How easy would it be for an "advanced agressor" to load evil code (for ssh-over-https-tunneling i.e.) from the internet, if the only connection to the webserver is encrypted http inbound and outbound traffic is not allowed? Some dirty tricks with HTTP-POST maybe?
I would recommend instead of placing the web server in DMZ, place a reverse HTTP proxy in the DMZ, that talks to the HTTP server that reside inside your main firewall. This way if your reverse proxy server gets compromised, there will much much less chances of the webserver/DB being compromised.
I agree, too. But why should in theory a HTTP-backend-connection more secure, than a database-backend-connection?
If anybody was able to compromise the Reverse proxy over https, than he could even go further and compromise the backand webserver through tricky-http stuff also?
Of course 'security' can never be absolute and I think there're no 100% 'secure' or 100% 'insecure' constellations, but how can one get an understanding of how much 'more safe' a reverse proxy with a http-connection into the internal net is, than a database-backend connection from a presentation server?
-- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 -----------
Thanks again for your thoughts, Dennis
Current thread:
- How to secure a webserver in a DMZ Dennis Breithaupt (May 05)
- Re: How to secure a webserver in a DMZ Saqib Ali (May 08)
- Re: How to secure a webserver in a DMZ Dennis Breithaupt (May 08)
- Re: How to secure a webserver in a DMZ Saqib Ali (May 08)
- Re: How to secure a webserver in a DMZ Dennis Breithaupt (May 08)
- RE: How to secure a webserver in a DMZ Burton Strauss (May 08)
- Re: How to secure a webserver in a DMZ Saqib Ali (May 08)