Re: How to secure a webserver in a DMZ

[Dennis Breithaupt <dennisb () tetaworx de>]

Saqib Ali schrieb:
> If I understand your question correctly. Your webserver is in the in
> the DMZ, which is accessing the DB that is residing in a main
> firewalled intranet. This scenario is certianly possible, but will be
> vulnerable. If your webserver gets comprised, your DB is open as well.

ok, I agree with that.

How easy would it be for an "advanced agressor" to load evil code (for 
ssh-over-https-tunneling i.e.) from the internet, if the only connection 
to the webserver is encrypted http inbound and outbound traffic is not 
allowed? Some dirty tricks with HTTP-POST maybe?

> I would recommend instead of placing the web server in DMZ, place a
> reverse HTTP proxy in the DMZ, that talks to the HTTP server that
> reside inside your main firewall. This way if your reverse proxy
> server gets compromised, there will much much less chances of the
> webserver/DB being compromised.

I agree, too. But why should in theory a HTTP-backend-connection more 
secure, than a database-backend-connection?

If anybody was able to compromise the Reverse proxy over https, than he 
could even go further and compromise the backand webserver through 
tricky-http stuff also?

Of course 'security' can never be absolute and I think there're no 100% 
'secure' or 100% 'insecure' constellations, but how can one get an 
understanding of how much 'more safe' a reverse proxy with a 
http-connection into the internal net is, than a database-backend 
connection from a presentation server?

> --
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------

Thanks again for your thoughts,
Dennis