Security Basics mailing list archives
RE: How to secure a webserver in a DMZ
From: "Burton Strauss" <Burton () FelisCatus org>
Date: Fri, 5 May 2006 12:03:03 -0500
Put a specific firewall in there between the DMZ DBMS client and the Internal DBMS server. That is, punch through the firewall ONLY for the specific DBMS port (e.g. 3306 for MySQL, etc.) between those two specific machines.

-----Burton

-----Original Message-----
From: Dennis Breithaupt [mailto:dennisb () tetaworx de]
Sent: Friday, May 05, 2006 2:41 AM
To: security-basics
Subject: How to secure a webserver in a DMZ

Hello,

my question seems to be a really basic one: What are the security best practices to secure a Linux-based Web/application server, let's say Apache/Tomcat, with access to a database backend in a corporate DMZ from a firewall point of view?

We want to make an internal database-based application available for road warriors using PDAs through a normal https-connection. So we want to place the (presentation-)server into a DMZ behind our firewall, allowing only tcp/443 (or even limited to "ENC-HTTP", using application-level features from i.e. Checkpoint FW) from the outside and only relevant services, as i.e. read-only database connections, ldap-connections for authentication from the DMZ through the firewall to the inside net.

The key is that it is not possible to mirror or actively push all relevant data from the core into the DMZ, so the DMZ-server has to open connections actively from the DMZ to some core database and also authentication servers. So there is a possible attack scenario, that the presentation server could be compromised and then the intruder could use the allowed connections into the core.

How would you solve such a situation? Is it generally speaking ok for a DMZ-located server to open connections into the core or should this never be possible?

Regards,
-Dennis
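One way to check a firewall rule set against the pinhole advice in the reply above, as an added example that is not part of the original thread. The addressing plan, rule names and rule format are constructed assumptions, and every rule in the list is assumed to be an accept rule.

```python
import ipaddress

# Constructed addressing plan and rule set (assumptions for illustration only).
DMZ = ipaddress.ip_network("192.0.2.0/24")
CORE = ipaddress.ip_network("10.0.0.0/8")
# Approved pinholes: (DMZ client, core server, TCP port). 3306 is the MySQL port.
APPROVED = {("192.0.2.10", "10.1.1.20", 3306)}

RULES = [
    {"name": "inet-to-web-https", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "proto": "tcp", "ports": (443, 443)},
    {"name": "web-to-mysql", "src": "192.0.2.10/32", "dst": "10.1.1.20/32", "proto": "tcp", "ports": (3306, 3306)},
    {"name": "dmz-to-db", "src": "192.0.2.0/24", "dst": "10.1.1.20/32", "proto": "tcp", "ports": (3306, 3306)},
    {"name": "web-to-core-all", "src": "192.0.2.10/32", "dst": "10.0.0.0/8", "proto": "tcp", "ports": (1, 65535)},
    {"name": "web-to-db-ssh", "src": "192.0.2.10/32", "dst": "10.1.1.20/32", "proto": "tcp", "ports": (22, 22)},
]

def audit_rule(rule):
    """Return the reasons a rule is wider than a host-to-host, single-port pinhole."""
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    if not (src.overlaps(DMZ) and dst.overlaps(CORE)):
        return []  # not a DMZ-to-core rule, out of scope for this check
    lo, hi = rule["ports"]
    reasons = []
    if src.num_addresses != 1:
        reasons.append("source is not a single host")
    if dst.num_addresses != 1:
        reasons.append("destination is not a single host")
    if rule["proto"] != "tcp" or lo != hi:
        reasons.append("not a single TCP port")
    if not reasons:
        # Narrow enough; now confirm it is one of the pinholes actually signed off.
        key = (str(src.network_address), str(dst.network_address), lo)
        if key not in APPROVED:
            reasons.append("not an approved pinhole")
    return reasons

def audit(rules):
    """Map rule name -> reasons, for every rule that fails the check."""
    return {r["name"]: why for r in rules if (why := audit_rule(r))}

if __name__ == "__main__":
    for name, why in audit(RULES).items():
        print(f"{name}: {'; '.join(why)}")
```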