Firewall Wizards mailing list archives

Re: Web Services and Firewall/Network Architecture


From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 20 Mar 2008 15:36:41 -0400

Here's what I would do (assuming I understood you correctly):
 
1.  put your new web server inside your LAN
2.  set up your firewall to PAT/NAT from ExtInt:80,443 to web server:443
3.  on your web server, make sure only HTTP/SSL traffic is allowed--lock it down
4.  make sure your programmers understand about buffer overflows, input sanitation, and the difference between 
whitelisting and blacklisting (i.e. secure by default)
5.  if you should be getting traffic from only one set of networks, you could lock down your firewall PAT/NAT rule a 
bit, and lock down your web server host rules a bit
 
You'll need a certificate (you can self-generate one, or you can get one from Thawte or Verisign).  Make sure you apply 
security patches in a timely manner (e.g. you could schedule 3am--4am every night for downtime/maintenance, and make 
sure you use that downtime).
 
At this point you have covered network security, host security, and application security--to an ethically reasonable 
degree.
 
--Patrick Darden

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com]On 
Behalf Of Ginski, Richard J
Sent: Thursday, March 20, 2008 2:29 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Web Services and Firewall/Network Architecture
Hi All,
There's talk in our org to directly interface one of our back-end servers to provide web services for external entities 
via the Internet. On the surface, this is a risky option for me. Although firewall "protected", I don't want a 
"protected device" directly interacting with web service "consumers" from the Internet. It sounds like a bad idea to me.

I have been searching around looking for sample diagrams (etc) on environments that support Web Services. I am trying 
to determine where stuff goes in this environment and how a firewall/DMZ fit into the picture. Can anyone point me to 
where info would be available for this? I've checked the archives for the past year and checked at OASIS, W3C, OWASP, 
and XML.com, with no luck. The "web services sites" focus on coding practices, coding architecture, and coding 
frameworks. Although very important, it's not the info I am looking for. We are trying to determine how web services 
fit in our environment using best practices in network design and network security to support web services. 
Any help would be greatly appreciated. TIA!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
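Editor's note: the five-step setup in Patrick Darden's reply above (perimeter PAT/NAT of external 80 and 443 to the web server's 443, a host firewall that allows only HTTPS, and an optional restriction to known source networks) expressed as a rule generator. This is an added example, not code from the thread; the interface name eth0, the server address 10.0.0.5 and the sample source networks are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): emits iptables commands for steps 2, 3 and 5
# of the reply above. Hypothetical values: external interface eth0, web server 10.0.0.5.
# Review the output first, then apply as root on the right box:  sh gen_rules.sh | sh
set -eu

EXT_IF="${EXT_IF:-eth0}"            # hypothetical external interface
WEB="${WEB:-10.0.0.5}"              # hypothetical internal web server address
ALLOWED_SRC="${ALLOWED_SRC:-}"      # optional: "203.0.113.0/24 198.51.100.0/24"; empty = any

# Step 2 (+5): perimeter PAT/NAT of ExtInt:80 and ExtInt:443 to WEB:443.
# When ALLOWED_SRC is set, rules are emitted only for those networks and there is
# no catch-all, so other sources are never translated or forwarded (step 5).
perimeter_nat_rules() {
    srcs="${ALLOWED_SRC:-0.0.0.0/0}"
    for src in $srcs; do
        for port in 80 443; do
            printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:443\n' \
                "$EXT_IF" "$src" "$port" "$WEB"
        done
        # after DNAT the packet is forwarded; permit only the translated flow
        printf 'iptables -A FORWARD -i %s -s %s -d %s -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$EXT_IF" "$src" "$WEB"
    done
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -P FORWARD DROP\n'
}

# Step 3: host firewall on the web server itself. Default deny, HTTPS only.
# Add your management path (e.g. SSH from the admin LAN) before applying, or you lock yourself out.
host_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n'
}

all_rules() {
    echo '# --- perimeter firewall ---'
    perimeter_nat_rules
    echo '# --- web server host ---'
    host_rules
}

all_rules
```

Run it with `ALLOWED_SRC="203.0.113.0/24 198.51.100.0/24" sh gen_rules.sh` to see the step 5 variant, where the catch-all 0.0.0.0/0 rules disappear.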