WebApp Sec mailing list archives
RE: DMZ and critical data
From: "Brian J. Bartlett" <security () netblackops com>
Date: Sun, 9 Jul 2006 07:57:13 -0700
Hi Pedro,

"My suggestion is to put a webserver in the internal network and configure a VPN, but it is not possible for the client."

I'm a bit mystified that they cannot use a VPN given that free solutions do exist, but given that restriction, and not to add to the other proposed solutions, I can see two other available approaches.

The first is to have a second DMZ that is connected only to the first, with appropriate port and network IP address restrictions so that only the web-based application server can access it. You would need to make sure that it is backed up very regularly in case the web-based application server gets cracked (hacked), which seems to happen with all too much regularity these days. Log mirroring to an internal network host would be highly suggested. I would also take advantage of network monitoring, with appropriate filters, to monitor traffic between the web-based application server and the file and database server.

Another approach, which I have been playing with for the last couple of years, is to host the critical file and database server on a virtual machine that is only accessible on the VM internal network from the web-based application server. In many ways this is no different from using a second DMZ, and you still face the problem of the web-based application server being cracked (hacked), but there is one significant difference: it is very easy to use scheduled snapshots and/or differencing to do the backups, so that very little is lost if/when the worst occurs. True, you do need a bit of heft to the host, but many servers today have quite a bit of headroom. Mine certainly does; it barely reaches 3% utilization and it is running three databases (SQL Server 2000 SP4, SQL Server 2005 SP1, Progressive SQL). Even virtualized, there are more than enough resources to go around on this three-year-old, single-CPU 2.8 GHz Pentium 4, 1 GB RAM machine.

This approach also simplifies restoration and works quite well with LDAP, DNS, and other critical servers, especially as there are now administrative tools that allow you to migrate the virtual machines to another machine should the host server fail. Lastly, I would also take advantage of network traffic monitoring. Given how many of the virtualization products are becoming available for free, and the much lower hardware costs today, it's an approach whose time has come, I believe.

-Bri

-----Original Message-----
From: Pedro Henrique Morsch Mazzoni [mailto:phmazzoni () gmail com]
Sent: Friday, July 07, 2006 7:23 AM
To: webappsec () securityfocus com
Subject: DMZ and critical data

Hello,

I am doing a network security project for a friend of mine. We will do a back-to-back DMZ, with an external and an internal firewall. In our project, only the web and mail servers stay in the DMZ. But the company wants to access a web-based application from the internet. The webserver needs access to a file and a database server, but the data on this server is critical. My suggestion is to put a webserver in the internal network and configure a VPN, but it is not possible for the client. I don't want to put the file and database servers on the DMZ, but if I put them on the internal network the webserver on the DMZ has to access the server, which compromises my security. Any suggestions?

Pedro Mazzoni
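As an added example (not part of Brian's reply or anything else in this thread), here is how the second-DMZ restriction he describes could be expressed as an nftables ruleset on the firewall sitting between the first DMZ and the second; the addresses, interface names and ports are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Firewall between DMZ 1 (web application
# server) and DMZ 2 (file and database server). All addresses, interface names
# and ports below are assumptions.
flush ruleset

define WEBAPP   = 192.0.2.10        # web application server, DMZ 1 (assumed)
define DBHOST   = 198.51.100.20     # file and database server, DMZ 2 (assumed)
define LOGHOST  = 10.0.0.5          # internal log collector for log mirroring (assumed)
define DB_PORTS = { 1433, 445 }     # SQL Server and assumed SMB file share

table inet dmz2 {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions that were already permitted; nothing else gets state.
        ct state established,related accept
        ct state invalid drop

        # Only the web application server may open the service ports on DBHOST.
        iifname "dmz1" oifname "dmz2" ip saddr $WEBAPP ip daddr $DBHOST tcp dport $DB_PORTS ct state new accept

        # DBHOST may push its logs to the internal collector, and nothing else inward.
        iifname "dmz2" oifname "lan" ip saddr $DBHOST ip daddr $LOGHOST udp dport 514 accept

        # DBHOST never initiates anything else, towards DMZ 1 or the internet,
        # so a cracked web server cannot turn it into a relay.
        iifname "dmz2" log prefix "dmz2-egress-denied: " drop

        # Everything else crossing the zones is logged and dropped; these log lines
        # are exactly what the traffic monitoring filters Brian mentions should watch.
        log prefix "dmz-fwd-denied: " drop
    }
}
```

Because the default policy is drop and only the two explicit flows are accepted, a web server compromise is limited to the database and file protocols the application already needs, and every other attempt between the zones shows up as a "dmz-fwd-denied" line on the mirrored logs.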