WebApp Sec mailing list archives
Re: DMZ and critical data
From: Mohammad Ali Sarbanha <sarbanha () tkckish co ir>
Date: Mon, 10 Jul 2006 08:41:43 +0330
Hi Brian, Pedro,

Thanks for your valuable information, but I'm not sure if a virtual machine can help in this issue. Suppose a hacker can remotely execute code on your server and gain control of your server (even partially); he might be able to breach into your database as well. This would also impose many limitations while extending the infrastructure.
Snapshots are sometimes valuable, but it depends on the stored data. Because lost data can be recovered by a backup restoration, but the damage of divulged information is sometimes irrecoverable, i.e. credit card information.
Another method is to proxy the webserver! Both the webserver and the database server can be kept on the intranet, and a proxy server can be installed in the DMZ to allow Internet users to access the corporate intranet webserver. Some more tricks on the firewall (using NAT and PAT) would enable you to make connectivity between the proxy server and the internal webserver.
The advantage of this method is that your critical servers are still directly inaccessible from the Internet, and if you face any problem with your proxy, your information is still behind closed doors! In the worst case, if a hacker breaches into your proxy server, he still has a long way to go to get into your internal network.
Kind Regards,
Mohammad-Ali

Brian J. Bartlett wrote:
Hi Pedro,

"My suggestion is to put a webserver in the internal network and configure a VPN, but it is not possible for the client."

I'm a bit mystified that they cannot use a VPN given that free solutions do exist, but given that restriction, and not to add to the other proposed solutions, I can see two other available approaches.

The first is to have a second DMZ that is connected only to the first, with appropriate port and network IP address restrictions so that only the web-based application server can access it. You would need to make sure that it is backed up very regularly in case the web-based application server gets cracked (hacked), which seems to happen with all too much regularity these days. Log mirroring to an internal network host would be highly suggested. I would also take advantage of network monitoring, with appropriate filters, to monitor traffic between the web-based application server and the file and database server.

Another approach, which I have been playing with for the last couple of years, is to host the critical file and database server on a virtual machine that is only accessible on the VM internal network from the web-based application server. In many ways this is no different from using a second DMZ, and you still face the problem of the web-based application server being cracked (hacked), but there is one significant difference. It is very easy to use scheduled snapshots and/or differencing to do the backups, so that very little is lost if/when the worst occurs. True, you do need a bit of heft to the host, but many servers today have quite a bit of headroom now. Mine certainly does: it barely reaches 3% utilization and it is running three databases (SQL Server 2000 SP4, SQL Server 2005 SP1, Progressive SQL). Even virtualized, there are more than enough resources to go around on this three-year-old, single-CPU 2.8 GHz Pentium 4, 1 GB RAM machine.

This approach also simplifies restoration and works quite well with LDAP, DNS, and other critical servers, especially as there are now administrative tools that allow you to migrate the virtual machines to another machine should the host server fail. Lastly, I would also take advantage of network traffic monitoring. Given how many of the virtualization products are becoming available for free, and the much lower hardware costs today, it's an approach whose time has come, I believe.

-Bri

-----Original Message-----
From: Pedro Henrique Morsch Mazzoni [mailto:phmazzoni () gmail com]
Sent: Friday, July 07, 2006 7:23 AM
To: webappsec () securityfocus com
Subject: DMZ and critical data

Hello,

I am doing a network security project for a friend of mine. We will do a back-to-back DMZ, with an external and an internal firewall. In our project, only the web and mail servers stay in the DMZ. But the company wants to access a web-based application from the Internet. The webserver needs access to a file and a database server, but the data on this server is critical. My suggestion is to put a webserver in the internal network and configure a VPN, but it is not possible for the client. I don't want to put the file and database servers in the DMZ, but if I put them on the internal network, the webserver in the DMZ has to access the server, which compromises my security. Any suggestions?

Pedro Mazzoni

-------------------------------------------------------------------------
Sponsored by: Watchfire
Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
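The two designs discussed in this thread (Brian's second DMZ reachable only from the web application server, and Mohammad-Ali's reverse proxy in the DMZ in front of an intranet webserver) both rest on the same default-deny zone policy, and Brian's advice to monitor the traffic between the web server and the file/database server is the check that tells you when that policy is being bypassed. The following Python script is an added example, not code from any poster in the thread: it encodes the proxy-in-DMZ topology as an allow-list, evaluates individual flows against it, and scans a constructed netfilter-style firewall log for accepted connections the policy never permitted (for instance the DMZ proxy reaching the database directly, which is exactly the "long way to go" Mohammad-Ali describes). All addresses, host names, ports and log lines are invented for illustration; the intranet and DMZ ranges are RFC 5737 / RFC 1918 documentation addresses, and the log format is merely modelled on the SRC=/DST=/DPT= fields netfilter logs emit.

```python
"""Zone-policy check and log audit for a back-to-back DMZ with a reverse
proxy. Added example for the mailing-list thread; topology, hosts, ports
and log lines are all constructed (assumptions), not taken from the thread.
"""
from ipaddress import ip_address, ip_network
import re

# Constructed addressing: documentation/private ranges stand in for the
# real DMZ and intranet. Anything outside both is treated as Internet.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.10.0.0/16")

# Constructed hosts: reverse proxy and mail relay in the DMZ; the real web
# server, database server and file server on the intranet.
HOSTS = {
    "proxy": "192.0.2.10",
    "mail": "192.0.2.25",
    "web": "10.10.1.20",
    "db": "10.10.1.30",
    "files": "10.10.1.40",
}
IP_TO_HOST = {ip: name for name, ip in HOSTS.items()}


def zone_of(ip: str) -> str:
    """Classify an address into the three zones of the design."""
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


# Allow-list of (source, destination host, destination port). A source is
# either a zone name or a host name. Everything not listed is denied; that
# default is what keeps the intranet servers unreachable from the Internet
# even after the proxy itself has been compromised.
ALLOW = [
    ("internet", "proxy", 443),   # outside users only ever reach the proxy
    ("internet", "mail", 25),
    ("proxy", "web", 443),        # proxy forwards to the intranet web server
    ("web", "db", 1433),          # only the web server may talk to the DB
    ("web", "files", 445),        # ... and to the file server
]


def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Evaluate one flow against the allow-list (default deny)."""
    src_names = {zone_of(src_ip), IP_TO_HOST.get(src_ip)}
    dst_name = IP_TO_HOST.get(dst_ip)
    return any(s in src_names and d == dst_name and p == dport
               for s, d, p in ALLOW)


# Fields the audit needs from a netfilter-style log line.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_log_line(line: str):
    """Return (src, dst, dport) for a connection log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def find_violations(lines):
    """Return every accepted flow that the policy does not permit; these
    are the DMZ-to-intranet connections worth an alert."""
    hits = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and not is_allowed(*parsed):
            hits.append(parsed)
    return hits


# Constructed firewall log excerpt (invented addresses and timestamps).
# The first three lines are the legitimate request path; the last two show
# the DMZ proxy reaching the database and file server directly.
SAMPLE_LOG = [
    "Jul  9 08:41:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=443",
    "Jul  9 08:41:01 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.10.1.20 PROTO=TCP SPT=40112 DPT=443",
    "Jul  9 08:41:02 fw kernel: ACCEPT IN=eth2 OUT=eth2 SRC=10.10.1.20 DST=10.10.1.30 PROTO=TCP SPT=40500 DPT=1433",
    "Jul  9 08:42:17 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.10.1.30 PROTO=TCP SPT=40113 DPT=1433",
    "Jul  9 08:42:18 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.10.1.40 PROTO=TCP SPT=40114 DPT=445",
]

if __name__ == "__main__":
    for src, dst, port in find_violations(SAMPLE_LOG):
        print(f"policy violation: {src} -> {dst}:{port} "
              f"({zone_of(src)} -> {zone_of(dst)})")
```

Run as a script it prints the two proxy-to-intranet flows; in practice the same `find_violations` routine would be fed the mirrored firewall log on the internal log host that Brian recommends, so that an alert fires even if the DMZ hosts' own logs have been tampered with. Note that the policy is keyed on destination host and port, not merely on zone: a rule that allowed "dmz to internal" wholesale would let a compromised proxy reach the database, which is the failure Pedro is trying to avoid.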
Current thread:
- DMZ and critical data Pedro Henrique Morsch Mazzoni (Jul 08)
- Re: DMZ and critical data 蓝牙 (Jul 09)
- RE: DMZ and critical data Brian J. Bartlett (Jul 09)
- Re: DMZ and critical data Mohammad Ali Sarbanha (Jul 09)
- Intrusion Detection David Robert (Jul 09)
- Re: Intrusion Detection Ivan Ristic (Jul 10)
- Re: Intrusion Detection Jamie Riden (Jul 10)
- Re: Intrusion Detection Daniel Cid (Jul 11)
- Re: Intrusion Detection David Ryan (Jul 12)
- Re: Intrusion Detection skarvin (Jul 12)
- <Possible follow-ups>
- Re: DMZ and critical data sarbanha (Jul 09)
- Re: DMZ and critical data Ken Adler - QDSP, CISSP, PMP, CISA (Jul 09)