WebApp Sec mailing list archives

Re: DMZ and critical data


From: Mohammad Ali Sarbanha <sarbanha () tkckish co ir>
Date: Mon, 10 Jul 2006 08:41:43 +0330

Hi Brian, Pedro,
Thanks for your valuable information, but I'm not sure a virtual machine can help with this issue: suppose a hacker can remotely execute code on your server and gain control of it (even partially); he might be able to breach your database as well. This would also impose many limitations when extending the infrastructure.

Snapshots are sometimes valuable, but it depends on the stored data. Lost data can be recovered by a backup restoration, but the damage from divulged information is sometimes irrecoverable, e.g. credit card information.

Another method is to proxy the webserver! Both the webserver and the database server can be kept on the intranet, and a proxy server can be installed in the DMZ to allow Internet users to access the corporate intranet webserver. Some more tricks on the firewall (using NAT and PAT) would enable you to make connectivity between the proxy server and the internal webserver.

The advantage of this method is that your critical servers are still not directly accessible from the Internet, and if you face any problem with your proxy, your information is still behind closed doors! In the worst case, if a hacker breaches your proxy server, he still has a long way to go to get into your internal network.

Kind Regards,
Mohammad-Ali



Brian J. Bartlett wrote:

Hi Pedro,
        " My sugestion is to put a webserver in the internal network and
configure a Vpn, but it is not possible for the client."  I'm a bit
mystified that they can not use a VPN given that free solutions do exist but
given that restriction, and not to add to the other proposed solutions, I
can see two other available approaches.
        The first is to have a second DMZ that is connected only to the
first with appropriate port and network IP address restrictions so that only
the web-based application server can access it.  You would need to make sure
that it is backed up very regularly in case the web-based application server
gets cracked (hacked), which seems to happen with all too much regularity
these days.  Log mirroring to an internal network host would be highly
suggested.  I would also take advantage of network monitoring, with
appropriate filters, to monitor traffic between the web-based application
server and the file and database server.
        Another approach which I have been playing with for the last couple
of years is to host the critical file and database server on a virtual
machine that is only accessible on the VM internal network from the
web-based application server.  In many ways this is no different from using
a second DMZ and you still face the problem of the web-based application
server being cracked (hacked) but there is one significant difference.  It
is very easy to use scheduled snapshots and/or differencing to do the
backups so that very little is lost if/when the worst occurs.  True, you do
need a bit of heft to the host, but many servers today have quite a bit of
headroom now.  Mine certainly does, it barely reaches 3% utilization and it
is running three databases (SQL Server 2000 SP4, SQL Server 2005 SP1,
Progressive SQL).  Even virtualized, there are more than enough resources to
go around on this three year old, single CPU 2.8 GHz Pentium 4, 1 GB RAM
machine.  This approach also simplifies restoration and works quite well
with LDAP, DNS, and other critical servers, especially as there are now
administrative tools that allow you to migrate the virtual machines to
another machine should the host server fail.  Lastly, I would also take
advantage of network traffic monitoring.
        Given how many of the virtualization products are becoming available
for free, and the much lower hardware costs today, it's an approach whose
time has come, I believe.


-Bri


-----Original Message-----
From: Pedro Henrique Morsch Mazzoni [mailto:phmazzoni () gmail com]
Sent: Friday, July 07, 2006 7:23 AM
To: webappsec () securityfocus com
Subject: DMZ and critical data

Hello,

I am doing a network security project for a friend of mine.
We will do a back-to-back DMZ, with an external and an internal firewall.
In our project, only the web and mail servers stay in the DMZ.
But the company wants to access a web-based application from the Internet.
The webserver needs access to a file and a database server, but the
data on this server is critical.
My suggestion is to put a webserver in the internal network and
configure a VPN, but it is not possible for the client.
I don't want to put the file and database servers in the DMZ, but if I
put them on the internal network the webserver in the DMZ has to access
the server, which compromises my security.

Any suggestions?

Pedro Mazzoni
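A concrete form of the internal-firewall restrictions described in Brian's reply above (only the DMZ web application server may reach the database server, logs are mirrored to an internal host, and every other DMZ-to-internal flow is logged and dropped), as an added example that is not part of the thread. The addresses, interface names, log host and the SQL Server port are assumptions; the function prints the iptables commands unless told to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: internal-firewall ruleset for the
# back-to-back DMZ design. Only the web application server in the DMZ may
# open connections into the internal network, and only to the database
# server's listening port and to a syslog host for log mirroring.
# All addresses, interfaces and ports below are assumed placeholders.
DMZ_IF="eth1"        # interface facing the DMZ (assumed)
INT_IF="eth2"        # interface facing the internal network (assumed)
WEBAPP="10.1.1.5"    # DMZ web application server (assumed)
DBSRV="10.2.2.10"    # internal database server (assumed)
DBPORT="1433"        # SQL Server default TCP port
LOGHOST="10.2.2.20"  # internal syslog collector (assumed)

# Usage: gen_internal_fw_rules [webapp] [dbsrv] [dbport] [loghost] [apply]
# Prints the commands by default; pass "apply" as the 5th argument to run them.
gen_internal_fw_rules() {
    webapp="${1:-$WEBAPP}"; dbsrv="${2:-$DBSRV}"
    dbport="${3:-$DBPORT}"; loghost="${4:-$LOGHOST}"; mode="${5:-print}"
    run() { if [ "$mode" = "apply" ]; then "$@"; else echo "$*"; fi; }

    # Default deny on the forwarding path; replies to allowed flows pass.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only new connection allowed from the DMZ into the internal net:
    # web application server -> database server, database port only.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -p tcp \
        -s "$webapp" -d "$dbsrv" --dport "$dbport" -m state --state NEW -j ACCEPT
    # Log mirroring: web application server -> internal syslog host (UDP 514).
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -p udp \
        -s "$webapp" -d "$loghost" --dport 514 -j ACCEPT
    # Nothing else from the DMZ may initiate inward; log it (rate limited)
    # so a cracked web server probing the internal network shows up.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m state --state NEW \
        -m limit --limit 10/min -j LOG --log-prefix "DMZ->INT DENY: "
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
}

# Number of ACCEPT rules in the generated policy (used as a sanity check).
count_accept_rules() { gen_internal_fw_rules "$@" | grep -c -- '-j ACCEPT'; }
```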

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------