Re: [fw-wiz] Web Services and Firewall/Network Architecture
Here's what I would do (assuming I understood you correctly):

1. put your new web server inside your LAN
2. set up your firewall to PAT/NAT from ExtInt:80,443 to web server:443
3. on your web server, make sure only HTTP/SSL traffic is allowed--lock it down
4. make sure your programmers understand about buffer overflows, input sanitation, and the difference between whitelisting and blacklisting (i.e. secure by default)
5. if you should be getting traffic from only one set of networks, you could lock down your firewall PAT/NAT rule a bit, and lock down your web server host rules a bit

You'll need a certificate (you can self-generate one, or you can get one from Thawte or Verisign). Make sure you apply security patches in a timely manner (e.g. you could schedule 3am--4am every night for downtime/maintenance, and make sure you use that downtime).

At this point you have covered network security, host security, and application security--to an ethically reasonable degree.

--Patrick Darden
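Steps 2 and 5 of the reply, modelled as an added example (not code from the original post or the list): a small policy object that decides which inbound connections on the external interface get PAT/NATted to the web server's port 443, optionally only from an allowed set of source networks, and renders the same policy as an nftables ruleset. Interface name, server address and networks are constructed placeholders.

```python
"""Model of the reply's design: ExtInt:80,443 -> web server:443, optionally
restricted to known source networks. All addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class WebPublishPolicy:
    ext_if: str                      # assumed external interface name, e.g. "eth0"
    web_server: str                  # internal web server (constructed address)
    listen_ports: Tuple[int, ...] = (80, 443)   # exposed on the external interface
    target_port: int = 443           # everything is forwarded to SSL on the host
    allowed_sources: Optional[List[str]] = None # None = accept from the whole Internet

    def decide(self, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (server, port) a new inbound connection is translated to, or None
        if the firewall drops it (unpublished port or source outside the allow-list)."""
        if dst_port not in self.listen_ports:
            return None
        if self.allowed_sources is not None:
            src = ip_address(src_ip)
            if not any(src in ip_network(net) for net in self.allowed_sources):
                return None
        return (self.web_server, self.target_port)

    def nftables(self) -> str:
        """Render the policy as an nftables ruleset: a DNAT rule in prerouting and a
        forward chain that only admits the translated flow (other forwarded traffic
        would need its own rules; the chain policy is drop)."""
        srcs = ""
        if self.allowed_sources is not None:
            srcs = f"ip saddr {{ {', '.join(self.allowed_sources)} }} "
        ports = ", ".join(str(p) for p in self.listen_ports)
        return "\n".join([
            "table ip webpublish {",
            "  chain prerouting {",
            "    type nat hook prerouting priority dstnat; policy accept;",
            f'    iif "{self.ext_if}" {srcs}tcp dport {{ {ports} }} '
            f"dnat to {self.web_server}:{self.target_port}",
            "  }",
            "  chain forward {",
            "    type filter hook forward priority filter; policy drop;",
            "    ct state established,related accept",
            f'    iif "{self.ext_if}" ip daddr {self.web_server} '
            f"tcp dport {self.target_port} ct state new accept",
            "  }",
            "}",
        ])


if __name__ == "__main__":
    print(WebPublishPolicy("eth0", "192.168.1.10", allowed_sources=["203.0.113.0/24"]).nftables())
```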

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Ginski, Richard J
Sent: Thursday, March 20, 2008 2:29 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Web Services and Firewall/Network Architecture

Hi All,

There's talk in our org to directly interface one of our back-end servers to provide web services for external entities via the Internet. On the surface, this is a risky option for me. Although firewall "protected", I don't want a "protected device" directly interacting with web service "consumers" from the Internet. It sounds like a bad idea to me.

I have been searching around looking for sample diagrams (etc) on environments that support Web Services. I am trying to determine where stuff goes in this environment and how a firewall/DMZ fit into the picture. Can anyone point me to where info would be available for this? I've checked the archives for the past year and checked at OASIS, W3C, OWASP, and XML.com, with no luck. The "web services sites" focus on coding practices, coding architecture, and coding frameworks. Although very important, it's not the info I am looking for. We are trying to determine how web services fit in our environment using best practices in network design and network security to support web services.

Any help would be greatly appreciated. TIA!

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
