Re: How to secure a webserver in a DMZ



Saqib Ali wrote:
> If I understand your question correctly, your webserver is in the
> DMZ and is accessing the DB that resides in the main firewalled
> intranet. This scenario is certainly possible, but will be
> vulnerable. If your webserver gets compromised, your DB is open as well.

OK, I agree with that.

How easy would it be for an "advanced aggressor" to load evil code (for ssh-over-https tunneling, e.g.) from the internet, if the only connection to the webserver is encrypted HTTP inbound and outbound traffic is not allowed? Some dirty tricks with HTTP POST maybe?

> I would recommend, instead of placing the web server in the DMZ, placing a
> reverse HTTP proxy in the DMZ that talks to the HTTP server that
> resides inside your main firewall. This way, if your reverse proxy
> server gets compromised, there is a much smaller chance of the
> webserver/DB being compromised.

I agree, too. But why, in theory, should an HTTP back-end connection be more secure than a database back-end connection?

If anybody was able to compromise the reverse proxy over HTTPS, then he could even go further and compromise the back-end webserver through tricky HTTP stuff as well?

Of course 'security' can never be absolute, and I think there are no 100% 'secure' or 100% 'insecure' configurations, but how can one get an understanding of how much 'safer' a reverse proxy with an HTTP connection into the internal net is than a database back-end connection from a presentation server?

> --
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------

Thanks again for your thoughts,
Dennis
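As an added illustration, not part of Dennis's or Saqib's posts, of the kind of narrowing a reverse proxy in the DMZ gives you over a direct DB connection: the proxy forwards only requests that match an explicit allowlist of methods, paths and sizes, so even a fully compromised proxy host can only speak this restricted HTTP to the inner web server (which still does its own authentication and validation), whereas a DB credential on a compromised presentation server hands the attacker whatever that DB account is allowed to do. The routes, limits and sample requests below are assumed for the example and are not from the thread.

```python
"""Added example: a request allowlist of the kind a DMZ reverse proxy can
enforce before anything reaches the inner web server.  The application
surface (/app/...), the limits and the sample requests are all assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical application surface exposed through the proxy: anything
# that is not listed here is refused, so CONNECT/TRACE/PUT and arbitrary
# paths never reach the inner host.
ALLOWED_ROUTES = {
    "GET": [re.compile(r"^/app/(index\.html|static/[\w.-]+)$")],
    "POST": [re.compile(r"^/app/login$"), re.compile(r"^/app/order$")],
}
MAX_BODY = 64 * 1024        # bytes; assumed cap for form posts
MAX_HEADER_COUNT = 40       # assumed cap to keep header-smuggling noise out


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def check_request(req: Request) -> Tuple[bool, str]:
    """Return (forward?, reason).  Default is deny; only listed traffic passes."""
    if req.method not in ALLOWED_ROUTES:
        return False, f"method {req.method} not allowed"
    if not any(p.match(req.path) for p in ALLOWED_ROUTES[req.method]):
        return False, f"path {req.path} not in allowlist"
    if len(req.headers) > MAX_HEADER_COUNT:
        return False, "too many headers"
    # Refuse anything that tries to turn the HTTP connection into a raw
    # tunnel (protocol upgrade) or to hide the body size (chunked encoding).
    if req.headers.get("Upgrade"):
        return False, "protocol upgrade not allowed"
    if req.headers.get("Transfer-Encoding", "").lower() == "chunked":
        return False, "chunked encoding not allowed"
    if len(req.body) > MAX_BODY:
        return False, "body too large"
    if req.method == "GET" and req.body:
        return False, "body on GET"
    return True, "forward"


# Constructed sample requests (not captured traffic), including the kinds of
# "tricks" a compromised proxy might try against the inner server.
SAMPLES: List[Request] = [
    Request("GET", "/app/index.html"),
    Request("POST", "/app/login",
            {"Content-Type": "application/x-www-form-urlencoded"}, b"u=a&p=b"),
    Request("CONNECT", "db.internal:3306"),
    Request("POST", "/app/login", {"Upgrade": "websocket"}),
    Request("POST", "/app/order", {}, b"x" * (MAX_BODY + 1)),
    Request("GET", "/../etc/passwd"),
]


def run_samples() -> List[Tuple[str, str, bool, str]]:
    """Evaluate every sample request against the allowlist."""
    return [(r.method, r.path, *check_request(r)) for r in SAMPLES]


if __name__ == "__main__":
    for method, path, ok, reason in run_samples():
        print(f"{'FORWARD' if ok else 'DENY   '} {method} {path}: {reason}")
```

The contrast with the direct-DB design is the point: this filter has no equivalent on a DB socket, because once the presentation server holds working DB credentials the only thing limiting an attacker is the grants on that account.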


