DMZ vs Reverse Proxy

Posted on 2004-03-25
Last Modified: 2012-05-04
In the past, our company has had our web site hosted off site.  We are in the process of setting up a web server in house and doing our own hosting.  We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ.  The other is to put the web server inside the LAN and protect it by using reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS, SQL Server, and use BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
Question by: HawkeyeNash
2 Comments
Expert Comment

by: bloemkool1980
ID: 10686258
Hi hawkeye,
I suggest a combination of the two. I would put a reverse proxy in a DMZ. This DMZ I will call DMZ-Public.
DMZ-Public is the only DMZ that can be accessed directly from outside, after passing the firewall of course.
Then I would place the web server in another DMZ called DMZ-Webserver, and if you do not have enough network cards or whatever, you could put the DB server in the same DMZ as your web server, but if possible I would put it in another DMZ or internal. Because you run IIS, I highly recommend putting in a reverse proxy and separating the machine from your LAN.
Why:
Well, if you follow my proposal your traffic is filtered inbound and outbound, meaning that traffic from your reverse proxy to your web server is filtered by the firewall, and traffic from that web server to your DB too, if you place the DB in another DMZ.
Rule of thumb: never give direct or indirect access from outside to a LAN machine; this is dangerous, and every security-minded IT'er would agree.
It may sound paranoid, but one can never be cautious enough.
You can have a cheap reverse proxy with the Apache web server by enabling reverse proxy mode.

Accepted Solution

by: pfftdives (earned 300 total points)
ID: 10795364
While I agree with what bloemkool1980 said, I think what's really at issue is this: is using the existing DB with a reverse-proxy-protected web server "safe enough", or do you need the additional protection that a DMZ affords? It has a lot to do with the sensitivity of your data. Not knowing the value of the data or the threats you're worried about (I'm guessing you're not doing online Visa processing if you're even considering using a LAN database server and just reverse proxying it :) ), I would just point out the following:
a. Reverse proxies are not foolproof. They're just one additional layer, and unless you do a lot of customization, they can still pass attacks through to the LAN side. Once they're in, they're in. It is a thinner layer than just putting a web server in the DMZ.
b. A properly configured DMZ (no unnecessary traffic allowed from the DMZ to the internal network unless absolutely, positively necessary) will contain the threat, EVEN if your web server is compromised.
c. A properly configured reverse proxy will not. If they get through it and own your web server, they're in your LAN.

So let's say there's a new attack on your web server that you're not yet familiar with.
Attacker owns the web server. If you reverse proxied, and they pass the attack through (it looks "safe"; remember, they can pass stuff that exploits applications/app server stuff that might look great to a reverse proxy), then they own your LAN and everything in it. You are literally toast. If they crack the web server and it's in your DMZ, OK, they owned the web server; that's what DMZs are for, but you can rebuild the box and know you're clean, unlike when you allow them into the LAN with the thin shield of a reverse proxy.

Basic defense in depth would have you use the DMZ unless the data and systems on your LAN can be considered throwaway.
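An added example, not from either poster, that models the two designs discussed in this thread as firewall zones and rules and computes what an attacker who owns a given host can reach: the reverse-proxy-in-LAN layout from the question, and the three-DMZ layout bloemkool1980 proposes, which pfftdives's points (b) and (c) contrast. All host names, zones and rules are constructed for illustration. The worst-case assumption, matching pfftdives's "new attack" scenario, is that every service the attacker can reach is also exploitable, so reach is computed transitively.

```python
"""Added example: a toy reachability model of the two firewall designs
discussed in this thread. Every host, zone and rule here is constructed
for illustration, not taken from the original posts."""
from collections import deque

# A rule is (src_zone, dst, dst_port); dst names a zone or a single host,
# and a port of "any" matches every port.

# Design 1 (the question): web server on the LAN behind a reverse proxy,
# reusing the production SQL Server.
DESIGN_LAN = {
    "zones": {
        "internet": ["attacker"],
        "dmz-public": ["revproxy"],
        "lan": ["web", "proddb", "fileserver", "dc"],
    },
    "rules": [
        ("internet", "dmz-public", 80),
        ("dmz-public", "web", 80),   # proxy forwards to the LAN web server
        ("lan", "lan", "any"),       # no filtering between LAN hosts
    ],
}

# Design 2 (bloemkool1980): proxy in DMZ-Public, IIS in DMZ-Webserver,
# a dedicated web DB in a third DMZ; only SQL Server (1433) between them.
DESIGN_DMZ = {
    "zones": {
        "internet": ["attacker"],
        "dmz-public": ["revproxy"],
        "dmz-web": ["web"],
        "dmz-db": ["webdb"],
        "lan": ["proddb", "fileserver", "dc"],
    },
    "rules": [
        ("internet", "dmz-public", 80),
        ("dmz-public", "web", 80),
        ("dmz-web", "webdb", 1433),
        ("lan", "lan", "any"),
    ],
}


def zone_of(design, host):
    """Zone a host belongs to; raises KeyError for an unknown host."""
    for zone, hosts in design["zones"].items():
        if host in hosts:
            return zone
    raise KeyError(host)


def targets(design, dst):
    """Expand a rule destination (zone name or host name) to hosts."""
    return design["zones"].get(dst, [dst])


def reachable(design, compromised):
    """Map host -> set of ports an attacker can hit after owning `compromised`.
    Worst-case assumption (pfftdives's 'new attack' scenario): any service
    the attacker can reach is also exploitable, so reach is transitive."""
    owned = {compromised}
    queue = deque([compromised])
    reach = {}
    while queue:
        src = queue.popleft()
        src_zone = zone_of(design, src)
        for rule_src, rule_dst, port in design["rules"]:
            if rule_src != src_zone:
                continue
            for dst in targets(design, rule_dst):
                if dst == src:
                    continue
                reach.setdefault(dst, set()).add(port)
                if dst not in owned:       # pivot through the new foothold
                    owned.add(dst)
                    queue.append(dst)
    return reach


def lan_exposed(design, compromised):
    """LAN hosts (other than the compromised one) the attacker can reach."""
    return sorted(h for h in reachable(design, compromised)
                  if zone_of(design, h) == "lan" and h != compromised)


if __name__ == "__main__":
    for name, design in (("reverse proxy, web on LAN", DESIGN_LAN),
                         ("three-tier DMZ", DESIGN_DMZ)):
        print(f"{name}: web server compromised -> LAN hosts reachable:",
              lan_exposed(design, "web") or "none")
```

Running it shows the containment difference in point (b): with the web server on the LAN, owning it yields every LAN host on every port, while in the three-DMZ layout the same compromise reaches only the web DB on 1433 and nothing on the LAN. The model is deliberately zone-level and ignores what the proxy itself filters; its point is blast radius after a successful attack, not whether the attack gets through.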
