DMZ vs Reverse Proxy

Posted on 2004-03-25
Last Modified: 2012-05-04
In the past, our company has had our web site hosted off site.  We are in the process of setting up a web server in house and doing our own hosting.  We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ.  The other is to put the web server inside the LAN and protect it by using reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS, SQL Server, and use BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
Expert Comment by bloemkool1980 (ID: 10686258)
Hi hawkeye
I suggest a combination of the 2. I would put a reverse proxy in a DMZ. This DMZ I will call DMZ-Public.
DMZ-Public is the only DMZ that can be accessed directly from outside, well, passing the firewall of course.
Then I would place the web server in another DMZ called DMZ-Webserver, and if you do not have enough network cards or whatever you could put the DB server in the same DMZ as your web server, but if possible I would put it in another DMZ or internal. Because you run IIS I highly recommend putting in a reverse proxy and separating the machine from your LAN.
Why:
Well, if you do my proposition your traffic is filtered inbound and outbound, meaning that traffic from your reverse proxy to your web server is filtered by the firewall, and traffic from that web server to your DB too if you place the DB in another DMZ.
Rule of thumb is never give direct or indirect access from outside to a LAN machine; this is dangerous and every security-minded IT'er would agree.
It may sound paranoid but one never can be cautious enough.
You can have a cheap reverse proxy with the Apache web server by enabling reverse proxy mode.

Accepted Solution by pfftdives (earned 1200 total points, ID: 10795364)
While I agree with what bloemkool1980 said, I think what's really at issue is this: is using the existing DB with a reverse-proxy-protected web server "safe enough", or do you need the additional protections that a DMZ affords? It has a lot to do with the sensitivity of your data. Not knowing the value of the data or the threats you're worried about (I'm guessing you're not doing online Visa processing if you're even considering using a LAN database server and just reverse proxying it :) I would just point out the following points:
a. Reverse proxies are not foolproof. They're just one additional layer, and unless you do a lot of customization, they can still pass attacks through to the LAN side. Once they're in, they're in. It is a thinner layer than just putting a web server in the DMZ.
b. A properly configured DMZ (no unnecessary traffic allowed from the DMZ to the internal network unless absolutely, positively necessary) will contain the threat, EVEN if your web server is compromised.
c. A properly configured reverse proxy will not. If they get through it and own your web server, they're in your LAN.

So let's say there's a new attack on your web server that you're not yet familiar with.
Attacker owns the web server. If you reverse proxied, and they pass the attack through (it looks "safe"; remember, they can pass stuff that exploits applications/app server stuff that might look great to a reverse proxy), then they own your LAN and everything in it. You are literally toast. If they crack the web server and it's in your DMZ, ok, they owned the web server; that's what DMZs are for, but you can rebuild the box and know you're clean, unlike when you allow them into the LAN with the thin shield of a reverse proxy.

Basic defense in depth would have you use the DMZ unless the data and systems on your LAN can be considered throwaway.
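As an added illustration (not code from either poster), the following Python script models the two layouts debated in this thread as zone-to-zone firewall allow rules and computes transitive reachability from the Internet, which is exactly the "once they're in, they're in" and "contain the threat" argument above. Zone names, services and the rule sets are constructed assumptions for the example.

```python
from collections import deque

# Constructed example rules: (source_zone, destination_zone, service).
# Layout 1 (bloemkool1980): reverse proxy in DMZ-Public, IIS in its own DMZ,
# SQL Server in a third DMZ, every hop filtered by the firewall.
DMZ_DESIGN = [
    ("internet", "dmz-public", "https"),   # only the reverse proxy is exposed
    ("dmz-public", "dmz-web", "http"),     # proxy -> IIS, firewall-filtered
    ("dmz-web", "dmz-db", "mssql"),        # IIS -> SQL Server in its own DMZ
    ("lan", "dmz-web", "rdp"),             # admins manage the box from inside
]

# Layout 2 (the other school of thought): reverse proxy in a DMZ forwarding to a
# web server that sits on the LAN next to the production DB server.
LAN_DESIGN = [
    ("internet", "dmz-public", "https"),   # reverse proxy in the DMZ
    ("dmz-public", "lan", "http"),         # proxy forwards into the LAN web server
    ("lan", "lan", "any"),                 # web server shares the LAN with prod DB
]


def reachable_zones(rules, start="internet"):
    """Zones reachable transitively from `start`, assuming every host reached can
    be compromised and used as the next hop (pfftdives' point c)."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for rule_src, rule_dst, _service in rules:
            if rule_src == src and rule_dst not in seen:
                seen.add(rule_dst)
                queue.append(rule_dst)
    return seen


def exposes_lan(rules):
    """bloemkool1980's rule of thumb: no direct or indirect path from outside to LAN."""
    return "lan" in reachable_zones(rules)


def blast_radius_after_web_compromise(rules, web_zone):
    """Zones an attacker holds once the web server itself is owned (point b)."""
    return reachable_zones(rules, start=web_zone)


if __name__ == "__main__":
    for name, rules, web in (("DMZ design", DMZ_DESIGN, "dmz-web"),
                             ("LAN design", LAN_DESIGN, "lan")):
        print(name, "- LAN exposed:", exposes_lan(rules),
              "- zones lost after web compromise:",
              sorted(blast_radius_after_web_compromise(rules, web)))
```

The DMZ layout reports the LAN as unreachable and a web-server compromise bounded to the web and DB DMZs, while the LAN layout reports the LAN reachable from the Internet through the proxy.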