Solved

DMZ vs Reverse Proxy

Posted on 2004-03-25
3,385 Views
Last Modified: 2012-05-04
In the past, our company has had our web site hosted off site.  We are in the process of setting up a web server in house and doing our own hosting.  We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ.  The other is to put the web server inside the LAN and protect it by using reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS, SQL Server, and use BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
Question by:HawkeyeNash
2 Comments
LVL 6

Expert Comment

by:bloemkool1980
ID: 10686258
Hi hawkeye
I suggest a combination of the 2. I would put a reverse proxy in a DMZ. This DMZ I will call DMZ-Public.
DMZ-Public is the only DMZ that can be accessed directly from outside, well, passing the firewall of course.
Then I would place the web server in another DMZ called DMZ-Webserver, and if you do not have enough network cards or whatever you could put the DB server in the same DMZ as your web server, but if possible I would put it in another DMZ or internal. Because you run IIS I highly recommend putting in a reverse proxy and separating the machine from your LAN.
Why:
Well, if you do my proposition your traffic is filtered inbound and outbound. Meaning that traffic from your reverse proxy to your web server is filtered by the firewall, and traffic from that web server to your DB too if you place the DB in another DMZ.
Rule of thumb is never give direct or indirect access from outside to a LAN machine; this is dangerous and every security-minded IT'er would agree.
It may sound paranoid but one never can be cautious enough.
You can have a cheap reverse proxy with apache webserver by enabling reverse proxy mode.

LVL 1

Accepted Solution

by: pfftdives (earned 300 total points)
ID: 10795364
While I agree with what bloemkool1980 said, I think what's really at issue is this: Is using the existing DB with a reverse-proxy-protected webserver "safe enough", or do you need the additional protections that a DMZ affords. It has a lot to do with the sensitivity of your data. Not knowing the value of the data or the threats you're worried about (I'm guessing you're not doing online visa processing if you're even considering using a LAN database server and just reverse proxying it :) I would just point out the following points:
a. Reverse proxies are not foolproof. They're just one additional layer, and unless you do a lot of customization, they can still pass attacks through to the LAN side. Once they're in, they're in. It is a thinner layer than just putting a webserver in the DMZ.
b. A properly configured DMZ (no unnecessary traffic allowed from the DMZ to the internal network unless absolutely positively necessary) will contain the threat, EVEN if your webserver is compromised.
c. A properly configured reverse proxy will not. If they get through it and own your webserver, they're in your LAN.

So let's say there's a new attack that you're not yet familiar with on your webserver.
Attacker owns webserver. If you reverse proxied, and they pass the attack through (it looks "safe" - remember, they can pass stuff that exploits applications/app server stuff that might look great to a reverse proxy) then they own your LAN and everything in it. You are literally toast. If they crack the webserver and it's in your DMZ, ok, they owned the webserver - that's what DMZs are for, but you can rebuild the box and know you're clean, unlike when you allow them into the LAN with the thin shield of a reverse proxy.

Basic defense in depth would have you use the DMZ unless the data and systems on your LAN can be considered throwaway.
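The two designs argued over in both answers above can be checked mechanically: model each as a set of permitted firewall flows between zones and compute what the internet can reach hop by hop ("indirect access") and what an attacker who owns the web server can reach next. This is an added example, not code from the thread; zone names, services and the rule sets are constructed for illustration.

```python
from collections import deque

# Constructed rule sets modelling the two designs argued over in this thread.
# Zone names and services are assumptions for the example. Each rule is
# (source zone, destination zone, service) and means the firewall permits
# that flow; anything not listed is denied.
LAN_WITH_REVERSE_PROXY = {
    "web_zone": "lan",                      # IIS sits on the LAN
    "rules": {
        ("internet", "dmz-public", "http"),
        ("dmz-public", "lan", "http"),      # proxy forwards requests to IIS
        ("lan", "lan", "any"),              # IIS and production SQL Server share the LAN
    },
}
TIERED_DMZ = {
    "web_zone": "dmz-web",
    "rules": {
        ("internet", "dmz-public", "http"),
        ("dmz-public", "dmz-web", "http"),
        ("dmz-web", "dmz-db", "mssql"),
        ("lan", "dmz-web", "http"),         # inside users may browse the site
        ("lan", "dmz-db", "mssql"),         # inside apps and admins may use the DB
    },
}

def reachable_zones(rules, start):
    """Zones that traffic from `start` can reach, directly or by hopping
    through a host in an intermediate zone (the 'indirect access' case)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _service in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def lan_reachable_from_internet(design):
    """Breaks the 'no direct or indirect outside access to a LAN machine' rule?"""
    return "lan" in reachable_zones(design["rules"], "internet")

def blast_radius(design):
    """Zones an attacker who has taken over the web server can go on to reach."""
    return reachable_zones(design["rules"], design["web_zone"])

def dmz_to_lan_rules(design):
    """Rules letting a DMZ zone initiate traffic into the LAN; a properly
    configured DMZ has none, which is what contains a compromised web server."""
    return {r for r in design["rules"] if r[0].startswith("dmz") and r[1] == "lan"}
```

For the LAN-plus-proxy design the proxy rule itself is the DMZ-to-LAN hole, and the blast radius after a web server compromise is the LAN; for the tiered design it stops at the DB zone.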
