Solved

DMZ vs Reverse Proxy

Posted on 2004-03-25
Last Modified: 2012-05-04
In the past, our company has had our web site hosted off site.  We are in the process of setting up a web server in house and doing our own hosting.  We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ.  The other is to put the web server inside the LAN and protect it by using reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS, SQL Server, and use BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
Question by:HawkeyeNash
2 Comments

Expert Comment

by:bloemkool1980
ID: 10686258
Hi hawkeye
I suggest a combination of the 2. I would put a reverse proxy in a DMZ. This DMZ I will call DMZ-Public.
DMZ-Public is the only DMZ that can be accessed directly from outside, well, passing the firewall of course.
Then I would place the web server in another DMZ called DMZ-Webserver, and if you do not have enough network cards or whatever you could put the DB server in the same DMZ as your web server, but if possible I would put it in another DMZ or internal. Because you run IIS I highly recommend putting in a reverse proxy and separating the machine from your LAN.
Why:
Well, if you follow my proposition your traffic is filtered inbound and outbound, meaning that traffic from your reverse proxy to your web server is filtered by the firewall, and traffic from that web server to your DB too if you place the DB in another DMZ.
Rule of thumb is never give direct or indirect access from outside to a LAN machine; this is dangerous and every security-minded IT'er would agree.
It may sound paranoid but one can never be cautious enough.
You can have a cheap reverse proxy with the Apache web server by enabling reverse proxy mode.


Accepted Solution

by: pfftdives (earned 300 total points)
ID: 10795364
While I agree with what bloemkool1980 said, I think what's really at issue is this: Is using the existing DB with a reverse-proxy-protected web server "safe enough", or do you need the additional protections that a DMZ affords? It has a lot to do with the sensitivity of your data. Not knowing the value of the data or the threats you're worried about (I'm guessing you're not doing online visa processing if you're even considering using a LAN database server and just reverse proxying it :) I would just point out the following points:
a. Reverse proxies are not foolproof. They're just one additional layer, and unless you do a lot of customization, they can still pass attacks through to the LAN side. Once they're in, they're in. It is a thinner layer than just putting a web server in the DMZ.
b. A properly configured DMZ (no unnecessary traffic allowed from the DMZ to the internal network unless absolutely positively necessary) will contain the threat, EVEN if your web server is compromised.
c. A properly configured reverse proxy will not. If they get through it and own your web server, they're in your LAN.

So let's say there's a new attack that you're not yet familiar with on your web server.
Attacker owns the web server. If you reverse proxied, and they pass the attack through (it looks "safe" - remember, they can pass stuff that exploits applications/app server stuff that might look great to a reverse proxy), then they own your LAN and everything in it. You are literally toast. If they crack the web server and it's in your DMZ, OK, they owned the web server - that's what DMZs are for, but you can rebuild the box and know you're clean, unlike when you allow them into the LAN with the thin shield of a reverse proxy.

Basic defense in depth would have you use the DMZ unless the data and systems on your LAN can be considered throwaway.
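The two designs argued over in the thread (bloemkool1980's three-DMZ layout and pfftdives' "contain the threat" point) can be checked with a small policy model. This is an added example, not code from either poster; the zone names, host names and port numbers are constructed for illustration, and the model assumes hosts in the same zone can talk freely while every cross-zone hop must match a firewall rule.

```python
from collections import deque

# Zone membership for the segmented design (constructed host names).
SEGMENTED_ZONES = {
    "dmz-public": {"rproxy"},
    "dmz-web": {"iis"},
    "dmz-db": {"sql-web"},
    "lan": {"prod-sql", "fileserver", "workstations"},
}
# Firewall rules: (source zone, destination zone, destination port).
SEGMENTED_RULES = [
    ("internet", "dmz-public", 443),   # only the reverse proxy is exposed
    ("dmz-public", "dmz-web", 80),     # proxy -> IIS
    ("dmz-web", "dmz-db", 1433),       # IIS -> SQL Server only
]

# Reverse-proxy-only design: IIS sits in the LAN next to the production DB.
FLAT_ZONES = {
    "dmz-public": {"rproxy"},
    "lan": {"iis", "prod-sql", "fileserver", "workstations"},
}
FLAT_RULES = [
    ("internet", "dmz-public", 443),
    ("dmz-public", "lan", 80),         # proxy -> IIS, which lives in the LAN
]

def blast_radius(zones, rules, owned):
    """Hosts an attacker who has compromised `owned` can reach: every host in
    the same zone (no firewall between them) plus hosts in zones reachable by
    chaining allowed rules. Returns a sorted list without `owned` itself."""
    host_zone = {h: z for z, hosts in zones.items() for h in hosts}
    adj = {}
    for src, dst, _port in rules:
        adj.setdefault(src, set()).add(dst)
    start = host_zone[owned]
    seen, queue = {start}, deque([start])
    while queue:               # breadth-first walk over the zone graph
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    hosts = {h for z in seen for h in zones.get(z, ())}
    hosts.discard(owned)
    return sorted(hosts)

if __name__ == "__main__":
    print("segmented, IIS owned:", blast_radius(SEGMENTED_ZONES, SEGMENTED_RULES, "iis"))
    print("flat, IIS owned:", blast_radius(FLAT_ZONES, FLAT_RULES, "iis"))
```

With the segmented rules a compromised IIS box can only reach the web DB on its one allowed port, while in the flat design the same compromise lands the attacker on every LAN host.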