  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4344

DMZ vs Reverse Proxy

In the past, our company has had our web site hosted off site.  We are in the process of setting up a web server in house and doing our own hosting.  We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ.  The other is to put the web server inside the LAN and protect it by using reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS, SQL Server, and use BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
Asked by: HawkeyeNash

1 Solution
bloemkool1980 commented:
Hi hawkeye
I suggest a combination of the 2. I would put a reverse proxy in a DMZ. This DMZ I will call DMZ-Public.
DMZ-Public is the only DMZ that can be accessed directly from outside, well, passing the firewall of course.
Then I would place the webserver in another DMZ called DMZ-Webserver, and if you do not have enough network cards or whatever you could put the DB server in the same DMZ as your web server, but if possible I would put it in another DMZ or internal. Because you run IIS I highly recommend putting in a reverse proxy and separating the machine from your LAN.
Why:
Well, if you follow my proposition your traffic is filtered inbound and outbound. Meaning that traffic from your reverse proxy to your webserver is filtered by the firewall, and traffic from that webserver to your DB too if you place the DB in another DMZ.
Rule of thumb is never give direct or indirect access from outside to a LAN machine; this is dangerous and every security-minded IT'er would agree.
It may sound paranoiac, but one never can be cautious enough.
You can have a cheap reverse proxy with the Apache webserver by enabling reverse proxy mode.

pfftdives commented:
While I agree with what bloemkool1980 said, I think what's really at issue is this: Is using the existing DB with a reverse-proxy-protected webserver "safe enough", or do you need the additional protections that a DMZ affords? It has a lot to do with the sensitivity of your data. Not knowing the value of the data or the threats you're worried about (I'm guessing you're not doing online visa processing if you're even considering using a LAN database server and just reverse proxying it :) I would just point out the following points:
a. Reverse proxies are not foolproof. They're just one additional layer, and unless you do a lot of customization, they can still pass attacks through to the LAN side. Once they're in, they're in. It is a thinner layer than just putting a webserver in the DMZ.
b. A properly configured DMZ (no unnecessary traffic allowed from the DMZ to the internal network unless absolutely positively necessary) will contain the threat, EVEN if your webserver is compromised.
c. A properly configured reverse proxy will not. If they get through it and own your webserver, they're in your LAN.

So let's say there's a new attack that you're not yet familiar with on your webserver.
Attacker owns webserver. If you reverse proxied, and they pass the attack through (it looks "safe" - remember, they can pass stuff that exploits applications/app server stuff that might look great to a reverse proxy), then they own your LAN and everything in it. You are literally toast. If they crack the webserver and it's in your DMZ, ok, they owned the webserver - that's what DMZs are for, but you can rebuild the box and know you're clean, unlike when you allow them into the LAN with the thin shield of a reverse proxy.

Basic defense in depth would have you use the DMZ unless the data and systems on your LAN can be considered throwaway.
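Added example (not from this thread or either answerer): a short Python check of the zone-based rule of thumb both answers argue from, modelling bloemkool1980's layered DMZ layout beside the LAN-hosted alternative from the question. The zone names, ports and both rule sets are constructed assumptions, and each hop assumes the host on the far side of the previous allowed flow has already been compromised.

```python
from collections import deque

# A rule is (source_zone, destination_zone, tcp_port). Zone names, ports and
# both policies are constructed for illustration, not taken from the thread.
LAYERED_DMZ_DESIGN = [
    ("Internet", "DMZ-Public", 443),      # the world reaches only the reverse proxy
    ("DMZ-Public", "DMZ-Webserver", 80),  # proxy forwards to IIS in its own DMZ
    ("DMZ-Webserver", "DMZ-DB", 1433),    # IIS talks to SQL Server in a third DMZ
    ("LAN", "DMZ-Webserver", 3389),       # admins manage the box from inside (LAN-initiated only)
]

LAN_WEBSERVER_DESIGN = [
    ("Internet", "DMZ-Public", 443),
    ("DMZ-Public", "LAN", 80),            # web server lives on the LAN behind the proxy
    ("LAN", "LAN", 1433),                 # web server uses the production SQL Server
]


def reachable_zones(rules, start="Internet"):
    """Zones reachable from `start` by chaining allowed flows (worst-case pivot model).

    Only the initiating direction of each rule counts; stateful return traffic
    is ignored, which is what a zone-based firewall policy review looks at.
    """
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def violations(rules, protected="LAN"):
    """Allowed flows from an Internet-reachable zone into `protected`; empty means contained."""
    exposed = reachable_zones(rules)
    if protected not in exposed:
        return []
    return [r for r in rules if r[1] == protected and r[0] in exposed and r[0] != protected]


if __name__ == "__main__":
    for name, policy in (("layered DMZ", LAYERED_DMZ_DESIGN), ("LAN web server", LAN_WEBSERVER_DESIGN)):
        bad = violations(policy)
        print(f"{name}: {'contained' if not bad else 'LAN exposed via ' + str(bad)}")
```

The LAN-to-DMZ management rule passes because it is initiated from the LAN; the LAN-hosted design fails because the single proxy-to-webserver rule is itself the path into the LAN.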