Solved

DMZ vs Reverse Proxy

Posted on 2004-03-25
6
1,090 Views
Last Modified: 2013-12-25
In the past, our company has had our web site hosted off site.  We are in the process of setting up a web server in house and doing our own hosting.  We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ.  The other is to put the web server inside the LAN and protect it by using reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS, SQL Server, and use BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
0
Comment
Question by:HawkeyeNash
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 17

Expert Comment

by:Tacobell777
ID: 10683757
Go DMZ, use it for what it is made for.

Reverse proxy will most likely slow things down as well.

0
 
LVL 15

Expert Comment

by:periwinkle
ID: 10691011
I agree fullheartedly with Tacobell - why expose your production databases that AREN'T going to be used on the web to the potential of being hacked?  I'd keep internal production databases entirely separate from the web databases.
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 10691061
To elaborate, the primary rules in security that apply here are:

* The Most secure data is the data that nobody knows you have

* Allowing limited access to a resource gives the possibility of someone finding (or creating) a vulnerability that gives them greater access

* Only expose those items that you want to be found out about.

Using these rules, you keep all things that you want the outside world to find out about OUTSIDE of your internal network (I.e. in the DMV), and you keep the information that you want to keep secure entirely separate, in an area that the outside world has zero access to.
0
Schedule a Tour of the ATEN booth at InfoComm 2017

Tour the ATEN booth to see the the Latest Addition to the Modular Matrix Switch Series, New 4K HDMI Over IP Extender and more! Enter ATEN's Ultimate Giveaway Sweepstakes for a chance to win one of several great prizes, including an ATEN US7220 2-Port Thunderbolt 2 Sharing Switch!

 

Author Comment

by:HawkeyeNash
ID: 10691162
Thanks for the input.

I do understand the philosphy of the DMZ.

I guess the real issue is that one camp beleives that the Reverse Proxy offers all of the protection that a DMZ offers and states that there is no need to set up a DMZ because we are just a protected by the reverse proxy.

I need laid out in concrete terms what a DMZ offers that the reverse proxy does not.  Why am I safer with a DMZ then with reverse proxy alone?



0
 
LVL 15

Accepted Solution

by:
periwinkle earned 100 total points
ID: 10691541
Here's one reason:

http://archives.neohapsis.com/archives/firewalls/2001-q1/1335.html

Apparently, Microsoft doesn't support SSL connections between the server and the reverse proxy - so that means that the information travels as plain text.

Another good article on DMZ:

http://www.giac.org/practical/gsec/Scott_Young_GSEC.pdf

... the part on Page 5 that is entitled "Why do I want a DMZ" is particularly good - some quotes:

"If you don't have a DMZ and your initial frontline perimeter is broken then the game is up. (...) A DMZ hides your important information an extra step away from an attacker."

Here's another interesting article on setting up your security policy:

Designing and Planning Windows NT External Security
By Tom Dodds, Eric Miyadi, and Tom Fuchs, Microsoft Consulting Services, Southern California
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/ntextsec.mspx

While this is angled towards Windows NT, it looks like it would be good advise for any flavor of Windows, really.

Intriguingly, it argues that a reverse proxy could make sense for the scenario that you describe, particularly if data being out of synch is of concern.  It's a balancing act.

No one will argue that it's more secure to keep things accessed from the outside from your internal network.  However, if it is extremely important that your data needs to be up to the minute accurate (i.e. very 'fresh'), then a reverse proxy will make sense...

I guess part of what needs to be answered is:

(1) How much interaction between the internal databases and external databases is needed?  I.e. does the data that is used by the web site come from a database that is kept to date on the inside or that needs to be 'up to the minute' fresh?

(2) How static is the data? If the data doesn't change often, then it makes a lot of sense to put it in the DMZ to keep it separate from your internal systems and to reduce one more potential security risk.

(3) If you are writing to the database, is the information something that could be imported into your internal network on a periodic basis, or does it need to be constantly updated?  If you can import the data on a daily basis into your internal network, then you have shorter periods of vulnerability... i.e. the connection to the internal and the external can be made available for a shorter amount of time.
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 10691630
I'm glad to have helped.  There's a wealth of information at Microsoft.com - go to:

http://search.microsoft.com 

and use the terms:

DMZ reverse proxy

... you'll get a lot of great resources at your fingertips.

You may also find the topics at the Microsoft Security Guidance Center: Server Security Index useful:

http://www.microsoft.com/security/guidance/topics/ServerSecurity.mspx
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question