• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1245
  • Last Modified:

Apache Redirection from DMZ to LAN

hello

i want to redirect some of the http connections coming from internet to our apache server located  in our DMZ to the app server - running under apache/php- located in our LAN. our firewall rules do not allow direct http connections from internet to our corporate LAN; I do not want to change these rules.

I found the below solution which seems to be responding to my expectations.

http://www.experts-exchange.com/Operating_Systems/Linux/Q_21270618.html

My query is;  would this solution cause security holes to the app server in LAN or even to the entire LAN  ??

Thank you

0
tgunduz
Asked:
tgunduz
2 Solutions
 
ahoffmannCommented:
> .. cause security holes to the app server in LAN ..
this server in LAN then is subject to all web application security threats the same way as it would be in the DMZ
you have to enshure that your web/application server and all their applications are hardend.
The only advantage you have is that the servers ar protected on network level.

> .. or even to the entire LAN
depends on your OS and applications on the server
If your applications are vulnerable to SQL and/or OS command injection, then your LAN could be compromised too.
0
 
macker-Commented:
Realistically, the DMZ is there for a reason; any servers that are facing the outside world are in a protected segment, where they cannot reach internal servers.  You're talking about bridging that gap, effectively punching a hole in a security wall.

Yes, you can do it, but take ahoffman's advice to heart.  If the internal LAN server is in any way vulnerable to HTTP-based attacks that are being forwarded, it can be leveraged against the rest of your LAN, depending on what the attack can achieve.  Generally speaking, it's best to leave such interaction to levels where the input is carefully controlled... e.g. querying an SQL database thru a specific account, such that the only data that could ever be compromised will not affect the rest of the operations on your LAN.
0
 
tgunduzAuthor Commented:
thank you guys !!
0

Featured Post

Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now