Firewall authentication webserver placement

Posted on 2006-03-25
Last Modified: 2013-11-16
My company has developed a web app that runs on Tomcat using MS SQL Server as a data source (both webserver and database are currently on the same box, which we will soon split).  Until now the web app has only been available and exposed to LAN users.  My question is how best to serve this app to remote users.  We do not want to use VPN as not all users will be employees and we cannot control VPN client software.  Further, the webserver has an SSL certificate, but again we do not want to allow a tunnel through the firewall that cannot be inspected.  Where should the webserver be placed so that if it is compromised it cannot access private data from our database, given that it must have access to the database for the web app to function? Is there some appliance that can authenticate users based on username and password and then allow or deny the SSL connection based on that information? We have limited on-staff IT, mostly programmers/developers, and a modest budget to implement this solution.  Thanks for all responses.
Question by: carlpenton

    Accepted Solution

    DMZ?

                                  DMZ (WebServer)

    SSL is about the confidentiality of the data. So whether you want it or not depends on what you run on it. Thinking of the kind of traffic that goes onto the WebServer, for the known attacks, it doesn't matter whether it is an attack or not. So think about it: even if you allow unencrypted traffic, firewalls can't prevent content-based attacks for the most part. Say somebody plants some kind of virus/trojan or anything in there; it doesn't matter for the firewall whether it is encrypted or unencrypted, because it just *can't* understand it. It can prevent most of the invalid packets. Say a Denial of Service is attempted: the firewall can stop that, because it can understand it.

    So then again, try implementing the above scenario with a firewall, and for content attacks, try implementing an Intrusion Detection System between the firewall and the WebServer. SNORT can serve well and it is free. It can detect most of the content attacks.

    This is only a start. You can start thinking in these lines.
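The DMZ placement the answer proposes can be checked before any hardware is bought by modelling the firewall policy and evaluating the flows that matter: Internet to the webserver on 443 only, the webserver to the database listener only, and nothing else from the DMZ into the LAN. The following is an added example written for this thread, not code from the asker or the answerer; the address plan (192.0.2.0/24 for the DMZ, 10.10.0.0/16 for the LAN), the host addresses and the port list are constructed for illustration, and the rule matcher is a simplified first-match model rather than any vendor's syntax.

```python
"""First-match firewall policy model for the DMZ design discussed above.

Added example (not from the original question or answer).  It lets you
verify that a compromised webserver in the DMZ can reach only the SQL
Server listener, and nothing else on the private LAN.  All addresses,
zones and ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption): three zones behind the firewall.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.10.0.0/16"),
}
WEB_SERVER = ipaddress.ip_address("192.0.2.10")   # Tomcat, placed in the DMZ
DB_SERVER = ipaddress.ip_address("10.10.5.20")    # SQL Server, stays on the LAN
FILE_SERVER = ipaddress.ip_address("10.10.5.30")  # some other private LAN host


def host(ip):
    """Single-address network for a host rule."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port

    def matches(self, src, dst, dport):
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# Ordered policy: the first matching rule wins, and anything unmatched is denied.
POLICY = [
    # Remote users reach only the HTTPS listener on the DMZ webserver.
    Rule("allow", ZONES["internet"], host(WEB_SERVER), 443),
    # The webserver reaches only the database listener on the LAN.
    Rule("allow", host(WEB_SERVER), host(DB_SERVER), 1433),
    # Everything else from the DMZ into the LAN is blocked, so a compromised
    # webserver cannot pivot to other private hosts.
    Rule("deny", ZONES["dmz"], ZONES["lan"], None),
    # The Internet never talks to the LAN directly, nor to other DMZ ports.
    Rule("deny", ZONES["internet"], ZONES["lan"], None),
    Rule("deny", ZONES["internet"], ZONES["dmz"], None),
]


def evaluate(src, dst, dport):
    """Return 'allow' or 'deny' for one flow, using first-match semantics."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"  # default deny when no rule matches


def exposure(src, targets, ports=(1433, 445, 3389, 80)):
    """List the (host, port) pairs that src may reach among the given targets.

    Run this with the webserver as src to confirm that the only thing it can
    touch on the LAN is the database listener.
    """
    return sorted((str(t), p) for t in targets for p in ports
                  if evaluate(src, t, p) == "allow")


if __name__ == "__main__":
    print("Internet -> web:443 :", evaluate("203.0.113.5", WEB_SERVER, 443))
    print("Internet -> db:1433 :", evaluate("203.0.113.5", DB_SERVER, 1433))
    print("web -> LAN exposure :", exposure(WEB_SERVER, [DB_SERVER, FILE_SERVER]))
```

The model only bounds network reachability. Even with this policy, the webserver still holds working credentials for the database, so what a compromised webserver can read is decided by the permissions of the account the web app logs in with, which is a separate control from the firewall.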

