Firewall authentication webserver placement

Posted on 2006-03-25
Last Modified: 2013-11-16
My company has developed a web app that runs on Tomcat using MS SQL Server as a data source (both web server and database are currently on the same box, which we will soon split). Until now the web app has only been available and exposed to LAN users. My question is how best to serve this app to remote users. We do not want to use VPN, as not all users will be employees and we cannot control VPN client software. Further, the web server has an SSL certificate, but again we do not want to allow a tunnel through the firewall that cannot be inspected. Where should the web server be placed so that if it is compromised it cannot access private data from our database, given that it must have access to the database for the web app to function? Is there some appliance that can authenticate users based on username and password and then allow or deny the SSL connection based on that information? We have limited on-staff IT, mostly programmers/developers, and a modest budget to implement this solution. Thanks for all responses.
Question by:carlpenton
Accepted Solution

by:
rsivanandan earned 1500 total points
ID: 16289224
DMZ?

Internet---------------Firewall------------------Intranet
                                  |
                              DMZ (WebServer)

SSL is about the confidentiality of the data. So whether you want it or not depends on what you run on it. Thinking of the kind of traffic that goes to the WebServer, for the known attacks, it doesn't matter whether it is an attack or not. So think about it: even if you allow unencrypted traffic, firewalls can't prevent content-based attacks for the most part. Say somebody plants some kind of virus/trojan or anything in there; it doesn't matter to the firewall whether it is encrypted or unencrypted because it just *can't* understand it. It can prevent most of the invalid packets. Say a Denial of Service can be done, and the firewall can stop that because it can understand it.

So then again, try implementing the above scenario with a firewall, and for content attacks, try implementing an Intrusion Detection System between the firewall and the WebServer. SNORT can serve well and it is free. It can do most of the content attacks.

This is only a start. You can start thinking along these lines.

Cheers,
Rajesh
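
The DMZ layout in the answer above, as an added example that is not part of the original post: a first-match firewall policy for the three zones, plus a check of what a compromised web server could still open. All addresses, the HTTPS port 443 and the SQL Server port 1433 are assumptions for illustration.

```python
# Added example: three-leg firewall policy for the Internet / DMZ / Intranet layout.
# Every address, port and rule below is a constructed assumption.
from ipaddress import ip_address, ip_network

WEB = "192.168.50.10"        # Tomcat host in the DMZ (assumed address)
DB = "10.0.20.5"             # SQL Server host on the intranet (assumed address)
DMZ = "192.168.50.0/24"
INTRANET = "10.0.0.0/8"
ANY = "0.0.0.0/0"

# Ordered rules for NEW TCP connections, first match wins.
# (action, source, destination, port or None for any port)
# Reply packets are assumed to be handled by stateful connection tracking.
RULES = [
    ("allow", ANY, WEB, 443),        # remote users reach only HTTPS on the web server
    ("allow", WEB, DB, 1433),        # web server reaches only the SQL Server listener
    ("deny", DMZ, INTRANET, None),   # nothing else from the DMZ into the intranet
    ("allow", INTRANET, ANY, None),  # LAN users may go out, including to the DMZ
    ("deny", ANY, ANY, None),        # default deny (also blocks DMZ -> Internet)
]

def decide(src, dst, port):
    """Return the action of the first rule matching a new TCP connection."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rport in RULES:
        if s in ip_network(rsrc) and d in ip_network(rdst) and rport in (None, port):
            return action
    return "deny"

def reachable_from(src, targets, ports):
    """List the (host, port) pairs a host could open if it were compromised."""
    return [(t, p) for t in targets for p in ports if decide(src, t, p) == "allow"]

if __name__ == "__main__":
    lan_hosts = [DB, "10.0.20.6", "10.0.1.15"]   # constructed intranet hosts
    ports = [22, 135, 445, 1433, 3389]
    print(reachable_from(WEB, lan_hosts, ports))
```

The firewall narrows the compromised server's reach to one port on one host; what can be read over that connection is decided by the permissions of the SQL Server login the web app uses.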