Web Application Security

Hi there,

I'm looking for some insight on the best security design for several externally accessible web applications. We have several public IP addresses available and can simply do a 1:1 NAT for each web server, put it in a DMZ, or both. Each web server has an internal SQL database to complicate things. From a best security perspective I'm not sure if a 1:1 NAT will work fine or if I should use a DMZ. I would still like to allocate 1 public IP address per web server.


The advantage of NAT is that you can scale, or provide fail-over, to several servers - with some simple server load balancing that most firewalls can do.

Depending on the Web Application, you may want to do a lot more than NAT.

Have a look at Junos WebApp Secure, and other products, like FortiWeb.
btan (Exec Consultant) commented:
NAT is just a "cover", but if the web tier embeds an HTTP header such as XFF, even the real address will be revealed. Hence being in the DMZ is good practice; at least the tier scheme separating the DB tier is minimally enforced with FW rules (or minimal VLAN-ing). Sometimes the Web and App tiers tend to be in the same box, like Apache/Tomcat, for simplicity, and still the DB is way behind the DMZ. A web proxy such as ForeFront (previously ISA) or Squid is common, and URL filtering etc. in the application FW, such as an NGFW or Web application FW, fronts the web/app tier. There is still no change to the DMZ placement.

The proxy typically does the NAT (outbound and inbound, with port forwarding or load balanced among the Web servers/instances). Hence, I do encourage you to check out application delivery controllers (still behind your perimeter FW), e.g. F5 Networks, Citrix, Cisco (easily googled using the term) etc., fronting the web/app tier, which can do the web-aware checks (no leakage unnecessarily) and load balance for optimal performance. Some even do SSL termination, which the FW will be blind to.

Really, in totality, OWASP is one must-have reference if you are planning web application development for public access. Security controls need to be addressed from the very beginning, in the code, through to the testing stage, before it starts the "exposure". They have guidelines and practice cheat sheets (easily googled too) at their main site. The tools for testing are also quite comprehensive (sorry, I digress).
Shalom Carmel (CTO) commented:
DMZ is the better solution in terms of security.

The best practice is to place a reverse proxy in the DMZ and place the web server behind it. The web server will be either on the DMZ or on the regular network depending on the amount of interaction it has with other internal resources.

Web application attacks divide roughly into 2 parts: application logic and web server.

The application logic attacks (think XSS and SQL injection) are directed at your code and this setup will block them if the reverse proxy is a WAF of sorts.

The web server attacks are directed at the Apache/IIS/Java etc. infrastructure, and a successful attack can render the server under the attacker's control. Having a reverse proxy as a bastion host mitigates this risk by keeping the attacker out of your network and buying you time to fix the situation.
btan (Exec Consultant) commented:
NIST has a paper and checklist that can come in handy (section 8 is about "Implementing a Secure Network Infrastructure") - Guidelines on Securing Public Web Servers

There are various DMZ configurations that are a useful read, e.g. Simple Single-Firewall DMZ, Two-Firewall DMZ and Service Leg DMZ.


The advantages of a DMZ from a security standpoint are as follows:
- The Web server may be better protected, and network traffic to and from the Web server can be monitored.
- Compromise of the Web server does not directly threaten the internal production network.
- Greater control can be provided over the security of the Web server because traffic to and from the Web server can be controlled.
- The DMZ network configuration can be optimized to support and protect the Web servers.

The disadvantages of a DMZ from a security standpoint are as follows:
- DoS attacks aimed at the Web server may have an effect on the internal network.
- Depending on the firewall configuration controlling traffic between the DMZ and internal network, it may be possible for the Web server to be used to attack or compromise hosts on the internal network. In other words, protection offered by the DMZ depends in large part on the firewall configuration.

For organizations that support their own Web server, a DMZ is almost invariably the best option. It offers protection for the Web server and other externally accessible servers without exposing the internal network. However, it should only be considered secure when employed in conjunction with the other steps discussed in this document.
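
The point in the excerpt above, that a DMZ protects only as far as the firewall rules between zones allow, can be checked mechanically. The following is an added example, not part of the thread: it audits a constructed list of allow rules against the tiering the answers describe (web server in the DMZ, database behind it). The addresses, rule names and SQL port 1433 are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing plan (assumptions, not from the thread).
ZONES = {"dmz": ipaddress.ip_network("192.168.100.0/24"),
         "internal": ipaddress.ip_network("10.0.0.0/8")}
DB_HOST = ipaddress.ip_network("10.0.5.20/32")  # hypothetical SQL server
DB_PORT = 1433                                  # assumed SQL listener port
WEB_PORTS = {80, 443}
ANY = ("any", "0.0.0.0/0")

class Rule(NamedTuple):  # one "allow" rule
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: object  # int or "any"

def zone_of(cidr, any_as):
    """Zone of a rule endpoint; "any" maps to the worst case for that side."""
    if cidr in ANY:
        return any_as
    net = ipaddress.ip_network(cidr)
    return next((z for z, b in ZONES.items() if net.subnet_of(b)), "internet")

def audit(rules):
    """Return (rule name, finding) for each allow rule that weakens the DMZ."""
    findings = []
    for r in rules:
        src, dst = zone_of(r.src, "internet"), zone_of(r.dst, "internal")
        if src == "internet" and dst == "internal":
            findings.append((r.name, "internet reaches the internal network directly"))
        elif src == "internet" and dst == "dmz" and r.port not in WEB_PORTS:
            findings.append((r.name, "non-web port exposed on a DMZ host"))
        elif src == "dmz" and dst == "internal":
            to_db = r.dst not in ANY and ipaddress.ip_network(r.dst).subnet_of(DB_HOST)
            if not to_db or r.port != DB_PORT:
                findings.append((r.name, "DMZ reaches more than the database listener"))
    return findings

# Constructed sample ruleset; "nat-1to1" is a 1:1 NAT straight to an internal host.
RULES = [
    Rule("web-in",    "any",               "192.168.100.10/32", 443),
    Rule("web-to-db", "192.168.100.10/32", "10.0.5.20/32",      1433),
    Rule("rdp-in",    "any",               "192.168.100.10/32", 3389),
    Rule("dmz-wide",  "192.168.100.0/24",  "10.0.0.0/8",        "any"),
    Rule("nat-1to1",  "any",               "10.0.5.30/32",      443),
]

if __name__ == "__main__":
    print("\n".join(f"{name}: {finding}" for name, finding in audit(RULES)))
```

Only the inbound web rule and the single web-to-database rule pass; the other three are the kinds of rule that let a compromised web server, or the internet itself, reach the internal network.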

Graycon (Author) commented:
Thanks for the great feedback guys. Looks like a properly set up DMZ will do the job for me.