Home page logo
/

basics logo Security Basics mailing list archives

External facing web servers on the inside network.
From: roberticoles () gmail com
Date: Mon, 11 Oct 2010 11:57:21 -0600

where I work, the IT architects have proposed that external facing web servers be placed on our inside network vs. the 
dmz.  reason: ease of administration.
background:
they have placed a reverse proxy server (apache with mod_proxy...and not mod_security) in the dmz.  we, the security 
team, have also placed a web application firewall in the dmz that is only monitoring traffic into and out of the dmz.  
not in remediation mode yet.
so...now the IT architects think that because we have a reverse proxy and WAF, all external facing web servers can be 
moved to the inside of our network.
I'm fighting this, but not getting much support.
wouldn't you still want the web server to reside in a dmz?  I mean what if the exploit was against apache or iis and 
the WAF didn't detect/remediate.  or what if the web server admin knowingly or unknowingly configured the web server to 
allow remote admin access, amongst other things.  I'd certainly prefer that the compromised server be isolated from the 
inside.  our inside network is flat.  no isolation between servers, workstations and printers.
give me your thoughts on this.  please!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault