Home page logo
/

basics logo Security Basics mailing list archives

Re: External facing web servers on the inside network.
From: danuxx () gmail com
Date: Wed, 13 Oct 2010 18:43:19 +0000

You basically mentioned good reasons to keep web servers in the dmz but now you need to justify it.

Does the company is under a regulatory compliance like PCI, SOX, HIPPA, Iso 27001? What about the internal security 
policies?

Any time when you tell the company about potential fines and other money-related impacts they will listen to security.
Sent via BlackBerry from Danux Network

-----Original Message-----
From: roberticoles () gmail com
Sender: listbounce () securityfocus com
Date: Mon, 11 Oct 2010 11:57:21 
To: <security-basics () securityfocus com>
Subject: External facing web servers on the inside network.

where I work, the IT architects have proposed that external facing web servers be placed on our inside network vs. the 
dmz.  reason: ease of administration.
background:
they have placed a reverse proxy server (apache with mod_proxy...and not mod_security) in the dmz.  we, the security 
team, have also placed a web application firewall in the dmz that is only monitoring traffic into and out of the dmz.  
not in remediation mode yet.
so...now the IT architects think that because we have a reverse proxy and WAF, all external facing web servers can be 
moved to the inside of our network.
I'm fighting this, but not getting much support.
wouldn't you still want the web server to reside in a dmz?  I mean what if the exploit was against apache or iis and 
the WAF didn't detect/remediate.  or what if the web server admin knowingly or unknowingly configured the web server to 
allow remote admin access, amongst other things.  I'd certainly prefer that the compromised server be isolated from the 
inside.  our inside network is flat.  no isolation between servers, workstations and printers.
give me your thoughts on this.  please!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault