 
From: Kestas (systemonlineALTAVISTA.COM)
Date: Fri Mar 23 2001 - 01:58:37 CST


    Ryan,

    OK. I’ll try to explain exactly what we want to build. First, it is a mission-critical application with sensitive data. At the moment we use NT boxes with ASP scripts to provide database content. Yes, we would like to provide secure content to a backend system.

    The first web server (could be an extremely hardened NT box with SSL option) stays as the first frontier for web users. All hits come through the first firewall to this web server via HTTPS. The only job it must do is to pass HTTP traffic to the real web server with ASP scripts. The first web server has no additional software pieces, and it is quite difficult to administrate. But that is the cost of hardening. A second firewall with IDS is placed in between these two web servers. In that way we could analyze the HTTP flow to prevent intrusion. You are right in saying that it may actually introduce new vulnerabilities into the equation. But in such a way we could control HTTP content, and nobody knows (I hope) what kind of real web server I use and what kind of application it runs. It becomes quite difficult to break in. Even if I successfully broke the first firewall and the first web server, I have nothing except an alarm and a lot of noise!
    The second web server is the real company web (application) server. It hosts ASP scripts and COM objects, and it communicates with the database server via a third firewall (or some other similar device). Etc., etc., etc.

    I see another way. I could host my ASP scripts on the first web server, but all COM objects should be moved to another NT box (n-tier application). And once again I should spend a lot of time hardening these boxes.

    OK. Let’s go back to my question. How could I use IIS as the first web server?
    I believe that there could be another way. Anyway, I’d like to discuss the existing scheme.

    Thanks

    Kestas
    systemonlinealtavista.com

    ----- Original Message -----
    From: "Ryan Permeh" <ryanEEYE.COM>
    To: <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Thursday, March 22, 2001 10:07 AM
    Subject: Re: Two web servers scheme

    > what exactly is this scheme intended to provide? secure content to a backend
    > system? right now, i see that you have 5 systems to deal with (patch,
    > monitor logs, protect from malicious stuff, etc). this is not necessarily
    > going to buy you more security, just more administration (and likely
    > integration headaches). if you are looking at a load balancing solution
    > that multiplexes the https, you may want to consider using a more traditional
    > n-tier scheme with a backend middleware component(s) and even further backend
    > database/storage...
    >
    > basically, your front end webserver should be tight. make certain you
    > validate input there, before you pass the information to the middleware.
    > depending on what you are using to deal with content delivery from the http
    > to the https to the user may actually introduce new vulnerabilities into the
    > equation.
    >
    > simplify your designs and spend more time hardening them than making complex
    > systems that are difficult to administrate, difficult to control, and not
    > necessarily less difficult to mess with.
    > Signed,
    > Ryan Permeh
    > eEye Digital Security Team
    > http://www.eEye.com/Retina -Network Security Scanner
    > http://www.eEye.com/Iris -Network Traffic Analyzer
    >
    > ----- Original Message -----
    > From: "Kestas" <systemonlineALTAVISTA.COM>
    > To: <FOCUS-MSSECURITYFOCUS.COM>
    > Sent: Wednesday, March 21, 2001 12:12 AM
    > Subject: Two web servers scheme
    >
    >
    > > Hi,
    > >
    > > I'm trying to build some kind of trusted NT web platform (like a handmade HP
    > > Virtual Vault :)) ). I want to separate the front-end web server and the real
    > > company web server.
    > >
    > > The scheme could be:
    > >
    > > Internet -> Firewall 1 -> Front End Web srv. With SSL (https only) ->
    > > Firewall 2 -> Real Web server (http) ->Firewall 3 ->
    > >
    > > Web users could access only the first (front end) web server via https. Then
    > > requests will be passed to the web server where the application and scripts are
    > > stored (through a firewall (including IDS)). Of course, both servers are built
    > > on bastion hosts with a minimal set of permissions, etc.
    > >
    > > My question: does anybody have any suggestions regarding the front-end web server?
    > > MS IIS? Apache? Maybe it would be good to have different OSes and servers on
    > > both web servers? That makes it difficult to detect the real application
    > > platform. The first web server should be quite "stupid". It should be only
    > > a hardened https server with the ability to pass traffic to the next server.
    > >
    > > Thanks.
    > >
    > > Kestas
    > > systemonlinealtavista.com
    > >
    > >
    > >

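
The two front-end duties raised in this thread (validate input before relaying it, and keep the back-end platform from showing through), as an added Python example that is not code from either poster. The limits, the extension list and the function names are assumptions; it checks the request line and framing headers only and leaves query-string content to the application.

```python
# Added illustration, not code from the thread. Limits, extensions and
# function names are assumptions chosen for the example.
import posixpath
import re
from urllib.parse import unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.-]*")      # applied after one decode
ALLOWED_EXT = {"", ".asp", ".htm", ".html", ".css", ".js", ".gif", ".jpg"}
MAX_TARGET = 2048                                 # length of request target
MAX_BODY = 64 * 1024                              # bytes of request body
# Response headers that name the back-end platform.
IDENTIFYING = {"server", "x-powered-by", "via"}


def check_request(method, target, headers):
    """Return (True, decoded_path) if the request may be relayed,
    else (False, reason). Relay the returned path, not the raw target."""
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > MAX_TARGET:
        return False, "request target too long"
    try:
        parts = urlsplit(target)
    except ValueError:
        return False, "unparseable request target"
    if parts.scheme or parts.netloc:
        return False, "absolute URI not accepted"
    path = unquote(parts.path)
    # A second layer of encoding leaves '%' behind, which SAFE_PATH rejects.
    if not SAFE_PATH.fullmatch(path):
        return False, "illegal character in path"
    if any(seg in (".", "..") for seg in path.split("/")):
        return False, "dot segment in path"
    if posixpath.splitext(path)[1].lower() not in ALLOWED_EXT:
        return False, "extension not served"
    names = {k.lower(): v for k, v in headers.items()}
    # One body framing only, so both servers agree where the body ends.
    if "transfer-encoding" in names:
        return False, "chunked bodies not relayed"
    length = names.get("content-length", "0")
    if not length.isdigit() or int(length) > MAX_BODY:
        return False, "bad or oversized Content-Length"
    return True, path


def scrub_response_headers(headers):
    """Drop back-end headers that tell a client which server sits behind."""
    return [(k, v) for k, v in headers if k.lower() not in IDENTIFYING]
```
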