From: Kline, Greg (gregory.s.klineGD-IS.COM)
Date: Fri Mar 23 2001 - 16:30:57 CST
Sounds to me like a proxy server should be your first web server. The
proxy server should run as a secure reverse proxy server, meaning that
it accepts SSL connections from the internet, and uses SSL to connect
through your firewall to the backend server. I've seen Netscape proxy
server used for this sort of thing. I believe that you can use some sort
of authentication on the external proxy server, to ensure that only valid
connections are passed through the firewall.
Sent by: Focus on Microsoft Mailing List <FOCUS-MSSECURITYFOCUS.COM>
03/23/01 01:58 AM
Please respond to Focus on Microsoft Mailing List
Subject: Re: Two web servers scheme
OK. I'll try to explain what exactly we want to build. First, it is a
mission critical application with sensitive data. At the moment we use NT
boxes with ASP scripts to provide database content. Yes, we would like to
provide secure content to a backend system.
The first web server (could be an extremely hardened NT box with SSL
option) stays as the first frontier for web users. All hits come through the
first firewall to this web server via HTTPS. The only job it must do is to
pass HTTP traffic to the real web server with ASP scripts. The first web
server has no additional software pieces and it is quite difficult to
administrate. But that is the cost of hardening. A second firewall with IDS
is placed in between these two web servers. In that way we could analyze the
HTTP flow to prevent intrusion. You are right in saying that it may actually
introduce new vulnerabilities into the equation. But in such a way we could
control HTTP content and nobody knows (I hope) what kind of real web
server I use and what kind of application it runs. It becomes quite
difficult to break in. Even if I successfully broke the first firewall and
first web server I have nothing except an alarm and a lot of noise!
The second web server is the real company web (application) server. It hosts
ASP scripts and COM objects and communicates with the database server via a
third firewall (or some other similar device). Etc., etc., etc.
I see another way. I could host my ASP scripts on the first web server,
but all COM objects should be moved to another NT box (n-tier
application). And once again I should spend a lot of time hardening these
OK. Let's go back to my question. How could I use IIS as the first web
I believe that there could be another way. Anyway, I'd like to discuss the
existing scheme.
----- Original Message -----
From: "Ryan Permeh" <ryanEEYE.COM>
Sent: Thursday, March 22, 2001 10:07 AM
Subject: Re: Two web servers scheme
> what exactly is this scheme intended to provide? secure content to a
> system? right now, i see that you have 5 systems to deal with (patch,
> monitor logs, protect from malicious stuff, etc). this is not
> going to buy you more security, just more administration (and likely
> integration headaches). if you are looking at a load balancing solution
> that multiplexes the https, you may want to consider using a more
> n-tier scheme with a backend middleware component(s) and even further
> basically, your front end webserver should be tight. make certain you
> validate input there, before you pass the information to the middleware.
> depending on what you are using to deal with content delivery from the
> to the https to the user may actually introduce new vulnerabilities into
> simplify your designs and spend more time hardening them than making
> systems that are difficult to administrate, difficult to control, and
> necessarily less difficult to mess with.
> Ryan Permeh
> eEye Digital Security Team
> http://www.eEye.com/Retina -Network Security Scanner
> http://www.eEye.com/Iris -Network Traffic Analyzer
> ----- Original Message -----
> From: "Kestas" <systemonlineALTAVISTA.COM>
> To: <FOCUS-MSSECURITYFOCUS.COM>
> Sent: Wednesday, March 21, 2001 12:12 AM
> Subject: Two web servers scheme
> > Hi,
> > I'm trying to build some kind of trusted NT web platform (like
> Virtual Vault :)) ). I want to separate front-end web server and real
> company web server.
> > The scheme could be:
> > Internet -> Firewall 1 -> Front End Web srv. With SSL (https only) ->
> Firewall 2 -> Real Web server (http) ->Firewall 3 ->
> > Web users could access only the first (front end) web server via https.
> requests will be passed to the web server where application and scripts are
> stored (through a firewall (including IDS)). Of course, both servers are
> on bastion hosts with a minimal set of permissions, etc.
> > My question. Has anybody any suggestions regarding front-end web
> MS IIS? Apache? Maybe it would be good to have different OS and servers
> both web servers? It makes it difficult to detect the real application
> platform. The first web server should be quite "stupid". It should be a
> hardened https server with the ability to pass traffic to the next server.
> > Thanks.
> > Kestas
> > systemonlinealtavista.com
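As an added example (not from any message in this thread), this is how the "stupid" hardened HTTPS-only front end that Kestas describes, and the secure reverse proxy that Greg suggests, could be expressed as an Apache httpd configuration: it terminates SSL for internet users, relays only one application path, and re-encrypts toward the real web server while verifying its certificate. The hostnames, paths and certificate locations are placeholders, and mod_ssl, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added example, not part of the thread. Front-end server speaks HTTPS only:
# no Listen 80, so plain HTTP is never accepted from the internet.
Listen 443
ServerTokens Prod
ServerSignature Off

# Never act as a forward (open) proxy; only the explicit ProxyPass rule applies.
ProxyRequests Off
ProxyPreserveHost On

<VirtualHost *:443>
    ServerName www.example.com            # placeholder public name

    # SSL toward internet users.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/frontend.crt      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/frontend.key    # placeholder
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # SSL again through the second firewall to the backend, and insist that
    # the backend presents a certificate issued by the internal CA.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt   # placeholder
    SSLProxyCheckPeerName on

    # Relay only the application path; everything else is refused here,
    # so the backend and its platform are never exposed directly.
    ProxyPass        /app/ https://app.internal.example/app/   # placeholder backend
    ProxyPassReverse /app/ https://app.internal.example/app/

    <Location />
        Require all denied
    </Location>
    <Location /app/>
        Require all granted
    </Location>

    # Keep logs of what was relayed so the IDS between the two servers
    # is not the only record of the HTTP flow.
    LogLevel warn
    CustomLog /var/log/httpd/frontend-access.log combined   # placeholder path
</VirtualHost>
```

Client authentication on the external proxy, which Greg mentions, would be added to the same virtual host (for example with SSLVerifyClient) rather than on the backend.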