From: Kline, Greg (gregory.s.kline@GD-IS.COM)
Date: Fri Mar 23 2001 - 16:30:57 CST


    Sounds to me like a proxy server should be your first web server. The
    proxy server should run as a secure reverse proxy server, meaning that
    it accepts SSL connections from the Internet, and uses SSL to connect
    through your firewall to the backend server. I've seen Netscape proxy
    server used for this sort of thing. I believe that you can use some sort
    of authentication on the external proxy server, to ensure that only valid
    connections are passed through the firewall.

    Kestas <systemonline@ALTAVISTA.COM>
    Sent by: Focus on Microsoft Mailing List <FOCUS-MS@SECURITYFOCUS.COM>
    03/23/01 01:58 AM
    Please respond to Focus on Microsoft Mailing List

     
            To: FOCUS-MS@SECURITYFOCUS.COM
            cc:
            Subject: Re: Two web servers scheme

    Ryan,

    OK. I'll try to explain what exactly we want to build. First of all, it is a
    mission-critical application with sensitive data. At the moment we use NT
    boxes with ASP scripts to provide database content. Yes, we would like to
    provide secure content to a backend system.

    The first web server (could be an extremely hardened NT box with SSL
    option) stays as the first frontier for web users. All hits come through
    the first firewall to this web server via HTTPS. The only job it must do is
    to pass HTTP traffic to the real web server with ASP scripts. The first web
    server has no additional software pieces, and it is quite difficult to
    administer. But that is the cost of hardening. A second firewall with IDS
    is placed between these two web servers. In that way we could analyze the
    HTTP flow to prevent intrusion. You are right saying that it may actually
    introduce new vulnerabilities into the equation. But in this way we could
    control the HTTP content, and nobody knows (I hope) what kind of real web
    server I use and what kind of application it runs. It becomes quite
    difficult to break in. Even if I successfully broke the first firewall and
    the first web server, I would have nothing except an alarm and a lot of noise!
    The second web server is the real company web (application) server. It hosts
    ASP scripts and COM objects, and it communicates with the database server via
    a third firewall (or some other similar device). And etc etc etc.

    I see another way. I could host my ASP scripts on the first web server,
    but all COM objects should be moved to another NT box (n-tier
    application). And once again I should spend a lot of time hardening these
    boxes.

    OK. Let's go back to my question. How could I use IIS as the first web
    server?
    I believe that there could be another way. Anyway, I'd like to discuss
    the existing scheme.

    Thanks

    Kestas
    systemonline@altavista.com

    ----- Original Message -----
    From: "Ryan Permeh" <ryan@EEYE.COM>
    To: <FOCUS-MS@SECURITYFOCUS.COM>
    Sent: Thursday, March 22, 2001 10:07 AM
    Subject: Re: Two web servers scheme

    > what exactly is this scheme intended to provide? secure content to a backend
    > system? right now, i see that you have 5 systems to deal with (patch,
    > monitor logs, protect from malicious stuff, etc). this is not necessarily
    > going to buy you more security, just more administration (and likely
    > integration headaches). if you are looking at a load balancing solution
    > that multiplexes the https, you may want to consider using a more traditional
    > n-tier scheme with a backend middleware component(s) and even further backend
    > database/storage...
    >
    > basically, your front end webserver should be tight. make certain you
    > validate input there, before you pass the information to the middleware.
    > depending on what you are using to deal with content delivery from the http
    > to the https to the user may actually introduce new vulnerabilities into the
    > equation.
    >
    > simplify your designs and spend more time hardening them than making complex
    > systems that are difficult to administrate, difficult to control, and not
    > necessarily less difficult to mess with.
    > Signed,
    > Ryan Permeh
    > eEye Digital Security Team
    > http://www.eEye.com/Retina -Network Security Scanner
    > http://www.eEye.com/Iris -Network Traffic Analyzer
    >
    > ----- Original Message -----
    > From: "Kestas" <systemonline@ALTAVISTA.COM>
    > To: <FOCUS-MS@SECURITYFOCUS.COM>
    > Sent: Wednesday, March 21, 2001 12:12 AM
    > Subject: Two web servers scheme
    >
    >
    > > Hi,
    > >
    > > I'm trying to build some kind of trusted NT web platform (like a handmade
    > > HP Virtual Vault :)) ). I want to separate the front-end web server and the
    > > real company web server.
    > >
    > > The scheme could be:
    > >
    > > Internet -> Firewall 1 -> Front End Web srv. With SSL (https only) ->
    > > Firewall 2 -> Real Web server (http) -> Firewall 3 ->
    > >
    > > Web users could access only the first (front end) web server via https.
    > > Then requests will be passed to the web server where the application and
    > > scripts are stored (through a firewall (including IDS)). Of course, both
    > > servers are built on bastion hosts with a minimal set of permissions, etc.
    > >
    > > My question. Does anybody have any suggestions regarding the front-end web
    > > server? MS IIS? Apache? Maybe it would be good to have different OSes and
    > > servers on both web servers? It makes it difficult to detect the real
    > > application platform. The first web server should be quite "stupid". It
    > > should be only a hardened https server with the ability to pass traffic to
    > > the next server.
    > >
    > > Thanks.
    > >
    > > Kestas
    > > systemonlinealtavista.com
    > >
    > >
    > > Find the best deals on the web at AltaVista Shopping!
    > > http://www.shopping.altavista.com
    > >

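The "stupid" front end the thread keeps circling back to (an HTTPS-only server whose only job is to validate a request and relay it over SSL through the inner firewall, without revealing what the real application server is) can be written in a few dozen lines today. The following is an added example in Go; it is not code from anyone in this thread, nor from Netscape proxy, IIS or any other product named here. It assumes the application lives under /app/, that the backend presents a certificate issued by an internal CA stored in backend-ca.pem, a 1 MiB request-body cap, and placeholder names (app.internal.example, frontend.crt, frontend.key); all of those are assumptions, not facts from the thread.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"regexp"
	"strings"
)

// Only paths the application is known to serve are forwarded (assumption:
// it lives under /app/). '%', ';', '\' and whitespace are left out on purpose.
var allowedPath = regexp.MustCompile(`^/app/[A-Za-z0-9_./-]{0,128}$`)

// Largest request body the front end will relay (assumption: 1 MiB).
const maxBody int64 = 1 << 20

// Validate is the whole policy a request must pass before anything crosses
// the inner firewall: 0 means forward, otherwise the status to answer with.
func Validate(r *http.Request) (int, string) {
	if r.Method != http.MethodGet && r.Method != http.MethodPost {
		return http.StatusMethodNotAllowed, "method not allowed"
	}
	// RawPath is set only when the client used percent-encoding that differs
	// from the canonical form (e.g. %2e%2e for ".."); refuse to guess how the
	// backend would decode such a path.
	if r.URL.RawPath != "" {
		return http.StatusBadRequest, "encoded path"
	}
	if p := r.URL.Path; strings.Contains(p, "..") || !allowedPath.MatchString(p) {
		return http.StatusNotFound, "path not served"
	}
	if r.ContentLength > maxBody {
		return http.StatusRequestEntityTooLarge, "body too large"
	}
	return 0, ""
}

// NewFrontEnd is the public handler: run Validate, then relay over a fresh
// TLS connection whose server certificate must chain to backendCA.
func NewFrontEnd(backend *url.URL, backendCA *x509.CertPool) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	director := rp.Director
	rp.Director = func(req *http.Request) {
		director(req)
		req.Host = backend.Host           // backend sees its own name, not the public one
		req.Header.Del("X-Forwarded-For") // never relay a client-supplied proxy chain
	}
	rp.Transport = &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    backendCA, // pin to the internal CA; no public roots
			MinVersion: tls.VersionTLS12,
		},
	}
	// Drop response headers that reveal the real application server.
	rp.ModifyResponse = func(resp *http.Response) error {
		for _, h := range []string{"Server", "X-Powered-By", "X-AspNet-Version"} {
			resp.Header.Del(h)
		}
		return nil
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code, why := Validate(r); code != 0 {
			http.Error(w, why, code)
			return
		}
		if r.Body != nil { // cap chunked bodies too; ContentLength misses them
			r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed deployment: backend behind the inner firewall, its internal CA in
	// backend-ca.pem, the front end's own cert and key in frontend.crt/.key.
	backend, _ := url.Parse("https://app.internal.example:443")
	caPEM, err := os.ReadFile("backend-ca.pem")
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(caPEM) {
		log.Fatal("cannot load backend-ca.pem")
	}
	srv := &http.Server{
		Addr:      ":443",
		Handler:   NewFrontEnd(backend, pool),
		TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12},
		// For a closed user population, add ClientAuth: tls.RequireAndVerifyClientCert
		// and ClientCAs to the TLSConfig above, as the reply in this thread suggests.
	}
	log.Fatal(srv.ListenAndServeTLS("frontend.crt", "frontend.key"))
}
```

The policy lives in Validate so it can be exercised without a network: anything that is not a plain GET or POST to a known path is answered by the front end itself, and an unknown path gets a 404 rather than a hint about what lies behind. The proxy terminates TLS on the public side and opens a new TLS session to the backend pinned to the internal CA, which is the "SSL through the firewall to the backend" arrangement described above; what it deliberately does not do is interpret the application's own parameters, because that is the application server's job and duplicating it here would only add code to harden.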