
I'm trying to get the best picture for my infrastructure. I came across a business case where my app server (far beyond the DMZ and protected by 3 levels of firewalls) needs to talk with another (external and public) server.

I can open the firewalls in order to allow the communication with just the URL I wanted, but I don't think this is a good practice.

Looking for a clever solution, I've found a pattern where the app server asks for the resource from a server located in the DMZ, which avoids the "direct" internet connection for my server. The server in the DMZ will start the conversation and forward the data to the app server. This seems to be safer, but it's very weird and, to my taste, error prone.

Is there a good solution for this? Is it enough to open the firewall only for outbound traffic to a specific server?

Thank you all in advance.

SuperPiski

1 Answer

The DMZ server in your example could be a simple proxy server.

If you use a well known / open source proxy server, this will obscure a lot of information about your internal server and prevent some classes of attack in the event the internet service is compromised.

You can also use it for secure logging, which is particularly useful in the event of an incident on either side of the connection.

Colin Pickard
  • Thanks for your answer. I'm already using Apache as a gateway (reverse proxy) to my app server, I'll try to do the same in the opposite direction; anyway, I have my doubts about whether it can handle 2-way-SSL connections (the app server is the one that has the certificate when acting as client) – SuperPiski Nov 02 '16 at 17:21
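As an added example (not from the answer or the asker), a Squid configuration for the DMZ host that implements the answer's forward-proxy pattern: only the app server may use it, only the one external host is reachable, and every request is logged on the DMZ side. The addresses and the partner hostname are assumed placeholders. Because HTTPS is relayed as an opaque CONNECT tunnel and not intercepted, the TLS handshake still happens end to end, so the app server's own client certificate is presented to the external server unchanged, which covers the 2-way SSL case raised in the comment.

```conf
# squid.conf for the DMZ egress proxy
# Assumed placeholders: 192.0.2.5 is the proxy's DMZ interface, 10.0.1.10 is
# the internal app server, api.partner.example.com is the one external service

# Listen only on the DMZ-facing interface, never on 0.0.0.0
http_port 192.0.2.5:3128

# Who may use this proxy: the app server only
acl app_server src 10.0.1.10/32

# Where it may go: exactly one destination host
# (dstdomain matches the host of plain requests and of CONNECT targets alike)
acl partner_api dstdomain api.partner.example.com

# Tunnelling is allowed only towards the HTTPS port
acl SSL_ports port 443
acl CONNECT method CONNECT

# Rule order matters: the first matching http_access line wins
http_access deny CONNECT !SSL_ports
http_access allow app_server partner_api
http_access deny all

# Log every request with timestamp, client, outcome, method and URL; the log
# stays in the DMZ, so it survives a compromise of either end of the connection
logformat egress %ts.%03tu %>a %Ss/%03>Hs %rm %ru
access_log /var/log/squid/egress.log egress

# No ssl_bump directives: CONNECT is relayed as an opaque TCP tunnel, so the
# app server's client certificate reaches the external server untouched

# Do not leak internal details in outgoing headers, and never cache responses
via off
forwarded_for delete
cache deny all
```

With this in place the inner firewalls only need to permit TCP from the app server to 192.0.2.5:3128, and the outer firewall only needs to permit the proxy to reach the partner host on 443; the app server itself has no route to the Internet.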