
The system I am working on primarily uses Google App Engine for my main web app and Amazon CloudFront/S3 for hosting static data.

Now as an audit exercise this question is out to me:

Are the internet facing components of the service hosted in a separate network zone (DMZ) protected by firewalls?

I am not sure what is the best way to answer this question because Google and Amazon may or may not have deployed a DMZ.

My questions:

  1. Where can I find out the DMZ information from the vendors to answer this question?

  2. Is it applicable for me to answer this kind of question? I don't think as a platform user I am able to answer questions regarding the network partition/topology on behalf of these organisations. If not, how would you formulate an answer?

Anthony Kong
  • This may be better suited to [ServerFault](https://serverfault.com/) – Jedi May 01 '17 at 03:26
  • I think the real question is: does this audit question apply to my infrastructure? It doesn't. The question assumes that you host the service yourself. Do you need a DMZ if using your setup? No. The fact that you are using GAE means you have a de facto DMZ. – schroeder May 01 '17 at 11:38
  • If an auditor posed this question to me (knowing what you provided), I'd answer "not applicable". It's the auditor's job to then come back with relevant questions that address the way your infrastructure works. – schroeder May 01 '17 at 11:40
  • @schroeder Great comments! It introduces clarity into how I should respond to the questions – Anthony Kong May 01 '17 at 11:50

1 Answer

Within AWS, you can create a VPC allowing you to define your own virtual network.

You can partition this into subnets. As an example, you could have web servers in a public subnet (effectively a DMZ network) and your internal servers (say databases) in a private subnet. You can use NAT to initiate outgoing connections from the private subnet to the Internet (say, for patching).

AWS provides security groups that are analogous to IP/port-based firewall rules.

GCP provides similar abstractions for virtual networks, subnets and firewalls.

Jedi
  • In AWS I am already using VPC and Security Group. Maybe I can argue it is effectively a DMZ. However Google App Engine does not offer the same set of networking features in GCP. I presume Google must have put some DMZ in place. It is something I want to find out and report to auditors – Anthony Kong May 01 '17 at 03:35
  • Aah, yes. I was addressing the question in your heading, about the ability to create DMZs. For a GAE app I would agree with the comments above -- the audit does not apply (though getting the auditor to agree with you may not be so easy) – Jedi May 02 '17 at 23:43