
I am a novice to the network security domain. For one of our clients, we are trying to propose a network model where an Apache proxy/web server will be the only one exposed in the DMZ (Demilitarized Zone) and the application servers/DB will be inside the WAN. But the client is insisting on keeping an application server running out in the DMZ.

We know that it's a security risk, but we are not able to back ourselves up by putting solid points across.

The questions I have are,

  • Would exposing just 80 or 443 still compromise the security?
  • Can a hacker push bots or take control of the server and in turn reach the internal network?
  • What kind of security measures need to be taken given this approach?

Note: We are using Windows servers.

Xander
manu bhat
    The [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013-Top_10) is a list of the most prevalent types of attacks that affect web applications. Attacks don't target ports (80 or otherwise); they target vulnerable applications. What the attacks can accomplish is entirely dependent on the specific application. – Xander Aug 08 '14 at 14:06
  • Well, every network is vulnerable. See the network example in the Treasure Hunt dataset. It shows an example where the web server was in the DMZ. The attacker attacks the web server in the DMZ and uses the compromised web server to attack the DB server in the private LAN. http://ictf.cs.ucsb.edu/data/treasurehunt2002/ – Ubaidah Aug 08 '14 at 19:41

2 Answers

WAN or LAN?

would exposing just 80 or 443 still compromise the security?

Yes it would - there could be numerous vulnerabilities in the web app that an attacker could use to gain control of it.

Can a hacker push bots or take control of the server and in turn reach the internal network?

Yes, once they have control of the web server they might be able to leverage that access to gain control of other machines. It very much depends on which other internal servers that machine can communicate with.

What kind of security measures need to be taken given this approach?

I would recommend you hire a security firm to pen test this. Before deployment you could arrange for your application to be audited in a separate environment.

SilverlightFox

I agree with your client.

I would much rather see a 3 tier architecture than a Web/Proxy communicating directly to a DB server on your internal network. (2 Tier)

Ideally you would have:

(Web DMZ) --> (App DMZ) --> (Internal Network)

Or better yet:

(Web DMZ) --> (App DMZ) --> (Database DMZ)


The WebDMZ is the presentation tier. The AppDMZ is the logic tier. The Internal Network or DBDMZ is the data tier.

The WebDMZ (presentation tier) should be the only tier exposed to the internet.

k1DBLITZ
  • I don't think that's what the OP meant. There are three tiers, but now the second tier lives in the DMZ alongside the first tier, rather than in the internal network with the third tier. – Xander Aug 08 '14 at 20:07
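As an added illustration, not code from any answer on this page: a small Python model of SilverlightFox's point that lateral reach "depends on which other internal servers that machine can communicate with", applied to the three layouts discussed (the OP's proposal, the client's proposal as Xander reads it, and k1DBLITZ's three-tier layout). Host names, zone names, ports and the assumption that hosts sharing a zone can reach each other unfiltered are all constructed for the example.

```python
from collections import deque

ANY = "any"  # marks an unfiltered path: hosts sharing a zone, no firewall between them

# Constructed layouts: (host -> zone, cross-zone allow rules (src, dst) -> ports).
OP_PROPOSAL = (  # web/proxy alone in the DMZ; app and DB both on the internal network
    {"web": "dmz", "app": "internal", "db": "internal"},
    {("web", "app"): {8080}},
)
CLIENT_PROPOSAL = (  # app server moved out into the DMZ next to the web server
    {"web": "dmz", "app": "dmz", "db": "internal"},
    {("app", "db"): {1433}},
)
THREE_TIER = (  # k1DBLITZ: each tier in its own zone, only the next tier reachable
    {"web": "web_dmz", "app": "app_dmz", "db": "db_dmz"},
    {("web", "app"): {8080}, ("app", "db"): {1433}},
)

def lateral_reach(zones, rules, start="web"):
    """Breadth-first walk from a compromised host. Assumption: hosts in the same zone
    can reach each other on every port (no east-west filtering); crossing a zone
    boundary needs an explicit allow rule. Returns {host: (hops, ports reachable)}."""
    reached = {start: (0, set())}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, zone in zones.items():
            if dst == src:
                continue
            ports = {ANY} if zone == zones[src] else set(rules.get((src, dst), ()))
            if not ports:
                continue
            if dst not in reached:
                reached[dst] = (reached[src][0] + 1, ports)
                queue.append(dst)
            elif reached[dst][0] == reached[src][0] + 1:
                reached[dst][1].update(ports)  # second path of equal length
    return reached

def unfiltered_hops(reach):
    """Hosts the attacker reaches with no firewall in the way at all."""
    return sorted(host for host, (_, ports) in reach.items() if ANY in ports)

if __name__ == "__main__":
    for name, layout in (("OP", OP_PROPOSAL), ("client", CLIENT_PROPOSAL), ("3-tier", THREE_TIER)):
        reach = lateral_reach(*layout)
        print(f"{name:7}: {reach}  unfiltered={unfiltered_hops(reach)}")
```

In every layout the DB is two hops from the web server, but only the three-tier layout puts a filtered port between each hop; the OP's layout leaves the DB wide open to a compromised app server, and the client's layout leaves the app server wide open to a compromised web server.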