Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: DMZ and critical data

from [Mohammad Ali Sarbanha] Network Security [Permanent Link]
Subject: Re: DMZ and critical data
Date: Mon, 10 Jul 2006 08:41:43 +0330
Hi Brian, Pedro,
Thanks for your valuable information, but I'm not sure if virtual machine can help in this issue, suppose if a hacker can remotely execute a code on your server and gain control of your server (even partially) he might be able to breach into your database as well. This would also make many limitations while extending the infrastructure.

Snapshots are sometimes valuable but it depends on the stored data. Becasue, losing the data can be recovered by a backup restoration but the damage of divulged information is sometimes irrecoverable, i.e. credit card information.

Another method is to proxy the webserver! both webserver and database server can be kept on intranet and a proxy server can be installed on DMZ to allow Internet users being able to access corporate intranet webserver. Some more tricks on the firewall (usuing NAT and PAT) would enable you to make conectivity between proxy server and internal webserver.

The advantage of this method is that you still have your critical servers directly inaccessible to the Internet and if you face any problem with your proxy your information is still behind the closed doors! In worst case, if a hacker breachs into your proxy server he still have a long way to get into your internal network.

Kind Regards,
Mohammad-Ali



Brian J. Bartlett wrote:

Hi Pedro,
        " My sugestion is to put a webserver in the internal network and
configure a Vpn, but it is not possible for the client."  I'm a bit
mystified that they can not use a VPN given that free solutions do exist but
given that restriction, and not to add to the other proposed solutions, I
can see two other available approaches.
        The first is to have a second DMZ that is connected only to the
first with appropriate port and network IP address restrictions so that only
the web-based application server can access it.  You would need to make sure
that it is backed up very regularly in case the web-based application server
gets cracked (hacked), which seems to happen with all too much regularity
these days.  Log mirroring to an internal network host would be highly
suggested.  I would also take advantage of network monitoring, with
appropriate filters, to monitor traffic between the web-based application
server and the file and database server.
        Another approach which I have been playing with for the last couple
of years is to host the critical file and database server on a virtual
machine that is only accessible on the VM internal network from the
web-based application server.  In many ways this is no different from using
a second DMZ and you still face the problem of the web-based application
server being cracked (hacked) but there is one significant difference.  It
is very easy to use scheduled snapshots and/or differencing to do the
backups so that very little is lost if/when the worst occurs.  True, you do
need a bit of heft to the host, but many servers today have quite a bit of
headroom now.  Mine certainly does, it barely reaches 3% utilization and it
is running three databases (SQL Server 2000 SP4, SQL Server 2005 SP1,
Progressive SQL).  Even virtualized, there are more than enough resources to
go around on this three year old, single CPU 2.8 GHz Pentium 4, 1 GB RAM
machine.  This approach also simplifies restoration and works quite well
with LDAP, DNS, and other critical servers, especially as there are now
administrative tools that allow you to migrate the virtual machines to
another machine should the host server fail.  Lastly, I would also take
advantage of network traffic monitoring.
        Given how many of the virtualization products are becoming available
for free, and the much lower hardware costs today, it's an approach whose
time has come, I believe.


-Bri


-----Original Message-----
From: Pedro Henrique Morsch Mazzoni [mailto:phmazzoni@gmail.com] Sent: Friday, July 07, 2006 7:23 AM
To: webappsec@securityfocus.com
Subject: DMZ and critical data

Hello,

I am doing a project of network security to a friend of mine.
We will do a back-to-back DMZ, with a external and a internat firewall.
In our project, only the web and mail servers stay in DMZ.
But the company wants to access a webbased application from the internet.
The webserver needs access to a file and a database server, but the
data on this server is critical.
My sugestion is to put a webserver in the internal network and
configure a Vpn, but it is not possible for the client.
I don´t want to put the file and database servers on the DMZ, put if I
put it on the internal network the webserver on the DMZ has to access
the server, wich compromises my security.

Any sugestions?

Pedro Mazzoni

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------






-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Webscarab how to?, Rogan Dawes
Next by Date:  Intrusion Detection, David Robert
Previous by Thread:  RE: DMZ and critical data, Brian J. Bartlett
Next by Thread:  Intrusion Detection, David Robert
Indexes:  [Date] [Thread] [Top] [All Lists]