<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic You're adding quite a bit of in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689178#M917756</link>
    <description>&lt;P&gt;You're adding quite a bit of server complexity for very small incremental benefit in security.&lt;/P&gt;&lt;P&gt;More secure - assuredly. Better reliability - probably not.&lt;/P&gt;&lt;P&gt;"Don't let the perfect be the enemy of the good."&lt;/P&gt;</description>
    <pubDate>Tue, 21 Jul 2015 02:40:46 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2015-07-21T02:40:46Z</dc:date>
    <item>
      <title>How to publish applications located on LAN to users comming from Internet</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689169#M917727</link>
      <description>&lt;P&gt;Dear Support.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a security concern.&lt;/P&gt;&lt;P&gt;I have an application based on my local network; this application is locally accessed by http. It's a critical application for the enterprise.&lt;/P&gt;&lt;P&gt;For business reasons, we need to allow users from the internet to access the application, read data, push and load files and perform other actions on the application.&lt;/P&gt;&lt;P&gt;My question is how can I give users coming from the internet access to the main application based on the LAN?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there a solution to secure the scenario?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 13:32:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689169#M917727</guid>
      <dc:creator>Rowlands Price</dc:creator>
      <dc:date>2020-02-21T13:32:09Z</dc:date>
    </item>
    <item>
      <title>Is this a homework assignment</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689170#M917730</link>
      <description>&lt;P&gt;Is this a homework assignment?&lt;/P&gt;</description>
      <pubDate>Sun, 19 Jul 2015 02:18:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689170#M917730</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2015-07-19T02:18:50Z</dc:date>
    </item>
    <item>
      <title>Dear Marvin; No, it's not a</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689171#M917734</link>
      <description>&lt;P&gt;Dear Marvin;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No, it's not a homework assignment, it's a real enterprise case.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Sun, 19 Jul 2015 06:41:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689171#M917734</guid>
      <dc:creator>Rowlands Price</dc:creator>
      <dc:date>2015-07-19T06:41:31Z</dc:date>
    </item>
    <item>
      <title>How does the enterprise</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689172#M917737</link>
      <description>&lt;P&gt;How does the enterprise connect to the Internet? That is, what device and version of software is in place? Is the enterprise using private IP addresses internally?&lt;/P&gt;&lt;P&gt;Generally speaking we use an access-list of some type on the perimeter security device. That allows incoming traffic to the destination host on specified protocols and ports (i.e. tcp/80 for http). If there's private addressing internally, we also put in place a static network address translation (NAT) or port address translation (PAT) policy to&amp;nbsp;allow the remote clients to use a publicly reachable address.&lt;/P&gt;&lt;P&gt;If the users are all your enterprise users or trusted business partners, we can use virtual private network (VPN) solutions to protect the traffic end to end. Since our application uses insecure http, that solution would be preferred.&lt;/P&gt;</description>
      <pubDate>Sun, 19 Jul 2015 13:31:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689172#M917737</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2015-07-19T13:31:14Z</dc:date>
    </item>
    <item>
      <title>Dear MarvinThe enterprise is</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689173#M917741</link>
      <description>&lt;P&gt;Dear Marvin&lt;/P&gt;&lt;P&gt;The enterprise is connected to the internet by a Cisco ASA 5520; there are two interfaces: gi0/0 sec 0 connected to the Internet and Gi0/1 sec 100 connected to the LAN.&lt;/P&gt;&lt;P&gt;Yes, the enterprise is using private IP addresses internally.&lt;/P&gt;&lt;P&gt;For now we are using static NAT with an ACL for traffic coming from the internet to a public IP natted to the server's private one.&lt;/P&gt;&lt;P&gt;My question is, for security reasons, is it normal to allow traffic coming from the internet directly to a critical application located on the LAN?&lt;/P&gt;&lt;P&gt;Or must we use a DMZ and push all traffic from the internet first to the DMZ? If yes, how to do it?&lt;/P&gt;&lt;P&gt;How does online banking work? When you consult your bank account with login and password, is our traffic connected directly to the main server of the bank?&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jul 2015 02:18:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689173#M917741</guid>
      <dc:creator>Rowlands Price</dc:creator>
      <dc:date>2015-07-20T02:18:37Z</dc:date>
    </item>
    <item>
      <title>Well there is seldom a "must"</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689174#M917743</link>
      <description>&lt;P&gt;Well there is seldom a&amp;nbsp;"must" or "must not" in such things.&lt;/P&gt;&lt;P&gt;Commonly accepted best practice is to use a DMZ. The server is relocated to a dedicated subnet where only publicly accessible servers are located. You allow outside clients to initiate traffic only to the proper ports and protocols on the web server and then further allow the web server to initiate communications to internal resources per its known and required service profile.&lt;/P&gt;&lt;P&gt;There are all sorts of additional hardening measures one can take. I would reiterate the securing of the application traffic via requiring https instead of the completely insecure http. That's one method. Others include things like using a layer 7 Web Application firewall in front of your server. Such functionality is available from most load balancers / application delivery controllers (such as&amp;nbsp;Citrix Netscaler, F5 BigIP, etc.).&lt;/P&gt;&lt;P&gt;That may not be practical for a small shop without any such existing infrastructure and only a single app running on a single server but you asked how larger enterprises such as banks do it. They use multiple layers of security at multiple points in the access, processing and storage subsystems to implement defense in depth.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jul 2015 21:04:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689174#M917743</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2015-07-20T21:04:40Z</dc:date>
    </item>
    <item>
      <title>Thanks MarvinAttached is my</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689175#M917745</link>
      <description>&lt;P&gt;Thanks Marvin&lt;/P&gt;&lt;P&gt;Attached is my schema. For now there is no DMZ, only a firewall with 2 interfaces: one interface in the LAN and the other on the internet.&lt;/P&gt;&lt;P&gt;Actually the traffic from the internet is directly natted to the application server in the LAN with http and not https (my concern).&lt;/P&gt;&lt;P&gt;So, I will create a third interface called dmz and place a proxy server in the DMZ (like in the scheme)&lt;/P&gt;&lt;P&gt;1-/ Traffic from the internet will be directed to the proxy server in the DMZ&lt;/P&gt;&lt;P&gt;2-/ The proxy server in the DMZ will initiate communication with the application server based on the LAN&lt;/P&gt;&lt;P&gt;Is this more secure for my enterprise?&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jul 2015 21:39:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689175#M917745</guid>
      <dc:creator>Rowlands Price</dc:creator>
      <dc:date>2015-07-20T21:39:01Z</dc:date>
    </item>
    <item>
      <title>Yes it is somewhat more</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689176#M917749</link>
      <description>&lt;P&gt;Yes it is somewhat more secure if you can set up the proxy server as you show in your diagram.&lt;/P&gt;&lt;P&gt;It can be tricky to get it to do all the things you need with a web server that's doing more than serving up simple static web pages. I mention this since you had asked about loading data and files earlier. That bit of the configuration is all inside the proxy server though, and how it interacts with your web server. That's outside my area of expertise.&lt;/P&gt;&lt;P&gt;More commonly we would see the web server itself be located in that DMZ zone. Both internal and external users would access it there, with the only difference being external users would use the public IP and be subjected to the incoming access-list. Internal users would use the address in the DMZ and not normally be subject to access-list restrictions since they are coming from a higher security level.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jul 2015 21:44:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689176#M917749</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2015-07-20T21:44:49Z</dc:date>
    </item>
    <item>
      <title>OK, thanks, so to avoid</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689177#M917751</link>
      <description>&lt;P&gt;OK, thanks&lt;/P&gt;&lt;P&gt;So to avoid the reverse proxy server in the DMZ initiating traffic to the main application, I think it will be more secure to use another, private DMZ.&lt;/P&gt;&lt;P&gt;I will install another server in the private DMZ and the main application will copy all data to the server in the private DMZ, so the reverse proxy server will only initiate traffic with the copy in the private DMZ.&lt;/P&gt;&lt;P&gt;The main application server in the LAN will update data every time to its copy in the private DMZ.&lt;/P&gt;&lt;P&gt;Attached is the diagram.&lt;/P&gt;&lt;P&gt;What do you think about this scenario?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jul 2015 22:16:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689177#M917751</guid>
      <dc:creator>Rowlands Price</dc:creator>
      <dc:date>2015-07-20T22:16:27Z</dc:date>
    </item>
    <item>
      <title>You're adding quite a bit of</title>
      <link>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689178#M917756</link>
      <description>&lt;P&gt;You're adding quite a bit of server complexity for very small incremental benefit in security.&lt;/P&gt;&lt;P&gt;More secure - assuredly. Better reliability - probably not.&lt;/P&gt;&lt;P&gt;"Don't let the perfect be the enemy of the good."&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jul 2015 02:40:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-publish-applications-located-on-lan-to-users-comming-from/m-p/2689178#M917756</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2015-07-21T02:40:46Z</dc:date>
    </item>
  </channel>
</rss>

