Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1791
Views
0
Helpful
7
Replies

Best practice for setting ip address

arturmelyan
Level 1
Level 1

‎12-29-2019 03:42 AM

Hello,

 

Could you guys please explain me the best practice for configuration of Public ip address for web service(website) whether set it directly on web server which is behind a firewall\waf\ips or set it on firewall and do forwarding to private ip address of web server?

I expect to get an answer in terms of security with a couple of examples connected to attacks from outside and impact of them in both cases. the minor and big differences. 

Also if there are some aspects which should be taken into consideration for the future for scalability and other solution implementations please bring them on as well.

 

Thanks a bunch in advance. 

 

Labels:
0 Helpful
7 Replies 7

Oleg Volkov
Spotlight
Spotlight

‎12-29-2019 04:07 AM

Hi.
It is depend on your case.
Simple case:
You create dmz, place web server to it zone, and use firewall between dmz and inside and outside. Or use WAF . I am drive my car now and can draw simple diagram later
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎12-29-2019 04:28 AM

Always suggest protecting your Web Server should be Behind (Firewall) s- it is protected kind of attacks rather exposing the Public IP to the internet world.

 

WAF / Reverse proxy / LB is good also if you like to Load balance the Services with Multiple Web Servers for high availability.

 

if this is big level commercial web site with e-commerce, Look at DoS Mitigation products available in the market to redirect the traffic.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

arturmelyan
Level 1
Level 1
In response to balaji.bandi

‎12-29-2019 04:56 AM

I do appreciate your responses.

 

However it wasn't what I have been expecting. 

 

Simply put the question is as follows:

There are a few different web servers, there is BGP AS, there are security appliance(s) such as Firewall, IPS, WAF and Load Balancer. 

How will you prove the concept of setting up the Real IP on Firewall is better than do it straight on Server which is behind above-mentioned appliances?

 

Please post real best practice cases.

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to arturmelyan

‎12-29-2019 05:05 AM

Hope you know the better of your network (not we)

 

However, it wasn't what I have been expecting.   - BB -  this was expected since we do not manage your network, we only suggest based on the query you posted.

 

Simply put the question is as follows:

There are a few different web servers, there is BGP AS, there is security appliances (s) such as Firewall, IPS, WAF and Load Balancer. 

 

BB - Do you have any network diagram and if you don't have one - take spare time to create one HLD, so we as a community understand the requirement and your network

 

The suggestions made in general how the best practice does,It does not mean it work for everyone..so requirement and solution is network and environment-specific.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

arturmelyan
Level 1
Level 1
In response to balaji.bandi

‎12-29-2019 06:17 AM

Well, the diagram is attached. It is really simple infrastructure. nothing extraordinary and complicated.

 

I really understand that your suggested example is best practice. I just would like to understand it practically as a Best practice, not only in words"It is best practice.", so the question is Why?

 

So, based on the diagram, why the real ip should be set on the Firewall "arrowed" interface and it is considered as a best practice? 

 

What kind of other solutions could be expected in the future, that's why we should make NAT forwarding or proxy-ing instead of setting ip on the server and vise versa in advance? and what security-related conditions we should consider in both cases? 

 

 

Thank you. 

 

 

Preview file
41 KB
0 Helpful

Oleg Volkov
Spotlight
Spotlight
In response to arturmelyan

‎12-29-2019 08:50 AM

Reverse proxy (it also can be WAF) is good idea, because it allow simple load balance and more... It may be free software like Nginx for web servers. Avoid NAT if possible, use firewall
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

arturmelyan
Level 1
Level 1
In response to Oleg Volkov

‎12-29-2019 08:43 PM

Hey Oleg,

 

Thanks for your reply buddy.

 

I totally understand what you mean and I am all for avoiding NAT.

What I was looking for here to see I have already found and would like to share with you an example.

 

I was expecting to hear something like Multi Level protection.

Let's say our website has a page for uploading a picture, and the developer didn't care about file filtration and now anyone can upload any file with any extension to the server, not only jpeg. jpg. png. and etc. 

 

Now, a hacker(bad guy) can upload a php script which could establish a tunnel between our server and his machine hence giving an access to a hacker. 

So, if we put a real ip on Reverse Proxy, it is the first level protection which can prevent such scenario, but in the opposite, if the ip on the server there is a chance of successful shell access. Depends how your security reacts, inspect and handle source traffic.

 

Regards, 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card