How to publish applications located on LAN to users comming from Internet

Rowlands Price (Level 1)

Dear Support.

 

I have a security concern.

I have an application based on my local network; this application is locally accessed by http. It's a critical application for the enterprise.

For business reasons, we need to allow users from the Internet to access the application, read data, push and load files, and perform other actions on the application.

My question is: how can I give users coming from the Internet access to the main application, which is based on the LAN?

 

Is there a solution to secure this scenario?

 

Thanks


9 Replies

Marvin Rhoads (Hall of Fame)

Is this a homework assignment?

Dear Marvin;

 

No, it's not a homework assignment, it's a real enterprise case.

Regards

How does the enterprise connect to the Internet? That is, what device and version of software is in place? Is the enterprise using private IP addresses internally?

Generally speaking we use an access-list of some type on the perimeter security device. That allows incoming traffic to the destination host on specified protocols and ports (i.e. tcp/80 for http). If there's private addressing internally, we also put in place a static network address translation (NAT) or port address translation (PAT) policy to allow the remote clients to use a publicly reachable address.

If the users are all your enterprise users or trusted business partners, we can use virtual private network (VPN) solutions to protect the traffic end to end. Since our application uses insecure http, that solution would be preferred.

Dear Marvin

The enterprise is connected to the Internet by a Cisco ASA 5520; there are two interfaces: Gi0/0 (sec 0) connected to the Internet and Gi0/1 (sec 100) connected to the LAN.

Yes, the enterprise is using private IP addresses internally.

For now we are using static NAT with an ACL for traffic coming from the Internet to a public IP NATted to the server's private one.

My question is: for security reasons, is it normal to allow traffic coming from the Internet directly to a critical application located on the LAN?

Or must we use a DMZ and push all traffic from the Internet first to the DMZ? If yes, how do I do it?

How does online banking work? When you consult your bank account with a login and password, is your traffic connected directly to the main server of the bank?

Regards

Well there is seldom a "must" or "must not" in such things.

Commonly accepted best practice is to use a DMZ. The server is relocated to a dedicated subnet where only publicly accessible servers are located. You allow outside clients to initiate traffic only to the proper ports and protocols on the web server and then further allow the web server to initiate communications to internal resources per its known and required service profile.

There are all sorts of additional hardening measures one can take. I would reiterate the securing of the application traffic via requiring https instead of the completely insecure http. That's one method. Others include things like using a layer 7 Web Application firewall in front of your server. Such functionality is available from most load balancers / application delivery controllers (such as Citrix Netscaler, F5 BigIP, etc.).

That may not be practical for a small shop without any such existing infrastructure and only a single app running on a single server but you asked how larger enterprises such as banks do it. They use multiple layers of security at multiple points in the access, processing and storage subsystems to implement defense in depth.
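The DMZ design described above (outside clients reach only the web server's published port, the web server reaches only its known internal dependency), as an added ASA configuration fragment that is not from this thread. All addresses, names and ports are assumptions: Gi0/2 as the new dmz interface, 192.168.50.10 as the DMZ web server, 203.0.113.10 as its public address, 10.1.1.10 tcp/8443 as the internal resource it needs, and ASA 8.3+ object NAT syntax.

```cisco
! Third interface for the DMZ (assumed: Gi0/2, security-level 50, between outside=0 and inside=100)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! DMZ web server (assumed address) with a static one-to-one NAT to an assumed public address
object network WEB_DMZ
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
!
! Internal resource the web server must reach (assumed address)
object network APP_INSIDE
 host 10.1.1.10
!
! Outside clients may initiate only HTTPS to the web server; everything else is dropped.
! Post-8.3 ACLs reference the real (private) address, not the translated one.
access-list OUTSIDE_IN extended permit tcp any object WEB_DMZ eq https
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! The DMZ host may initiate only its known service profile toward the inside (tcp/8443 assumed).
! The explicit deny also stops a compromised DMZ host from reaching any other inside host;
! add explicit permits above it for anything else the host legitimately needs (DNS, updates).
access-list DMZ_IN extended permit tcp object WEB_DMZ object APP_INSIDE eq 8443
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface dmz
```

Inside users (security level 100) reach the server's DMZ address without an extra ACL because traffic flows from a higher to a lower security level by default, which is the behaviour described later in the thread.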

Thanks Marvin

Attached is my schema. For now there is no DMZ, only a firewall with 2 interfaces: one interface in the LAN and the other on the Internet.

Actually, the traffic from the Internet is directly NATted to the application server in the LAN with http and not https (my concern).

So, I will create a third interface called dmz and place a proxy server on the DMZ (as in the schema):

1. Traffic from the Internet will be directed to the proxy server in the DMZ.

2. The proxy server in the DMZ will initiate communication with the application server based on the LAN.

Is this more secure for my enterprise?

Regards.

Yes it is somewhat more secure if you can setup the proxy server as you show in your diagram.

It can be tricky to get it to do all the things you need with a web server that's doing more than serving up simple static web pages. I mention this since you had asked about loading data and files earlier. That bit of the configuration is all inside the proxy server though and how it interacts with your web server. That's outside my area of expertise.

More commonly we would see the web server itself be located in that DMZ zone. Both internal and external users would access it there, with the only difference being external users would use the public IP and be subjected to the incoming access-list. Internal users would use the address in the DMZ and not normally be subject to access-list restrictions since they are coming from a higher security level.

OK, thanks

So, to avoid the reverse proxy server in the DMZ initiating traffic to the main application, I think it will be more secure to use another, private DMZ.

I will install another server in the private DMZ, and the main application will copy all data to the server in the private DMZ, so the reverse proxy server will only initiate traffic with the copy in the private DMZ.

The main application server in the LAN will update its copy in the private DMZ every time.

Attached is the diagram.

What do you think about this scenario?

 

Regards

You're adding quite a bit of server complexity for very small incremental benefit in security.

More secure - assuredly. Better reliability - probably not.

"Don't let the perfect be the enemy of the good."
