cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
512
Views
5
Helpful
12
Replies

Secure access to Web-Application Server

Imran Ahmad
Level 2
Level 2

Hello Experts,

We want to put a Web-Application Server inside our DMZ connected to Cisco ASA.     I want to know, how can i secure/encrypt the traffic transiting my firewall which gets into my Web-Application Server?  

Please advise

Waheed

12 Replies 12

gaowen
Level 1
Level 1

This question doesn't make a whole lot of sense. You want to encrypt HTTP traffic after it arrives from the internet on toward your web server? I can't think of a single use case where that would add any value, although you could use a site to site VPN to another security device in the DMZ which would achieve this.

Hi Gaowen,

i want to clarify alitle more. We have  core database server located in our Datacenter. Our database developer team has built a Web-Application-Server (that is not web server) which is put in our DMZ . This web-app server will be accessable from outside , public users will login to this web-app server through web to access thier accounts which exist in the Core-database server located in our Datacenter. That mean this web-app server will have connection to the core database server. 

i want to encrypt only the username and password which public users type when they try to login to thier account through web.  How to do that?

Anyone can give any idea

Hi Imran,

"i want to encrypt only the username and password which public users type when they try to login to their account through web"

This you may need to look for any available third party solution, but also keep in mind that it makes your t-shoot hard, when user types wrong user id (encrypted) etc. However, to add addl security to your webserver  (and traffic exchanged between user PC <-> Server), few suggestions below

Few suggestions (assuming you only have a traditional ASA)..

1. Allow only 'https' (with higher tls) connections only to DMZ server from Internet

2. Implement two factor authentication  (passscode + RSA token code) to log on to webserver.

3. Strong certificate

4. If you know the public IPs from where users initiate connections - allow those IPs only.

hth

MS

Hi mvsheik,

you suggested me 4 options.  option 1 and 4 is configurable on the ASA.    but options 2 & 3  are not belong to ASA, i need to implement them on the Webserver right ?    like i need install a signed certificate on to my webserver ? the ASA is not involved and need any certificate itself, because ASA is not doing this authentication process.    am i right ?

That is correct, Imran.

Thx

MS

Thank you mvsheik for your support

Any idea anyone else, plz 

anyone else can give me idea?

Anyone can give idea plz ?

.

Hello,

I still can't figure out what you're trying to achieve here:

"Our database developer team has built a Web-Application-Server (that is not web server) which is put in our DMZ . This web-app server will be accessable from outside , public users will login to this web-app server through web"

Is it a web server or not?

If you are trying to use the network to encrypt just the username and password, you are going to need to do something very bespoke. I'd recommend just using a remote access solution from the internet into your DMZ then once the VPN is established then users will be able to submit their credentials to the web server, which won't be in the DMZ, it'll be in a more secure zone.

Gareth

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: