Ben,
What I meant was the proxy server in the DMZ can't open a connection to the
real server inside the firewall. It can only write on a connection that was
pre-opened by the server inside the firewall.
The security people seem to think that by not allowing new connections to
come in through the Proxy server, the real server inside the firewall would
be safe even if the proxy server is compromised. I am not sure how
convincing the argument is. Please let me know if their assumption is sound.
Again, if you know of some products/implementations of this, please let me
know.
Thanks,
Sumeet
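The layout described in this thread, as an added illustration (not code from either poster): the internal server dials out to a DMZ relay once, the relay pushes each internet client's request over that pre-opened channel, and the reply comes back the same way. Everything runs on loopback with constructed requests; the 4-byte length framing, the port numbers, and the toy `internal_app` handler are assumptions for the demo. What it makes visible is the point Ben raises: the firewall only ever sees one outbound TCP connection from the inside, yet every request byte the internet client sends still ends up in the internal server's parser, so the internal host is exposed to whatever the relay forwards.

```python
import socket
import struct
import threading


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def send_frame(sock: socket.socket, payload: bytes) -> None:
    """Length-prefixed framing (assumed here) so messages survive TCP coalescing."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


ALLOWED_PATHS = {b"/index", b"/about"}   # constructed sample content


def internal_app(request: bytes) -> bytes:
    """Toy application on the protected host. It never accepts a connection,
    but every byte it parses here was chosen by an internet client."""
    method, _, path = request.partition(b" ")
    if method != b"GET":
        return b"400 bad request"
    return b"200 " + path if path in ALLOWED_PATHS else b"404 not found: " + path


class DmzRelay:
    """Runs in the DMZ: a control port for the internal server's outbound
    connection and a public port for internet clients."""

    def __init__(self) -> None:
        self.ctl = socket.socket()
        self.ctl.bind(("127.0.0.1", 0))
        self.ctl.listen(1)
        self.pub = socket.socket()
        self.pub.bind(("127.0.0.1", 0))
        self.pub.listen(5)
        self.control_port = self.ctl.getsockname()[1]
        self.public_port = self.pub.getsockname()[1]
        self.tunnel = None               # the single pre-opened channel
        self.lock = threading.Lock()     # one request in flight on it
        self.forwarded = []              # audit log: bytes pushed inward

    def serve(self) -> None:
        self.tunnel, _ = self.ctl.accept()   # inside -> DMZ: the only TCP open
        while True:
            client, _ = self.pub.accept()
            threading.Thread(target=self.handle_client, args=(client,),
                             daemon=True).start()

    def handle_client(self, client: socket.socket) -> None:
        with client:
            request = recv_frame(client)
            with self.lock:
                self.forwarded.append(request)
                send_frame(self.tunnel, request)   # data still flows inward
                reply = recv_frame(self.tunnel)
            send_frame(client, reply)


def internal_server(relay_host: str, control_port: int, handler) -> None:
    """Inside the firewall: connect out once, then answer whatever arrives."""
    with socket.create_connection((relay_host, control_port)) as tunnel:
        while True:
            try:
                request = recv_frame(tunnel)
            except ConnectionError:
                return
            send_frame(tunnel, handler(request))


def demo(requests=(b"GET /index", b"GET /secret")):
    """Start relay and internal server, push constructed client requests
    through the public port, and report what the internal host parsed."""
    relay = DmzRelay()
    threading.Thread(target=relay.serve, daemon=True).start()
    threading.Thread(target=internal_server,
                     args=("127.0.0.1", relay.control_port, internal_app),
                     daemon=True).start()
    replies = []
    for req in requests:
        with socket.create_connection(("127.0.0.1", relay.public_port)) as c:
            send_frame(c, req)
            replies.append(recv_frame(c))
    return {"replies": replies, "reached_internal_server": list(relay.forwarded)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the picture side by side: the relay's `forwarded` list is exactly the client input that crossed into the internal network, and the replies show the internal server acting on it. A firewall rule that only permits the outbound control connection changes who opens the socket, not what the internal parser has to handle.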
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 20, 2000 7:53 PM
To: 'Sumeet Vij'; [EMAIL PROTECTED]
Subject: RE: How do I do a reverse Invoke
OK, I'm not sure I understand your question. I _think_ you mean that there
are no new connections allowed from the DMZ into the internal network. This
means that the proxy server in the DMZ cannot be used to reverse-proxy the
external requests for WWW data on the internal server.
This is normal.
To solve the problem you will need to reconfigure your firewall or move the
WWW server in question into the DMZ. I would tell your firewall people to
allow inbound connections from the proxy server to the internal WWW source
for port 80. Your extra risk is that if someone compromises the proxy server
then they can start looking for port 80 exploits on the internal server.
Therefore, it follows that your proxy server should be examined for
trustworthiness as a security principal (i.e. make sure it's not going to fall
over).
What I _think_ you're talking about would have the same effect as allowing
the proxy-server to talk to the internal network except that it probably
wouldn't work and even if it did it would almost certainly break something,
security-wise.
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: Sumeet Vij [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 19 August 2000 2:53 AM
> To: [EMAIL PROTECTED]
> Subject: How do I do a reverse Invoke
>
>
> Hey folks,
> My problem is like this:
> * I have two app servers, one in the DMZ and another on the corporate
> intranet protected by a firewall.
> * Due to security restrictions, the firewall has been configured to only
> allow connections to be opened from inside, i.e. only the server on the
> corporate intranet can make a connection to the proxy server in the DMZ
> outside the firewall.
> * Clients from the internet will be connecting to the Proxy in the DMZ. The
> proxy then has to send the request on the already open connection, which
> was initiated by the server inside the firewall, and then get the response
> when the server inside the firewall opens another connection as the
> response.
> Therefore the requests coming in from the internet go from the proxy in the
> internet to the real server as responses to a pre-existing request opened by
> the real server.
> I hope I made the situation clear. I want to know if you have seen another
> product out there which does this or somebody who has implemented a solution
> to this already.
> A reply will be really appreciated.
> Thanks,
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>