Hello Himer,

this is probably not the response you wanna hear ...

On 22.06.2017 at 22:47, Himer Martinez wrote:
> Hello Guys,
>
> Sorry to bother you with my specific questions :-)
>
> Let's imagine a paranoid security team who forbid http and tcp flows between
> the dmz zone and the green zone, they estimate that if a hacker can take
> control of the dmz zone server then they can access the green zone from that
> server, so flows going from the dmz zone to the green zone are forbidden and
> blocked by network firewalls,
>
> First idea : So what I need is to create something like a reverse tunnel
> between the green zone and HAProxy,

Clarification: what you or your security team is saying is:

- a DMZ host establishing a TCP connection to the green zone is insecure (even if the only open port is HTTP)
- a green zone host establishing whatever bidirectional connections to the DMZ servers is secure

Is that a correct interpretation?

> (requests are going from the dmz zone to the green zone with a reverse
> connection)

So by reverse tunneling you basically circumvent your firewalls and any security policies that may be in place. You are opening the "DMZ --> Green Zone" path, just in a less direct way, and most likely without or with less consideration regarding security.

> Forbidden :
> Internet --> DMZ --> Green Zone
>
> Authorized :
> Internet --> DMZ <--- Green Zone

This is a ridiculous concept. DMZ needs Green Zone data, either move your Green Zone hosts into the DMZ or make the service you need reachable (considering security aspects, of course). By reverse-tunneling you don't gain any security advantage; instead, you are overcomplicating your setup, most likely bypassing restrictive firewalls, and opening an attack surface you are not considering.

> First idea : So what I need is to create something like a reverse tunnel
> between the green zone and HAProxy,

What you need to do is analyze your *REAL* requirements, from a security perspective and otherwise, and then build a concept around it. Instead you are slamming a 1999 "perimeter security" concept on your network which doesn't match your requirements and are now trying to circumvent the perimeters, because otherwise you are unable to provide whatever service you need to run.

Now to the part that you do wanna hear: How can one best bypass a perimeter firewall that is blocking one direction of traffic but not the other? Use any VPN that you are familiar with, as that is exactly what they are built for. OpenVPN, strongSwan, etc.

cheers,
lukas

