Lukas,

Ha, I like the comment about DMZs being a concept from 1999 :-).

Sorry if I'm going slightly off topic. We put a comic style picture at the bottom of this blog about, "Our DMZ is so secure we can't even get into it!"
https://www.loadbalancer.org/blog/what-exactly-is-a-reverse-proxy

I find people are constantly trying to 'work around the DMZ' rather than just getting rid of them. And don't get me started on bridges:
https://www.loadbalancer.org/blog/transparent-vs-explicit-proxy-which-method-should-i-use#bridge-mode
Malcolm Turnbull
Loadbalancer.org Ltd.
www.loadbalancer.org
+44 (0)330 380 1064
[email protected]

On 23 June 2017 at 00:05, Lukas Tribus <[email protected]> wrote:
> Hello Himer,
>
>
> this is probably not the response you wanna hear ...
>
>
>
> On 22.06.2017 at 22:47, Himer Martinez wrote:
>> Hello Guys,
>>
>> Sorry to bother you with my specific questions :-)
>>
>> Let's imagine a paranoid security team who forbid http and tcp flows
>> between the dmz zone and the green zone, they estimate that if a hacker can
>> take control of the dmz zone server they can access the green zone from
>> that server, so flows going from the dmz zone to the green zone are
>> forbidden and blocked by network firewalls,
>>
>> First idea : So what I need is to create something like a reverse tunnel
>> between the green zone and HAProxy,
>
> Clarification: what you or your security team is saying is:
>
> - a DMZ host establishing a TCP connection to the green zone
>   is insecure (even if the only open port is HTTP)
> - a green zone host establishing whatever bidirectional connections
>   to the DMZ servers is secure
>
> Is that a correct interpretation?
>
>
>
>>
>> (requests are going from the dmz zone to the green zone with a reverse
>> connection)
>
> So by reverse tunneling you basically circumvent your
> firewalls and any security policies that may be in place.
>
> You are opening the "DMZ --> Green Zone" path, just in a less
> direct way, and most likely without or with less considerations
> regarding security.
>
>
>
>> Forbidden :
>> Internet --> DMZ --> Green Zone
>>
>> Authorized :
>> Internet --> DMZ <--- Green Zone
>
> This is a ridiculous concept. DMZ needs Green Zone data, either move
> your Green Zone hosts into the DMZ or make the service you need
> reachable (considering security aspects, of course).
>
> By reverse-tunneling you don't gain any security advantage, instead, you
> are overcomplicating your setup, bypassing most likely restrictive firewalls,
> opening an attack surface you are not considering.
>
>
>
>> First idea : So what I need is to create something like a reverse tunnel
>> between the green zone and HAProxy,
>
> What you need to do is analyze your *REAL* requirements, from a security
> perspective and otherwise, and then build a concept around it.
>
> Instead you are slamming a 1999 "perimeter security" concept on your network
> which doesn't match your requirements and are now trying to circumvent the
> perimeters, because otherwise you are unable to provide whatever service you
> need to run.
>
>
> Now to the part that you do wanna hear:
>
> How can one best bypass a perimeter firewall that is blocking one direction
> of traffic but not the other? Use any VPN that you are familiar with, as that
> is exactly what they are built for. OpenVPN, strongSwan, etc.
>
>
>
> cheers,
> lukas
>
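The firewall policy the thread argues about, written out as an added example that is not part of any message above: a Linux nftables forward chain for the box between the DMZ and the green zone, with the direction-only rules Himer describes commented out beside an explicit per-service policy of the kind Lukas recommends. The interface names (dmz0, green0), the addresses (RFC 5737 documentation ranges) and the backend port 8080 are assumptions for illustration.

```nft
# Added example, not from the thread: nftables forward policy between a DMZ
# segment and an internal ("green") segment. Interface names, addresses and
# the backend port are constructed for this illustration.

table inet zones {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to a connection already accepted below are let
        # through regardless of which side opened it.
        ct state established,related accept

        # --- Direction-only policy as described in the thread ---------------
        # Only who DIALS is controlled: green may open anything towards the
        # DMZ, the DMZ may open nothing towards green. Once a green host has
        # connected to a DMZ host, the "established" rule above carries
        # whatever the two endpoints exchange, so an application-level
        # reverse tunnel over that session is a DMZ->green request channel the
        # firewall never sees as such. This is the "less direct" path Lukas
        # refers to.
        # iifname "green0" oifname "dmz0" ct state new accept
        # iifname "dmz0" oifname "green0" drop

        # --- Explicit policy --------------------------------------------------
        # Expose exactly the one backend service the DMZ front end needs, from
        # the one DMZ host that needs it, to the one green host that serves it.
        iifname "dmz0" oifname "green0" ip saddr 192.0.2.10 ip daddr 198.51.100.20 tcp dport 8080 ct state new accept

        # Green->DMZ is restricted just as tightly, here SSH from a single
        # management host, so an arbitrary outbound session cannot be
        # repurposed as a tunnel.
        iifname "green0" oifname "dmz0" ip saddr 198.51.100.5 tcp dport 22 ct state new accept

        # Everything else between the two segments is logged and dropped;
        # the prefixes make the denied flows easy to pick out of the kernel log.
        iifname "dmz0" oifname "green0" log prefix "dmz-to-green-denied: " drop
        iifname "green0" oifname "dmz0" log prefix "green-to-dmz-denied: " drop
    }
}
```

Loaded with `nft -f`, the explicit version encodes the real requirement (one front end talks to one backend on one port) rather than a direction of initiation, which is the distinction the thread turns on: a VPN or reverse tunnel as suggested above also opens a DMZ-to-green path, it just does so outside the firewall's view and without the log line that tells you when something in the DMZ starts talking to a host it should not.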

