    Proper DMZ configuration and use

    • sreekumarpg

      The development team's requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

      If the client machine is not configured with the proxy setting, then they can browse all other sites except the web server. If they configure the proxy setting in the client machine they should reach the server. This is their exact requirement, to test that their application is working fine if a proxy is configured.

      • scottalanmiller @JaredBusch

        @JaredBusch said in Need Suggestion:

        @Dashrender said in Need Suggestion:

        @JaredBusch said in Need Suggestion:

        @scottalanmiller said in Need Suggestion:

        What is your goal in that diagram?

        Showing that it is a LAN device that he wants to use the proxy.

        So are DMZs just not a thing anymore?

        I'm curious what the proxy provides in this case?

        DMZ is a lazy answer, and should never be used.

        I don't agree there. DMZs are great but for a different purpose. A DMZ is fine but could never replace the purpose or value of a proxy. Different things. A DMZ instead of other security would indeed be lazy. Generally unneeded. But as long as it is extra, it's fine.

        • scottalanmiller @sreekumarpg

          @sreekumarpg said in Need Suggestion:

          The development team's requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

          If the client machine is not configured with the proxy setting, then they can browse all other sites except the web server. If they configure the proxy setting in the client machine they should reach the server. This is their exact requirement, to test that their application is working fine if a proxy is configured.

          That's totally different to what you are doing here.

          • Dashrender @JaredBusch

            @JaredBusch said in Need Suggestion:

            @Dashrender said in Need Suggestion:

            @JaredBusch said in Need Suggestion:

            @Dashrender said in Need Suggestion:

            @JaredBusch said in Need Suggestion:

            @scottalanmiller said in Need Suggestion:

            What is your goal in that diagram?

            Showing that it is a LAN device that he wants to use the proxy.

            So are DMZs just not a thing anymore?

            I'm curious what the proxy provides in this case?

            DMZ is a lazy answer, and should never be used.

            huh - more explanation on that would be great.

            But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

            A DMZ is just dumping everything to a system/subnet. Using a proxy lets you selectively forward on what you want. A proxy gives you a single place to defend and manage, instead of every system on the DMZ subnet.

            A proper DMZ also has firewall rules separating the two networks, so you could skip (read lazy) the firewall on the webhost and only allow traffic to the Proxy. Again, not saying this is needed - actually I bring back my original post.

            @Dashrender said in Need Suggestion:

            So are DMZs just not a thing anymore?

            • Dashrender @scottalanmiller

              @scottalanmiller said in Need Suggestion:

              @JaredBusch said in Need Suggestion:

              @Dashrender said in Need Suggestion:

              @JaredBusch said in Need Suggestion:

              @scottalanmiller said in Need Suggestion:

              What is your goal in that diagram?

              Showing that it is a LAN device that he wants to use the proxy.

              So are DMZs just not a thing anymore?

              I'm curious what the proxy provides in this case?

              DMZ is a lazy answer, and should never be used.

              I don't agree there. DMZs are great but for a different purpose. A DMZ is fine but could never replace the purpose or value of a proxy. Different things. A DMZ instead of other security would indeed be lazy. Generally unneeded. But as long as it is extra, it's fine.

              Please don't misconstrue my question about DMZ to imply that it does all a Proxy can.

              • Dashrender @sreekumarpg

                @sreekumarpg said in Need Suggestion:

                The development team's requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

                If the client machine is not configured with the proxy setting, then they can browse all other sites except the web server. If they configure the proxy setting in the client machine they should reach the server. This is their exact requirement, to test that their application is working fine if a proxy is configured.

                As mentioned - the firewall on the webserver needs to block all traffic for webservices not coming from the proxy. That should pretty much be it.

                • scottalanmiller @Dashrender

                  @Dashrender said in Need Suggestion:

                  @JaredBusch said in Need Suggestion:

                  @Dashrender said in Need Suggestion:

                  @JaredBusch said in Need Suggestion:

                  @Dashrender said in Need Suggestion:

                  @JaredBusch said in Need Suggestion:

                  @scottalanmiller said in Need Suggestion:

                  What is your goal in that diagram?

                  Showing that it is a LAN device that he wants to use the proxy.

                  So are DMZs just not a thing anymore?

                  I'm curious what the proxy provides in this case?

                  DMZ is a lazy answer, and should never be used.

                  huh - more explanation on that would be great.

                  But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

                  A DMZ is just dumping everything to a system/subnet. Using a proxy lets you selectively forward on what you want. A proxy gives you a single place to defend and manage, instead of every system on the DMZ subnet.

                  A proper DMZ also has firewall rules separating the two networks, so you could skip (read lazy) the firewall on the webhost and only allow traffic to the Proxy. Again, not saying this is needed - actually I bring back my original post.

                  Traditional DMZ design for an app that needed a LAN component was actually always double firewalls with a proxy in between them. So the proxy was normally assumed even in the 1990s.

                  • sreekumarpg

                    Thanks All

                    I will be installing Nginx and will do as per @Dashrender's suggestion.

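Added example, not written by anyone in the thread: one way to express the rule Dashrender describes (web ports on the web server reachable only from the proxy) as an nftables ruleset for the web server's host firewall. The proxy address 192.0.2.10, the ports 80 and 443, the table name and the loopback exception are assumptions.

```shell
#!/bin/sh
# Added example: render an nftables ruleset for the web server's host firewall
# so that the web ports accept connections only from the proxy.
# Assumed values (not from the thread): proxy address, ports, table name.

PROXY_IP="${PROXY_IP:-192.0.2.10}"   # constructed documentation address
WEB_PORTS="${WEB_PORTS:-80, 443}"

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset for proxy address $1 and port list $2.
# Both values are validated before they are written into the rules.
# Other services (SSH, monitoring) are untouched: policy stays "accept"
# and only the web ports are restricted to the proxy.
render_ruleset() {
    valid_ipv4 "$1" || { echo "invalid proxy address: $1" >&2; return 1; }
    case "$2" in
        ''|*[!0-9,\ ]*) echo "invalid port list: $2" >&2; return 1 ;;
    esac
    cat <<EOF
table inet web_only_via_proxy {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept                       # assumption: local health checks allowed
        ip saddr $1 tcp dport { $2 } accept   # the proxy may reach the web ports
        tcp dport { $2 } counter drop         # every other source is dropped and counted
    }
}
EOF
}

render_ruleset "$PROXY_IP" "$WEB_PORTS"
```

Review the output and load it on the web server with `nft -f`. To confirm the behaviour the developers asked for, request the site from a client once with `curl --noproxy '*'` (should fail) and once with `curl --proxy` pointing at the proxy (should succeed).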