Best cross-firewall client/server application design

Best cross-firewall client/server application design

What is the best cross-firewall client/server application design? Suppose my client/server application may have either side behind a firewall. Does it require a dedicated port? Should we use HTTP tunneling? How should we protect the server from DoD attacks? What about SSL?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

I'm not sure exactly what you are asking for, but I'll take a shot.

First, most applications that require client/server type applications exist in a layered architecture. This means there are external parameter firewalls (packet filtering), DMZ and, finally, a secure bastion firewall on the inside. More important, there is a DMZ in place!!!

Second, you want to connect to an application server in the DMZ, then to the Server. I would not place the database server in the DMZ, but I would place an application service (Web server) in the DMZ. This device should NOT be in a domain (if using an NT network), instead it should be stand alone.

Third, you may HTTPS (SSL) to the DMZ from where ever, thus that connection is encrypted.

Finally, the connection from the DMZ application to the server is the only connection allowed through the firewall to the internal private DMZ or network. I would make this a non-standard port not used by any other application. This connection could be any form of SSL, SSH or other method. When this link is also encrypted, it ensures there is no traffic in clear text.

This would wrap up any malicious code or vulnerabilities. DDOS and other attacks should not penetrate. Also, remember the following actually keep this configuration working:

  • Written policy for all devices and the items below
  • Written incident response plan for when/if an attack makes it through
  • Auditing of firewall and any other logs
  • Use of IDS (a good IDS, with monitoring)
  • Policy for access to these devices
  • OS hardening policy for these devices
  • Auditing of all devices on a regular basis
  • Updates to all OS and applications on a regular basis
  • Don't use Windows unless you have to because of patch-release frequency. If you have enough people this is okay, but if not use a Managed Service such as RipTech, Brinks or Foundstone.
  • Use managed services for IDS, firewalls and network devices if you do not have the manpower. Setting up a good security infrastructure is only as good as the last time you have audited and updated the devices.
  • Last but not least, ensure that management provides support for the entire effort and doesn't consider this the first thing to cut in the time of a budget crunch. The best words to use when/if this occurs is, "Remember Kmart, for they failed to keep IT as a priority and made it a cutting item..."

    For more information on this topic, visit these other SearchSecurity.com resources:
    Best Web Links: Demilitarized zone
    Best Web Links: Firewalls
    Best Web Links: Outsourcing

    • This was first published in February 2002