Ask The Security Expert: Questions & Answers

Best cross-firewall client/server application design

Expert response from: Ed Yakabovicz

QUESTION POSED ON: 14 February 2002
What is the best cross-firewall client/server application design? Suppose my client/server application may have either side behind a firewall. Does it require a dedicated port? Should we use HTTP tunneling? How should we protect the server from DoS attacks? What about SSL?
I'm not sure exactly what you are asking for, but I'll take a shot.

First, most applications that require client/server-type communication exist in a layered architecture. This means there are external perimeter firewalls (packet filtering), a DMZ and, finally, a secure bastion firewall on the inside. More important, there is a DMZ in place!!!

Second, you want to connect to an application server in the DMZ, then to the server. I would not place the database server in the DMZ, but I would place an application service (Web server) in the DMZ. This device should NOT be in a domain (if using an NT network); instead it should be stand-alone.

Third, you may use HTTPS (SSL) to the DMZ from wherever, so that connection is encrypted.

Finally, the connection from the DMZ application to the server is the only connection allowed through the firewall to the internal private DMZ or network. I would make this a non-standard port not used by any other application. This connection could be any form of SSL, SSH or other method. When this link is also encrypted, it ensures there is no traffic in clear text.

This would wrap up any malicious code or vulnerabilities. DDoS and other attacks should not penetrate. Also, remember that the following actually keep this configuration working:

  • Written policy for all devices and the items below
  • Written incident response plan for when/if an attack makes it through
  • Auditing of firewall and any other logs
  • Use of IDS (a good IDS, with monitoring)
  • Policy for access to these devices
  • OS hardening policy for these devices
  • Auditing of all devices on a regular basis
  • Updates to all OS and applications on a regular basis
  • Don't use Windows unless you have to because of patch-release frequency. If you have enough people this is okay, but if not use a Managed Service such as RipTech, Brinks or Foundstone.
  • Use managed services for IDS, firewalls and network devices if you do not have the manpower. Setting up a good security infrastructure is only as good as the last time you have audited and updated the devices.
  • Last but not least, ensure that management provides support for the entire effort and doesn't consider this the first thing to cut in the time of a budget crunch. The best words to use when/if this occurs are, "Remember Kmart, for they failed to keep IT as a priority and made it a cutting item..."
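The layered design the answer describes (Internet client, HTTPS only, to a stand-alone web/application server in the DMZ; one encrypted, non-standard-port connection from that DMZ host to the internal server; everything else denied) can be written down as two small firewall policies and checked against sample traffic. The following is an added example, not part of the expert's answer or any product's configuration: the hosts, addresses (RFC 5737 / RFC 1918 documentation ranges), the port number 48431 and the helper names are all assumptions. The `to_iptables` renderer is illustrative and should be checked against the actual firewall in use. One caveat worth stating plainly: the non-standard port adds nothing by itself; what protects the internal server is that only the DMZ application host may open that one port, and that the link is encrypted.

```python
"""Three-tier firewall policy for the design described in the answer:
Internet -> (perimeter firewall) -> DMZ app server -> (inner firewall) -> internal DB.

Added example, not from the original page. Hosts, addresses and the port
are assumed. Semantics: first matching rule wins, default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology (documentation address ranges).
DMZ_APP = "192.0.2.10"       # stand-alone web/app server in the DMZ
INTERNAL_DB = "10.0.0.20"    # database server on the private network
DB_PORT = 48431              # assumed non-standard port for the TLS/SSH-wrapped DMZ->DB link


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "ACCEPT" or "DROP"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Perimeter firewall: the only thing the Internet may reach is HTTPS on the DMZ app server.
PERIMETER = [
    Rule("client-https-to-dmz", "0.0.0.0/0", f"{DMZ_APP}/32", "tcp", 443, "ACCEPT"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "DROP"),
]

# Inner (bastion) firewall: only the DMZ app host, only to the DB, only on the agreed port.
INNER = [
    Rule("dmz-app-to-db", f"{DMZ_APP}/32", f"{INTERNAL_DB}/32", "tcp", DB_PORT, "ACCEPT"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "DROP"),
]


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First-match evaluation, as an iptables/nftables chain does. Returns (action, rule name)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "DROP", "implicit-deny"  # unreachable with a default-deny rule; kept as a safety net


def to_iptables(chain, rules):
    """Render the rules as iptables commands for a FORWARD-style chain (illustrative only)."""
    lines = [f"iptables -P {chain} DROP"]  # chain policy is the catch-all deny
    for r in rules:
        if r.action == "DROP" and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0":
            continue  # already covered by the chain policy above
        cmd = f"iptables -A {chain} -s {r.src} -d {r.dst}"
        if r.proto != "any":
            cmd += f" -p {r.proto}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        cmd += f" -m conntrack --ctstate NEW -j {r.action}"
        lines.append(cmd)
    return lines


def check_policy():
    """Constructed sample traffic: what each firewall must allow or refuse."""
    client = "203.0.113.5"  # assumed Internet client
    return {
        # Internet client to the DMZ web front end on HTTPS: allowed
        "client->dmz:443": evaluate(PERIMETER, client, DMZ_APP, "tcp", 443)[0],
        # Plain HTTP to the DMZ host: dropped, only the encrypted listener is exposed
        "client->dmz:80": evaluate(PERIMETER, client, DMZ_APP, "tcp", 80)[0],
        # Internet client straight to the DB, even on the "secret" port: dropped at the perimeter
        "client->db:secret": evaluate(PERIMETER, client, INTERNAL_DB, "tcp", DB_PORT)[0],
        # DMZ app host to the DB on the agreed port: allowed
        "dmz->db:secret": evaluate(INNER, DMZ_APP, INTERNAL_DB, "tcp", DB_PORT)[0],
        # DMZ app host to the DB on a vendor default port: dropped
        "dmz->db:1433": evaluate(INNER, DMZ_APP, INTERNAL_DB, "tcp", 1433)[0],
        # A compromised DMZ host pivoting to another internal box: dropped
        "dmz->other-internal:22": evaluate(INNER, DMZ_APP, "10.0.0.21", "tcp", 22)[0],
    }


if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{flow:26} {verdict}")
    print("\n".join(to_iptables("FORWARD", PERIMETER)))
    print("\n".join(to_iptables("FORWARD", INNER)))
```

Running the module prints the verdict for each constructed flow followed by the rendered rule sets. The value of writing the policy this way is the last two checks: they show that the inner firewall, not the DMZ host's own hardening, is what stops a compromised web server from reaching anything but the single port it is meant to use.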