Proper DMZ configuration and use



  • The development team requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

    If the client machine is not configured with the proxy setting, then they can browse all other sites except the web server. If they configure the proxy setting in the client machine, they should reach the server. This is their exact requirement: to test that their application is working fine if a proxy is configured.


  • Service Provider

    @JaredBusch said in Need Suggestion:

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @scottalanmiller said in Need Suggestion:

    What is your goal in that diagram?

    Showing that it is a LAN device that he wants to use the proxy.

    So are DMZs just not a thing anymore?

    I'm curious what the proxy provides in this case?

    DMZ is a lazy answer, and should never be used.

    I don't agree there. DMZs are great but for a different purpose. A DMZ is fine but could never replace the purpose or value of a proxy. Different things. A DMZ instead of other security would indeed be lazy. Generally unneeded. But as long as it is extra, it's fine.


  • Service Provider

    @sreekumarpg said in Need Suggestion:

    The development team requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

    If the client machine is not configured with the proxy setting, then they can browse all other sites except the web server. If they configure the proxy setting in the client machine, they should reach the server. This is their exact requirement: to test that their application is working fine if a proxy is configured.

    That's totally different to what you are doing here.



  • @JaredBusch said in Need Suggestion:

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @scottalanmiller said in Need Suggestion:

    What is your goal in that diagram?

    Showing that it is a LAN device that he wants to use the proxy.

    So are DMZs just not a thing anymore?

    I'm curious what the proxy provides in this case?

    DMZ is a lazy answer, and should never be used.

    huh - more explanation on that would be great.

    But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

    A DMZ is just dumping everything to a system/subnet. Using a proxy lets you selectively forward on what you want. A proxy gives you a single place to defend and manage, instead of every system on the DMZ subnet.

    A proper DMZ also has firewall rules separating the two networks, so you could skip (read lazy) the firewall on the webhost and only allow traffic to the Proxy. Again, not saying this is needed - actually I bring back my original post.

    @Dashrender said in Need Suggestion:

    So are DMZs just not a thing anymore?



  • @scottalanmiller said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @scottalanmiller said in Need Suggestion:

    What is your goal in that diagram?

    Showing that it is a LAN device that he wants to use the proxy.

    So are DMZs just not a thing anymore?

    I'm curious what the proxy provides in this case?

    DMZ is a lazy answer, and should never be used.

    I don't agree there. DMZs are great but for a different purpose. A DMZ is fine but could never replace the purpose or value of a proxy. Different things. A DMZ instead of other security would indeed be lazy. Generally unneeded. But as long as it is extra, it's fine.

    Please don't misconstrue my question about DMZ to imply that it does all a Proxy can.



  • @sreekumarpg said in Need Suggestion:

    The development team requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

    If the client machine is not configured with the proxy setting, then they can browse all other sites except the web server. If they configure the proxy setting in the client machine, they should reach the server. This is their exact requirement: to test that their application is working fine if a proxy is configured.

    As mentioned, the firewall on the web server needs to block all traffic for web services not coming from the proxy. That should pretty much be it.


  • Service Provider

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @Dashrender said in Need Suggestion:

    @JaredBusch said in Need Suggestion:

    @scottalanmiller said in Need Suggestion:

    What is your goal in that diagram?

    Showing that it is a LAN device that he wants to use the proxy.

    So are DMZs just not a thing anymore?

    I'm curious what the proxy provides in this case?

    DMZ is a lazy answer, and should never be used.

    huh - more explanation on that would be great.

    But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

    A DMZ is just dumping everything to a system/subnet. Using a proxy lets you selectively forward on what you want. A proxy gives you a single place to defend and manage, instead of every system on the DMZ subnet.

    A proper DMZ also has firewall rules separating the two networks, so you could skip (read lazy) the firewall on the webhost and only allow traffic to the Proxy. Again, not saying this is needed - actually I bring back my original post.

    Traditional DMZ design for an app that needed a LAN component was actually always double firewalls with a proxy in between them. So the proxy was normally assumed even in the 1990s.



  • Thanks All

    I will be installing Nginx and will do as per @Dashrender's suggestion.
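An added example of the design the thread settles on (not code posted by anyone in it): a host firewall on the web server that only admits web traffic from the proxy, as @Dashrender suggested, next to an nginx block acting as the proxy that LAN clients point their browser proxy setting at. All addresses, ports and file paths are assumptions.

```shell
# Added example, not code from the thread. Stages an nftables ruleset for
# the web server that admits web traffic only from the proxy, plus an nginx
# forward-proxy block that LAN clients point their browser proxy setting at.
# Addresses, ports and paths are assumptions (192.0.2.x is documentation space).
set -eu

# Web host ruleset: ports 80/443 open only to the proxy; any other attempt
# on those ports is logged (so bypass attempts are visible) and dropped.
web_host_ruleset() {
  proxy_ip=$1
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ip saddr ${proxy_ip} tcp dport { 80, 443 } accept
    tcp dport { 80, 443 } log prefix "web-bypass-attempt: " drop
  }
}
EOF
}

# nginx as a plain-HTTP forward proxy, usable only from the LAN range.
# Stock nginx has no CONNECT support, so this covers http:// test traffic.
nginx_proxy_conf() {
  lan_cidr=$1; resolver=$2
  cat <<EOF
server {
    listen 3128;
    resolver ${resolver};
    allow ${lan_cidr};
    deny all;
    location / {
        proxy_pass http://\$http_host\$request_uri;
    }
}
EOF
}

# Write both files to a staging directory; apply with 'nft -f webhost.nft'
# on the web server and by dropping proxy.conf into nginx's conf.d.
stage_configs() {
  mkdir -p "$1"
  web_host_ruleset 192.0.2.10 > "$1/webhost.nft"
  nginx_proxy_conf 10.0.0.0/8 192.0.2.53 > "$1/proxy.conf"
}

stage_configs "${STAGE_DIR:-$(mktemp -d)}"
```

A client without the proxy setting then hits the web server directly and is dropped (and logged on the web host), while a client pointed at port 3128 on the proxy reaches it, which is exactly the test the development team asked for.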

