Dual-Server BorderManager Setups
Novell Cool Solutions: Tip
By Craig Johnson
Digg This -
Posted: 6 Sep 2006
For some time I have had a web server in a DMZ between two NBM servers, with the outer NBM server being a reverse proxy for the web server, and the inner NBM server being a forward proxy for our users. We are making some server changes, and I thought now would be a good time to make any changes I can to be the most functional and secure as possible. The web server now needs to communicate with another server on our internal network for data. I would appreciate your comments on the pro's and con's of the way I have it setup versus one of the following:
1. Having the web host on our internal network with just one BM acting as reverse and forward proxy.
2. Keeping both NBM servers, but having the web server on the internal network and still having the outer act as reverse proxy and inner as forward proxy. The web server would be NATed through the inner NBM server.
I know there are probably a multitude of ways to set things up, but I would appreciate any suggestions on the most secure, yet functional.
Setup #1 is the most typical scenario, and the simplest. It's the easiest to manage, and if the web server needs to communicate to other internal servers, it's not really in a true 'DMZ' to begin with.
Setup #2 would work fine as well, but it complicates the scenario with an extra firewall and network segment.
Most secure? Most functional? Those objectives tend to conflict with each other.
First off, consider whether or not you truly have a need to be 'most secure'. What makes the business a target? What make the web server vulnerable?
If the server can be accessed via port 80, it may be subject to some sort of attack via port 80 as well, even through a proxy. However, the reverse proxy at least has the capability of stopping certain types of attacks by use of the signatures in the proxy.cfg file (which have not been updated since the Code Red attacks a few years back).
If you allow port 80 (and/or 443 to the server), reverse proxy is somewhat better security. If it is in a DMZ, and there is no filter exception allowing it to make connections to internal servers, you limit your exposure should the server be compromised. If you have a server inside your network, or in a DMZ and able to connect inside your network from there, you increase the risk somewhat - but maybe you have little to no risk to start with.
I would consider the following options:
1. Plan A - Keep things as they are now, and add some filter exceptions to allow the web server limited connectivity inside your network.
2. Plan B - Move the server inside your network and eliminate one firewall.
3. Plan C - Have a three NIC DMZ with one firewall, with filter exceptions for the web server as needed. At least this eliminates one firewall to maintain.
It's your choice. All are valid and have pros and cons - what you have now is arguably the most secure.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com