OT: Network Layout


Phillip Ian

This is a bit off-topic, but I figure at least some of us developing
ASP.NET apps sometimes have to get involved with the network layout we
deploy on, and I'm at a loss as to where to find out more info. I'm a
software guy by trade, but sometimes I have to...push the network guys
a bit.

Basically, I've got an app that needs to be accessible from the
internet. The way the network folks want to do it is to put my whole
app on a server outside the firewall, in a subdomain
(myapp.ourdomain.com). We can then poke through the firewall to get me
at the SQL database on the LAN side of things.

To me, this just opens up that whole machine to attack, and since we
have several different apps on different servers, there are several
machines just sitting out there.

Ideally, what I'd like to see is a call such as
http://ourdomain.com/myapp, and all such calls go to ONE server outside
the firewall, and then it pokes through the firewall to feed the web
page or whatever from each of these several servers on the LAN. Now,
there's only one machine accessible to the outside world, and the only
access allowed to cross the firewall is from that machine. Each
virtual directory on the exposed server would simply hand the request
off to the proper server for processing, and return the results.

Is anything like this even possible? And does anyone know where I can
find more information on creating this sort of configuration? I've
browsed msdn.microsoft.com, but I'm not even sure what I'm looking for,
never mind how to find it.

Any input appreciated!
 

clintonG

You sound like a guy that would hold his wife and kids in front of him to
protect himself from danger. What the hell is the matter with your common
sense? The whole idea of putting your machine into a DMZ is to protect the
wife and kids. Get it? Trust your colleagues and work with them.

<%= Clinton Gallagher
METROmilwaukee (sm) "A Regional Information Service"
NET csgallagher AT metromilwaukee.com
URL http://metromilwaukee.com/
URL http://clintongallagher.metromilwaukee.com/
 

Bruce Barker

Yes, it's the firewall in front of your server. Typically only the HTTP(S)
ports will be open. The firewall behind the server is called the
DMZ.

The network guys want the server in front of the DMZ because it may be taken
over through a web request (bug in ASP.NET or IIS). Once taken over, if it's
behind the firewall it has access to the whole internal net; if it's in
front, it can only attack resources allowed through the firewall.

A better approach is to break your app into 2 layers, a presentation layer
running in front of the DMZ, and a backend business layer behind the DMZ.


-- bruce (sqlwork..com)
 
P

Phillip Ian

Thanks, Bruce. I think I'm following that.

I guess I'm just wondering if we can have just one machine in the DMZ,
which redirects incoming requests to the machines inside the firewall,
rather than having to put several servers out in the DMZ, which seems
to be an increased risk.

That way, I could have both public and private apps on the inside web
server, and the server in the DMZ would only let requests in for the
public apps.

Something like:

http://ourdomain.com/publicapp1 <--|--> http://insidefirewall/publicapp1
http://ourdomain.com/publicapp2 <--|--> http://otherinsideserver/publicapp2

And if I have an app (privateapp1) on machine insidefirewall, there
would be no way to get to it from the outside world.

I guess I can simply ask for another server, and put our public apps on
one in the DMZ and keep the private apps on the inside one.

Anyway, thanks for not assuming I hate my wife and kids.

-Phil
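The single-exposed-host layout Phil sketches above (one DMZ machine that maps /publicapp1 and /publicapp2 to LAN servers and refuses everything else) is what a reverse proxy does; this added sketch is not code from the thread, and the hostnames insidefirewall and otherinsideserver are the thread's placeholders. It is a minimal Python stand-in for a product like IIS with URL Rewrite/ARR or nginx, written to make the allow-list and path-normalisation behaviour explicit.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
import urllib.error
import urllib.request

# Constructed allow-list (hostnames are the hypothetical ones from the thread):
# public path prefix on the DMZ host -> origin server on the LAN. Nothing else
# is forwarded, so /privateapp1 on insidefirewall is unreachable from outside.
ROUTES = {
    "/publicapp1": "http://insidefirewall",
    "/publicapp2": "http://otherinsideserver",
}

def route(request_target: str):
    """Map an incoming request path to a backend URL, or None if not public."""
    parts = urlsplit(request_target)
    # Collapse '.' and '..' segments so /publicapp1/../privateapp1 cannot
    # slip past the prefix check and reach a private app.
    segments = []
    for seg in parts.path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    path = "/" + "/".join(segments)
    for prefix, backend in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return backend + path + ("?" + parts.query if parts.query else "")
    return None

class ProxyHandler(BaseHTTPRequestHandler):
    """The single exposed host: relays only allow-listed paths to the LAN."""
    def do_GET(self):
        target = route(self.path)
        if target is None:
            self.send_error(404)  # private or unknown app: never forwarded
            return
        try:
            with urllib.request.urlopen(target, timeout=10) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type", resp.headers.get("Content-Type", "text/html"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.HTTPError as err:
            self.send_error(err.code)  # relay the backend's error status
        except urllib.error.URLError:
            self.send_error(502)  # backend unreachable through the firewall
```

Start it on the DMZ host with `HTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()`; the firewall rule then only needs to allow that one host to reach the listed LAN servers on their web port.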