
We are setting up a PCI-compliant infrastructure where most of our applications are running in a DMZ (demilitarised zone) that contains no sensitive information. The part that contains sensitive information is secured in a private subnet.

We have two issues.

The first is that some requests coming in will contain sensitive information. Our solution to this is to create a reverse-proxy within the secured network (not in the DMZ - hence the proxy will be subject to auditing) that will route the request either to the DMZ or the secure private subnet.

If the request goes to the secure network, the secure network will store the sensitive information and then route the request to the DMZ without that information to continue processing. Should we do this, would the DMZ be able to return a response to the user via the proxy?

The problem with this is that the proxy will be public facing. It will not store sensitive information, but that information will pass through it; hence, it will be subject to auditing and security.

The second issue is that we have a specific file that needs to be served from a PCI-compliant server. Since our compliant servers are in a private network, how can we do this? Should we create one small public-facing server to serve this file? What are other solutions to this issue?

Thank you,

darksky
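The route-then-strip flow described in the question, as an added illustration that is not part of the original post: the front proxy sends any request carrying cardholder fields to the secure zone, the secure zone parks those fields in a vault under a random token, and only the tokenised request reaches the DMZ, whose response travels back through the same proxy. It assumes a JSON-style request body, a constructed list of sensitive field names (card_number, cvv, expiry) and an in-memory dict standing in for the secure-zone vault.

```python
import secrets

# Constructed field list for this example; a real deployment derives it from
# its data-classification work, not from this snippet.
SENSITIVE_FIELDS = ("card_number", "cvv", "expiry")

# Stand-in for the vault living in the secured subnet (in-memory so the example
# runs offline; in production this is a hardened, audited store).
_vault = {}


def route_for(request):
    """Front-proxy decision: 'secure' if any sensitive field is present,
    otherwise the request can go straight to the 'dmz'."""
    return "secure" if any(k in request for k in SENSITIVE_FIELDS) else "dmz"


def tokenize(request):
    """Secure-zone step: move the sensitive fields into the vault under a
    fresh random token and return (token, stripped request) for the DMZ."""
    token = secrets.token_urlsafe(16)
    _vault[token] = {k: request[k] for k in SENSITIVE_FIELDS if k in request}
    stripped = {k: v for k, v in request.items() if k not in SENSITIVE_FIELDS}
    stripped["payment_token"] = token  # opaque reference the DMZ may keep
    return token, stripped


def dmz_handle(request):
    """Stand-in DMZ application: it only ever sees the token, never the PAN."""
    assert not any(k in request for k in SENSITIVE_FIELDS), "PAN leaked into DMZ"
    return {"status": "accepted",
            "order": request.get("order_id"),
            "ref": request.get("payment_token")}


def handle_inbound(request):
    """Front proxy: route, strip in the secure zone when needed, forward to
    the DMZ, and relay the DMZ's response back to the client."""
    if route_for(request) == "secure":
        _, request = tokenize(request)
    return dmz_handle(request)


if __name__ == "__main__":
    # Constructed sample request using a well-known test card number.
    sample = {"order_id": "A1", "card_number": "4111111111111111", "cvv": "123"}
    print(handle_inbound(sample))
```

The `assert` in `dmz_handle` is the check a practitioner would keep as a real guard (or a log-and-reject) at the DMZ boundary, since the whole scheme depends on the stripping step never being bypassed.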
