
I'm not an application developer - I'll start off with that caveat.

In brief: our development team have asked me to open a series of ports from WAN to LAN, completely bypassing our DMZ. They say this is fine because their API secures the connection first from two web servers in the DMZ (using Diffie-Hellman, but that's another story), but we're a little unsure that having open ports from WAN to LAN can ever be secure. Can anyone enlighten me on the viability of this from a security standpoint?

Should not the end user always communicate to the DMZ and then a server within this do all the communication to any internal servers?

Dan

1 Answer


The very idea of having a DMZ zone is to protect the LAN from direct access from the Internet. This means the services/servers that require user access from the Internet to function (like web servers, e-mail servers etc.) are put on a separate network and allowed controlled access from outside. Having a separate network segment (DMZ) makes it possible to apply different firewall policies to different segments and to control access from one segment to the other. This also makes extensive monitoring of the vulnerable segment possible, and in case of a security breach the internal LAN segments may stay secure.

Therefore, if your organization already has a DMZ network and a policy in place, then the new proposal simply violates the very idea of having network segmentation for security and needs to be scrutinized thoroughly. Maybe an alternative solution that keeps the existing network architecture is possible.

Diamond
  • Can they realistically secure a connection of this type, though? I mean, we can tell them to rewrite the system as a last resort, but I can imagine that would not go down well. – Dan Mar 01 '16 at 10:24
  • Sorry, can't comment on that. I mean, of course there are technologies to secure communication. But then again, you are violating your own security policy by allowing direct access to the LAN. So it is up to the organization to decide for themselves whether to compromise or not. Security often costs money, time and comfort. But every organization has different needs and should decide considering all possible options in hand. – Diamond Mar 01 '16 at 10:56
  • Well, I suppose best effort will have to do for the interim: enforced strong SSL and a better key exchange. We have raised our concerns, and we can have our pen testers give it a proper look over next time they are in. – Dan Mar 01 '16 at 13:40
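The following is an added example, not code from the question or the answer above. It models the segmented policy the answer describes (Internet reaches only the DMZ, the DMZ reaches only the specific internal service it needs, everything else is dropped by default) beside the proposed exception that lets WAN traffic reach the LAN directly, and then enumerates what each zone can open connections to. All host names, ports and rules are hypothetical and constructed for illustration; the point is the reachability check a reviewer would run before approving the firewall change.

```python
"""Zone-based firewall policy model: WAN / DMZ / LAN.

Rules are evaluated first-match with an implicit default deny, the same
semantics most stateful firewalls apply to new connections.  Hosts, ports
and rules are constructed examples, not a description of any real network.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str                  # ANY or a specific host name
    dst_port: Union[int, str]      # ANY or a TCP port
    action: str                    # "accept" or "drop"

    def matches(self, src_zone: str, dst_zone: str, dst_host: str, dst_port: int) -> bool:
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and self.dst_host in (ANY, dst_host)
                and self.dst_port in (ANY, dst_port))


def evaluate(policy: List[Rule], src_zone: str, dst_zone: str, dst_host: str, dst_port: int) -> str:
    """First matching rule wins; no match at all means drop (default deny)."""
    for rule in policy:
        if rule.matches(src_zone, dst_zone, dst_host, dst_port):
            return rule.action
    return "drop"


Target = Tuple[str, str, int]   # (zone, host, port)

# Hypothetical services: two web servers in the DMZ, three internal hosts.
TARGETS: List[Target] = [
    ("DMZ", "web1", 443),
    ("DMZ", "web2", 443),
    ("LAN", "api", 8443),    # the internal API the developers want reachable
    ("LAN", "db", 5432),
    ("LAN", "files", 445),
]

# Existing segmented policy: Internet -> DMZ web tier only; DMZ -> one
# internal service only.  Nothing from WAN may touch the LAN directly.
DMZ_POLICY: List[Rule] = [
    Rule("WAN", "DMZ", ANY, 443, "accept"),
    Rule("DMZ", "LAN", "api", 8443, "accept"),
]

# The proposed change: the same policy plus a direct WAN -> LAN hole for the
# API ports (8443 and 8444 are stand-ins for the "series of ports").
PROPOSED_POLICY: List[Rule] = DMZ_POLICY + [
    Rule("WAN", "LAN", "api", 8443, "accept"),
    Rule("WAN", "LAN", "api", 8444, "accept"),
]


def reachable(policy: List[Rule], src_zone: str, targets: List[Target] = TARGETS) -> List[Target]:
    """Targets to which the source zone can open a new connection under this policy."""
    return [t for t in targets if evaluate(policy, src_zone, *t) == "accept"]


def segmentation_violations(policy: List[Rule], targets: List[Target] = TARGETS) -> List[Target]:
    """LAN targets directly reachable from WAN.  A segmented design expects an empty list."""
    return [t for t in reachable(policy, "WAN", targets) if t[0] == "LAN"]


if __name__ == "__main__":
    for name, policy in (("current", DMZ_POLICY), ("proposed", PROPOSED_POLICY)):
        print(f"{name}: WAN reaches {reachable(policy, 'WAN')}")
        print(f"{name}: DMZ reaches {reachable(policy, 'DMZ')}")
        print(f"{name}: WAN->LAN violations {segmentation_violations(policy)}")
```

Under the existing policy `segmentation_violations` is empty and a compromised DMZ web server can only ever reach `api:8443`; under the proposed policy the internal API host is exposed to the whole Internet, so any flaw in its TLS termination, key exchange or request handling is reachable without first getting through the DMZ. Running this kind of check against the real ruleset (or its export) is a cheap way to make the trade-off the answer describes visible to the people asking for the change.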