I see a lot of threads on this topic, but I'm still confused, so apologies if this is "obvious" (I'm not a network engineer).

Currently we have a two-zone DMZ/LAN setup. No traffic is allowed from DMZ to LAN but is allowed from the LAN to the DMZ.

I need to allow certain web applications on the LAN to be reachable from the Internet. From what I gather, the best way to do this is through a reverse proxy (in the DMZ?).

However, if I can't reach the internal network from the DMZ, how am I supposed to redirect traffic from the DMZ to the LAN? I'm assuming I would need to open ports 80/443 from the DMZ to the LAN. This seems to break the entire DMZ directive of not allowing any traffic to flow from the DMZ to the LAN.

In the simplest terms possible, how is this solved? Do I recognize the risks and simply allow only those two ports from the DMZ to the LAN, or do I introduce an intermediary zone for the reverse proxy (which, in my mind, would introduce the same security risks, no?)?

Dynde
  • The best way would be to move the applications that need to be reachable from the internet into the DMZ. – Gerald Schneider Jul 29 '19 at 09:12
  • But that would defeat the purpose of a DMZ if those applications depend on data that needs to stay on the internal LAN? – Dynde Jul 29 '19 at 09:30
  • 1
    Well, either you create a tunnel that allows access to the internal LAN, or you move it into the DMZ. Common is also a second DMZ and a firewall that only exposes the needed services to selected hosts in the DMZ. – Gerald Schneider Jul 29 '19 at 09:43
  • A tunnel is basically what a reverse proxy in the DMZ with open ports 80/443 to the internal LAN is - correct? The second DMZ is my second point, with an intermediary zone, but how is that more secure than simply opening the ports directly from the DMZ to the LAN? There'd still be open ports 80/443 from DMZ > DMZ 2 > LAN? Or am I missing something? – Dynde Jul 29 '19 at 10:46
  • Could you clarify on the type or what the application / data is that needs to be reachable? @Dynde – Timothy Frew Jul 29 '19 at 14:19
  • It is a range of applications and data, mostly REST APIs which deal with internal and (in some cases) sensitive data. Authentication/authorization for these APIs is robust and well-built so while it does represent a security risk, I'm not worried about vulnerabilities here. More so in the server/network layout. I don't like opening ports from DMZ to internal LAN, but it seems to me, it really is the only way to do this. I don't understand what security the extra DMZ zone for the reverse proxy provides. – Dynde Jul 30 '19 at 08:18
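The comments describe the usual compromise without showing what the firewall policy actually looks like: the DMZ to LAN direction stays default-deny, and the reverse proxy gets a single pinhole scoped to one source address, a named set of backend hosts and one port. The nftables ruleset below is an added example illustrating that policy; it is not from the original question or any of the commenters. The interface names (wan0, dmz0, lan0), the proxy address 192.0.2.10 and the backend addresses 10.10.0.21 and 10.10.0.22 are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumed layout:
#   wan0 = Internet-facing interface, dmz0 = DMZ segment, lan0 = internal LAN
#   192.0.2.10              = reverse proxy in the DMZ (assumed)
#   10.10.0.21, 10.10.0.22  = internal web application hosts on the LAN (assumed)
flush ruleset

table inet zones {
    # The only LAN hosts the proxy is ever allowed to reach.
    set lan_web_backends {
        type ipv4_addr
        elements = { 10.10.0.21, 10.10.0.22 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already permitted below. Because this
        # is state-based, a LAN -> DMZ connection does not let the DMZ host
        # open anything new towards the LAN.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the proxy, only HTTPS.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 443 ct state new accept

        # LAN -> DMZ: permitted, matching the existing two-zone policy.
        iifname "lan0" oifname "dmz0" ct state new accept

        # DMZ -> LAN: the single pinhole. One source address, the named
        # backend set, one port. A compromised proxy can initiate TCP/443 to
        # these two hosts and nothing else; every other DMZ host has no path.
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.10 ip daddr @lan_web_backends tcp dport 443 ct state new accept

        # Everything else from the DMZ towards the LAN is logged and dropped,
        # so an attacker probing from the proxy shows up in the firewall log.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-drop: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. A useful check is to attempt a connection to 10.10.0.21:443 from a DMZ host other than the proxy: it should fail and produce a `dmz-to-lan-drop:` log entry, while the same connection from 192.0.2.10 succeeds. Seen this way, the pinhole is not "opening the DMZ to the LAN"; the exposure is exactly the proxy-to-backend web traffic that the application needs. A separate zone for the proxy adds to this by putting the proxy on its own segment, so that a compromise of any other DMZ service does not land an attacker on the same network as the one host that holds a path inwards.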

0 Answers