Ashish,

Thanks for the reply.

In fact most of the requests come from external network over the Internet.

The idea is that if a hacker makes it into the DMZ, he should not be able
to open any connections to the internal network. Therefore, the
firewall sitting between the DMZ and internal network is configured to
block all incoming connections to the internal network, but allows
connections to the DMZ from the internal network. As said before,
systems in the DMZ will not contain any data of any sort, so there is
not much for the hacker out there.

Here is what I'm thinking...

The Services (FTP/S, SFTP, HTTP/S) in the internal network need to
know their DMZ gateways/proxies.
During startup of these services, they initiate a connection or a few
connections to the DMZ Gateway. These connections can later be used
for bi-directional communication between the server in the DMZ and the
actual Service sitting in the internal network.
When a connection from external client comes in, it is routed to the
system in the DMZ. At this point, the DMZ already has pre-established
connection(s) so it can send some messages to the internal network
such as a new client just connected. Based on the message the DMZ
sends, the internal network may open one or more connections.

As far as proxying goes, it is probably going to be a lot easier for
HTTP/SFTP, but for FTP/FTPS, the data connection handling could become
trickier. In order to handle the data connection in FTP, this Gateway
must also filter the packets sent/received. Is that correct?

Hope this all makes sense. I've read somewhere on the Internet that
this kind of thing can be accomplished with reverse-proxying. Do you
guys have any idea on what it means and how it can be implemented? I
appreciate any other ideas that you may come up with.

Regards,
Sai Pullabhotla

On Wed, Dec 16, 2009 at 10:03 PM, Ashish <[email protected]> wrote:
> On Wed, Dec 16, 2009 at 7:48 PM, Sai Pullabhotla
> <[email protected]> wrote:
>> Dear Fellow Developers,
>>
>> I thought this developers group can provide me with some ideas on
>> building a DMZ Gateway. Basically, our company has developed a MFT
>> (Managed File Transfer) product, which has FTP/S, SFTP and HTTPS
>> services for letting trading partners get/put files. Lately we have
>> been getting requests from our customers and prospects that they do
>> not want to store any data or credentials in the DMZ. In other words,
>> they want all these services running in the internal network. However,
>> when a trading partner wants to exchange file(s), they will be given
>> an external address which will be routed to a system in the DMZ. The
>> system in the DMZ need not know how to validate the credentials or
>> need to store any data (files). No connections should be made from the
>> system in DMZ to the system(s) in the internal network. However,
>
> If this can't happen, how would you handle the request coming from
> external network?
> or it would always be initiated from internal network?
>
>> systems in the internal network can initiate a connection to a system
>> in the DMZ. The system in the DMZ should basically act as a Proxy for
>> various protocols where as the systems in the internal network do the
>> actual work. At this point I'm looking for various techniques to
>> implement this kind of a system. I appreciate any help you guys could
>> offer.
>
> Won't our proxy example be a good place to start?
>
>> Regards,
>> Sai Pullabhotla
>>
>
>
>
> --
> thanks
> ashish
>
> Blog: http://www.ashishpaliwal.com/blog
> My Photo Galleries: http://www.pbase.com/ashishpaliwal
>

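The reverse-connection scheme sketched in the reply above (internal service dials out to the DMZ on startup, gateway signals "new client" over that channel, internal side opens one more outbound connection per client, gateway splices the two), worked through as a runnable illustration. This is an added example, not code from the MFT product or from the proxy example Ashish refers to. The "CONTROL"/"DATA <id>"/"NEW <id>" line protocol, the single internal-facing listener, the loopback ports and the `partner1` credentials are all assumptions made for the demo; the toy application protocol (one login line, one command line) stands in for the real FTP/SFTP/HTTPS services.

```python
import asyncio

# Constructed demo credentials. They exist only inside the internal service;
# the DMZ gateway never sees them and stores nothing.
INTERNAL_USERS = {"partner1": "s3cret"}  # hypothetical


async def pump(reader, writer):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


class DmzGateway:
    """Runs in the DMZ. Accepts external clients and pairs each one with a
    connection the internal service opened *to* the gateway; it never dials
    inward and holds no files or credentials."""

    def __init__(self):
        self.control = None   # writer of the long-lived internal control connection
        self.pending = {}     # session id -> (reader, writer) of a waiting external client
        self.next_id = 0

    async def on_internal(self, reader, writer):
        # Every connection on this listener was initiated from the internal network.
        # Its first line says whether it is the control channel or a data channel.
        line = (await reader.readline()).decode().strip()
        if line == "CONTROL":
            self.control = writer
            await reader.read()          # block until the internal service hangs up
            self.control = None
            writer.close()
        elif line.startswith("DATA "):
            ext = self.pending.pop(line.split()[1], None)
            if ext is None:
                writer.close()
                return
            ext_reader, ext_writer = ext
            # Splice external client <-> internally-initiated data connection.
            await asyncio.gather(pump(ext_reader, writer), pump(reader, ext_writer))
        else:
            writer.close()

    async def on_external(self, reader, writer):
        if self.control is None:         # no internal service attached: refuse
            writer.close()
            return
        sid = str(self.next_id)
        self.next_id += 1
        self.pending[sid] = (reader, writer)
        self.control.write(f"NEW {sid}\n".encode())   # "a new client just connected"
        await self.control.drain()


class InternalService:
    """Runs in the internal network. Only ever dials out to the gateway."""

    def __init__(self, host, port):
        self.gw = (host, port)
        self.tasks = set()

    async def run(self):
        reader, writer = await asyncio.open_connection(*self.gw)
        writer.write(b"CONTROL\n")
        await writer.drain()
        try:
            while line := await reader.readline():
                cmd, sid = line.decode().split()
                if cmd == "NEW":         # one more outbound connection per new client
                    t = asyncio.create_task(self.serve(sid))
                    self.tasks.add(t)
                    t.add_done_callback(self.tasks.discard)
        finally:
            writer.close()

    async def serve(self, sid):
        reader, writer = await asyncio.open_connection(*self.gw)
        writer.write(f"DATA {sid}\n".encode())
        await writer.drain()
        # Toy application protocol (constructed): "<user> <password>\n", then one command line.
        user, _, password = (await reader.readline()).decode().strip().partition(" ")
        if INTERNAL_USERS.get(user) != password:
            writer.write(b"530 Login incorrect\n")
        else:
            command = (await reader.readline()).decode().strip()
            writer.write(f"200 {user}: {command.upper()}\n".encode())
        await writer.drain()
        writer.close()


async def demo(client_lines):
    """Start gateway and service on loopback, act as an external client,
    and return the first reply line the client receives."""
    gw = DmzGateway()
    internal_srv = await asyncio.start_server(gw.on_internal, "127.0.0.1", 0)
    external_srv = await asyncio.start_server(gw.on_external, "127.0.0.1", 0)
    internal_port = internal_srv.sockets[0].getsockname()[1]
    external_port = external_srv.sockets[0].getsockname()[1]
    svc = asyncio.create_task(InternalService("127.0.0.1", internal_port).run())
    while gw.control is None:            # wait for the outbound control connection
        await asyncio.sleep(0.01)
    reader, writer = await asyncio.open_connection("127.0.0.1", external_port)
    writer.write("".join(l + "\n" for l in client_lines).encode())
    await writer.drain()
    reply = (await asyncio.wait_for(reader.readline(), 5)).decode().strip()
    writer.close()
    svc.cancel()
    internal_srv.close()
    external_srv.close()
    return reply


def run(client_lines):
    return asyncio.run(demo(client_lines))


if __name__ == "__main__":
    print(run(["partner1 s3cret", "list /inbox"]))   # 200 partner1: LIST /INBOX
    print(run(["partner1 wrong"]))                   # 530 Login incorrect
```

Two things the demo leaves out that a real gateway needs: the internal-facing listener must accept only the internal network (firewall rule plus, ideally, mutual TLS on the control and data channels, since anyone who can reach that port can otherwise claim a session id), and for FTP the same pairing has to be repeated for every data connection, which means the gateway must parse the PASV/PORT exchange to learn which port to accept on before it can splice it.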