Hello,

Thank you guys for all your feedback,

I do agree with you, and you understood the problem really well: my
security team stayed in 1999,

OK, I'm going to discuss with them to try to change the rules, and I'm
going to show them the comic style picture (really nice, this is exactly
the problem),

Regards,

Himer

2017-06-23 8:54 GMT+02:00 Malcolm Turnbull <malc...@loadbalancer.org>:

> Lukas,
>
> Ha, I like the comment about DMZs being a concept from 1999 :-).
> Sorry if I'm going slightly off topic.
> We put a comic style picture at the bottom of this blog about, “Our
> DMZ is so secure we can’t even get into it!”
> https://www.loadbalancer.org/blog/what-exactly-is-a-reverse-proxy
> I find people are constantly trying to 'work around the DMZ' rather
> than just getting rid of them.
> And don't get me started on bridges:
> https://www.loadbalancer.org/blog/transparent-vs-explicit-proxy-which-method-should-i-use#bridge-mode
>
>
> Malcolm Turnbull
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
>
>  +44 (0)330 380 1064
> malc...@loadbalancer.org
>
>
>
> On 23 June 2017 at 00:05, Lukas Tribus <lu...@gmx.net> wrote:
> > Hello Himer,
> >
> >
> > this is probably not the response you wanna hear ...
> >
> >
> >
> > On 22.06.2017 at 22:47, Himer Martinez wrote:
> >> Hello Guys,
> >>
> >> Sorry to bother you with my specific questions :-)
> >>
> >> Let's imagine a paranoid security team who forbids http and tcp flows
> >> between the dmz zone and the green zone; they estimate that if a hacker
> >> can take control of the dmz zone server then they can access the green zone
> >> from that server, so flows going from the dmz zone to the green zone are
> >> forbidden and blocked by network firewalls,
> >>
> >> First idea : So what I need is to create something like a reverse
> >> tunnel between the green zone and HAProxy,
> >
> > Clarification: what you or your security team is saying is:
> >
> > - a DMZ host establishing a TCP connection to the green zone
> >   is insecure (even if the only open port is HTTP)
> > - a green zone host establishing whatever bidirectional connections
> >   to the DMZ servers is secure
> >
> > Is that a correct interpretation?
> >
> >
> >
> >>
> >> (requests are going from the dmz zone to the green zone with a reverse
> >> connection)
> >
> > So by reverse tunneling you basically circumvent your
> > firewalls and any security policies that may be in place.
> >
> > You are opening the "DMZ --> Green Zone" path, just in a less
> > direct way, and most likely without or with less considerations
> > regarding security.
> >
> >
> >
> >> Forbidden :
> >> Internet --> DMZ --> Green Zone
> >>
> >> Authorized :
> >> Internet --> DMZ <--- Green Zone
> >
> > This is a ridiculous concept. DMZ needs Green Zone data, either move
> > your Green Zone hosts into the DMZ or make the service you need
> > reachable (considering security aspects, of course).
> >
> > By reverse-tunneling you don't gain any security advantage, instead, you
> > are overcomplicating your setup, bypassing most likely restrictive
> > firewalls,
> > opening an attack surface you are not considering.
> >
> >
> >
> >> First idea : So what I need is to create something like a reverse
> >> tunnel between the green zone and HAProxy,
> >
> > What you need to do is analyze your *REAL* requirements, from a security
> > perspective
> > and otherwise, and then build a concept around it.
> >
> > Instead you are slamming a 1999 "perimeter security" concept on your
> > network which
> > doesn't match your requirements and are now trying to circumvent the
> > perimeters,
> > because otherwise you are unable to provide whatever service you need to
> > run.
> >
> >
> > Now to the part that you do wanna hear:
> >
> > How can one best bypass a perimeter firewall that is blocking one
> > direction
> > of traffic but not the other? Use any VPN that you are familiar with, as
> > that is
> > exactly what they are built for. OpenVPN, strongSwan, etc.
> >
> >
> >
> > cheers,
> > lukas
> >
> >
> >
> >
>
