For a DMZ with higher security, use an architecture that consists of an outside firewall, an inside firewall, and a reverse proxy server (RPS). Ideally, the firewalls should be of a different make or model to maintain diversity in the architecture. The inside firewalls should allow only HTTP/HTTPS requests that originate from the RPS and terminate on the web servers. Requests from users to the RPS are load-balanced by RPS Load Balancer A (B), and requests from the RPS to the web servers are load-balanced by Load Balancer 1 (2). The rest of the setup, from the web servers onward, is the same as in the configurations described earlier.

Physical Layout

The following diagram includes these elements:

- Redundant ISP connections for high availability.
- Redundant routers 1 and 2 to connect to the internet.
- Redundant three-prong outside firewalls A and B to perform NAT and connect the corporate network to the DMZ.
- Redundant load balancers A and B to load-balance requests to RPSs 1 and 2.
- Redundant inside firewalls 1 and 2 that provide additional security by moving web servers 1 and 2 out of the DMZ.
- Redundant load balancers 1 and 2 that load-balance requests from RPSs 1 and 2 to web servers 1 and 2.
- Web servers 1 and 2 that communicate with application servers and forward proxy servers (not shown in the diagram).
Logical Layout

Router Setup

| Unit | Router 1 (Active) | Router 2 (Standby) |
| IP Address | 123.123.122.2 | 123.123.122.3 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| VRRP IP Address | 123.123.122.1 | 123.123.122.1 |
| VRRP Priority | 200 | 100 |
| Packet filters (only if available) | Allow only HTTP/HTTPS to the PeopleSoft system. If the PeopleSoft portal is to call outside, allow HTTP/HTTPS to outside from the PeopleSoft system. Allow rules as needed by other non-PeopleSoft systems. | Same as Router 1. |
Outside Firewall Setup

| Unit | Firewall A (Active) | Firewall B (Active) |
| IP Address 1 | 123.123.122.6 | 123.123.122.7 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 1 | 123.123.122.5 | 123.123.122.5 |
| Default Route 1 | 123.123.122.1 | 123.123.122.1 |
| IP Address 2 | 123.123.123.2 | 123.123.123.3 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 2 | 123.123.123.1 | 123.123.123.1 |
| Default Route 2 | None | None |
| IP Address 3 | * | * |
| Subnet Mask 3 | * | * |
| Shared Address 3 | * | * |
| Default Route 3 | None | None |
* Based on the intranet IP address; it can be in the RFC 1918 address space.

Note. Both firewall units have the same security setup.
Access to PIA/Portal from Outside:

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| HTTP | TCP | Any | Any | 123.123.123.100 | 80 | Allow |
| HTTPS | TCP | Any | Any | 123.123.123.100 | 443 | Allow |

Note. Clients connect from ephemeral source ports, so the source port is left as Any and only the destination port is pinned; a rule that also pins the source port to 80 or 443 would drop nearly all legitimate traffic.
Access to Outside from Portal/Application Messaging Service:

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| HTTP | TCP | 123.123.123.50 | Any | Any | Any | Allow |
| HTTPS | TCP | 123.123.123.50 | Any | Any | Any | Allow |
| HTTP | TCP | 123.123.123.60 | Any | Any | Any | Allow |
| HTTPS | TCP | 123.123.123.60 | Any | Any | Any | Allow |
Access to Provider's DNS Server from Local DNS Server:

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| DNS (1) | UDP | Local DNS | Any | Provider's DNS | 53 | Allow |
| DNS (1) | TCP | Local DNS | Any | Provider's DNS | 53 | Allow |

(1) Do not allow the reverse path. For example, do not allow the provider's DNS to initiate connections or push updates to the local DNS; only replies to queries that the local DNS originated should be allowed back through.

Reverse Proxy Server Load Balancer Setup

| Unit | Load Balancer A (Active) | Load Balancer B (Standby) |
| IP Address | 123.123.123.6 | 123.123.123.7 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 123.123.123.5 | 123.123.123.5 |
| Default Route | 123.123.123.1 | 123.123.123.1 |
| Virtual IP (portal.corp.com) | 123.123.123.100 | 123.123.123.100 |
| HTTP Service Port | 80 | 80 |
| HTTPS Service Port | 443 | 443 |
| HTTP Persistence (sticky) | Load Balancer Cookie | Load Balancer Cookie |
| HTTPS Persistence (sticky) | Load Balancer SSL Sticky | Load Balancer SSL Sticky |
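The outside-firewall access rules above (portal inbound, RPS outbound, and the one-way DNS rule) can be checked against sample packets with a small stateful model. This is an added example, not code from the PeopleSoft documentation: 123.123.123.100, 123.123.123.50 and 123.123.123.60 are the RPS load balancer VIP and RPS1/RPS2 from the tables on this page, while LOCAL_DNS, PROVIDER_DNS and the client address 203.0.113.7 are made-up placeholders (the page gives no addresses for them). It shows why the source port is left as Any, and why replies to the DNS query pass while an unsolicited packet from the provider's DNS does not.

```python
"""Stateful model of the outside-firewall access rules on this page.

Added example; not from the PeopleSoft documentation. 123.123.123.100,
.50 and .60 are the RPS load-balancer VIP and RPS1/RPS2 from the tables
above. LOCAL_DNS, PROVIDER_DNS and the client address are made-up
placeholders (the page names no addresses for them).
"""
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

ANY = "any"
Port = Union[int, str]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: Port
    dst: str
    dport: Port
    action: str  # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (ANY, p.src)
                and self.sport in (ANY, p.sport)
                and self.dst in (ANY, p.dst)
                and self.dport in (ANY, p.dport))


LOCAL_DNS = "123.123.123.53"     # assumed address of the local DNS server
PROVIDER_DNS = "198.51.100.53"   # assumed address of the provider's resolver

# Outside-firewall policy: first match wins, implicit deny at the end.
# Source ports are ANY because the initiating side picks an ephemeral port.
OUTSIDE_RULES: List[Rule] = [
    Rule("tcp", ANY, ANY, "123.123.123.100", 80, "allow"),    # PIA/Portal HTTP
    Rule("tcp", ANY, ANY, "123.123.123.100", 443, "allow"),   # PIA/Portal HTTPS
    Rule("tcp", "123.123.123.50", ANY, ANY, ANY, "allow"),    # RPS1 outbound
    Rule("tcp", "123.123.123.60", ANY, ANY, ANY, "allow"),    # RPS2 outbound
    Rule("udp", LOCAL_DNS, ANY, PROVIDER_DNS, 53, "allow"),   # DNS queries
    Rule("tcp", LOCAL_DNS, ANY, PROVIDER_DNS, 53, "allow"),   # DNS over TCP
]

# The portal rules with the source port pinned to the service port, which is
# what a literal reading of "Source Port 80 / 443" would configure.
PINNED_SOURCE_PORT_RULES: List[Rule] = [
    Rule("tcp", ANY, 80, "123.123.123.100", 80, "allow"),
    Rule("tcp", ANY, 443, "123.123.123.100", 443, "allow"),
]


class Firewall:
    """Rule lookup plus a flow table, so replies to permitted connections
    pass without needing a rule for the reverse direction."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "allow"              # reply within a tracked flow
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.flows.add(forward)
                return rule.action
        return "deny"                   # implicit deny


if __name__ == "__main__":
    fw = Firewall(OUTSIDE_RULES)
    client = Packet("tcp", "203.0.113.7", 51515, "123.123.123.100", 443)
    print("client -> portal:", fw.filter(client))
    print("portal -> client reply:",
          fw.filter(Packet("tcp", "123.123.123.100", 443, "203.0.113.7", 51515)))
    print("provider DNS -> local DNS, unsolicited:",
          fw.filter(Packet("udp", PROVIDER_DNS, 53, LOCAL_DNS, 53)))
    print("client against pinned source port:",
          Firewall(PINNED_SOURCE_PORT_RULES).filter(client))
```

The flow table stands in for the connection tracking that a stateful firewall does: the only packets permitted from the provider's DNS are replies to a query the local DNS sent, identified by the reversed 5-tuple. The same query against PINNED_SOURCE_PORT_RULES is dropped, which is the failure mode a source port of 80 or 443 would produce on real hardware.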
Reverse Proxy Server Setup

| Unit | RPS1 | RPS2 |
| IP Address 1 | 123.123.123.50 | 123.123.123.60 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 |
| Default Route 1 | 123.123.123.5 | 123.123.123.5 |
| HTTP Port | 80 | 80 |
| HTTPS Port | 443 | 443 |
Inside Firewall Setup

| Unit | Firewall 1 (Active) | Firewall 2 (Active) |
| IP Address 1 | 123.123.123.16 | 123.123.123.17 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 1 | 123.123.123.15 | 123.123.123.15 |
| Default Route 1 | 123.123.123.1 | 123.123.123.1 |
| IP Address 2 | 10.0.0.2 | 10.0.0.3 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 2 | 10.0.0.1 | 10.0.0.1 |
| Default Route 2 | None | None |
Note. Both firewall units have the same security setup.
Access to PIA/Portal from RPS Only:

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| HTTP | TCP | 123.123.123.50 | Any | 10.0.0.100 | 80 | Allow |
| HTTPS | TCP | 123.123.123.50 | Any | 10.0.0.100 | 443 | Allow |
| HTTP | TCP | 123.123.123.60 | Any | 10.0.0.100 | 80 | Allow |
| HTTPS | TCP | 123.123.123.60 | Any | 10.0.0.100 | 443 | Allow |

Note. The RPS opens these connections from ephemeral source ports, so only the destination port is pinned. Restricting the source IP to RPS1 and RPS2 is what keeps any other DMZ host, including a compromised load balancer or the outside firewall itself, from reaching the web servers.
Access to Outside from Portal/Application Messaging Service:

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| HTTP | TCP | 10.0.0.50 | Any | Any | Any | Allow |
| HTTPS | TCP | 10.0.0.50 | Any | Any | Any | Allow |
| HTTP | TCP | 10.0.0.60 | Any | Any | Any | Allow |
| HTTPS | TCP | 10.0.0.60 | Any | Any | Any | Allow |
Static Address Mapping on Inside Firewall for Inbound NAT:

| External IP Address | Transport Protocol | External Port | Internal Address | Internal Port |
| 123.123.123.100 | TCP | 80 | 10.0.0.100 | 80 |
| 123.123.123.100 | TCP | 443 | 10.0.0.100 | 443 |

Static Address Mapping on Inside Firewall for Outbound Reverse NAT:

| Source IP | Transport Protocol | Source Port | Translated IP | Translated Port |
| 10.0.0.50 | TCP | Any | 123.123.123.50 | Any |
| 10.0.0.60 | TCP | Any | 123.123.123.60 | Any |

Note. As listed, the external addresses in these two mappings are already in use on the inside firewall's DMZ segment: 123.123.123.100 is the RPS load balancer virtual IP, and 123.123.123.50 and 123.123.123.60 are RPS1 and RPS2. The inside firewall cannot answer for those addresses as well, so if the mappings are kept they need addresses on 123.123.123.0/24 that no other unit owns. The RPS-only rules above already reach 10.0.0.100 directly, so inbound NAT is not required for the RPS-to-web-server path.
Web Server Load Balancer Setup

| Unit | Load Balancer 1 (Active) | Load Balancer 2 (Standby) |
| IP Address | 10.0.0.6 | 10.0.0.7 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 10.0.0.5 | 10.0.0.5 |
| Default Route | 10.0.0.1 | 10.0.0.1 |
| Virtual IP (portal.corp.com) | 10.0.0.100 | 10.0.0.100 |
| HTTP Service Port | 80 | 80 |
| HTTPS Service Port | 443 | 443 |
| HTTP Persistence (sticky) | Load Balancer Cookie | Load Balancer Cookie |
| HTTPS Persistence (sticky) | Load Balancer SSL Sticky | Load Balancer SSL Sticky |
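With this many redundant units, shared addresses and NAT mappings, it is worth checking the address plan mechanically before configuring anything. The following is an added example, not code from the PeopleSoft documentation: it copies the addresses from the Router, Firewall, Load Balancer, RPS and NAT tables on this page (the routers' default routes are not given, so they are left unset), and the unit labels and the two checks are this example's own. Run as written it reports the three DMZ-side addresses that the inside-firewall NAT tables reuse.

```python
"""Consistency check for the DMZ address plan on this page.

Added example; not from the PeopleSoft documentation. The addresses are
copied from the Router, Firewall, Load Balancer, RPS and NAT tables above;
the unit labels and the two checks are this example's own.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Interface = Tuple[str, str, int, Optional[str]]   # unit, address, prefix, default route
Owned = Tuple[str, str]                           # owner, address

INTERFACES: List[Interface] = [
    ("Router 1", "123.123.122.2", 24, None),          # default route not given on the page
    ("Router 2", "123.123.122.3", 24, None),
    ("Firewall A", "123.123.122.6", 24, "123.123.122.1"),
    ("Firewall B", "123.123.122.7", 24, "123.123.122.1"),
    ("Firewall A", "123.123.123.2", 24, None),
    ("Firewall B", "123.123.123.3", 24, None),
    ("Load Balancer A", "123.123.123.6", 24, "123.123.123.1"),
    ("Load Balancer B", "123.123.123.7", 24, "123.123.123.1"),
    ("RPS1", "123.123.123.50", 24, "123.123.123.5"),
    ("RPS2", "123.123.123.60", 24, "123.123.123.5"),
    ("Firewall 1", "123.123.123.16", 24, "123.123.123.1"),
    ("Firewall 2", "123.123.123.17", 24, "123.123.123.1"),
    ("Firewall 1", "10.0.0.2", 24, None),
    ("Firewall 2", "10.0.0.3", 24, None),
    ("Load Balancer 1", "10.0.0.6", 24, "10.0.0.1"),
    ("Load Balancer 2", "10.0.0.7", 24, "10.0.0.1"),
]

# Shared (VRRP/HA) and virtual addresses. Each is owned by one pair, so it is
# recorded once under the pair's name rather than once per member.
SHARED: List[Owned] = [
    ("Routers 1/2 VRRP", "123.123.122.1"),
    ("Firewalls A/B shared 1", "123.123.122.5"),
    ("Firewalls A/B shared 2", "123.123.123.1"),
    ("Load Balancers A/B shared", "123.123.123.5"),
    ("Load Balancers A/B VIP", "123.123.123.100"),
    ("Firewalls 1/2 shared 1", "123.123.123.15"),
    ("Firewalls 1/2 shared 2", "10.0.0.1"),
    ("Load Balancers 1/2 shared", "10.0.0.5"),
    ("Load Balancers 1/2 VIP", "10.0.0.100"),
]

# External side of the inside-firewall static NAT tables. The inside firewall
# has to answer for these on its DMZ segment, so they are treated as owned.
INSIDE_FW_NAT_EXTERNAL: List[Owned] = [
    ("NAT for 10.0.0.100", "123.123.123.100"),
    ("NAT for 10.0.0.50", "123.123.123.50"),
    ("NAT for 10.0.0.60", "123.123.123.60"),
]


def check_plan(interfaces: List[Interface] = INTERFACES,
               shared: List[Owned] = SHARED,
               nat: List[Owned] = INSIDE_FW_NAT_EXTERNAL) -> List[str]:
    """Return one finding per problem; an empty list means the plan is clean."""
    findings: List[str] = []

    # 1. No address may be owned by two different units.
    owners: Dict[str, Set[str]] = defaultdict(set)
    for unit, addr, _plen, _gw in interfaces:
        owners[addr].add(unit)
    for owner, addr in list(shared) + list(nat):
        owners[addr].add(owner)
    for addr in sorted(owners, key=ipaddress.ip_address):
        if len(owners[addr]) > 1:
            findings.append(
                f"duplicate address {addr}: {', '.join(sorted(owners[addr]))}")

    # 2. A default route must sit on a directly connected subnet.
    for unit, addr, plen, gw in interfaces:
        if gw is None:
            continue
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if ipaddress.ip_address(gw) not in net:
            findings.append(f"{unit}: default route {gw} is not on {net}")

    return findings


if __name__ == "__main__":
    for line in check_plan() or ["address plan is clean"]:
        print(line)
```

The duplicate check treats a NAT external address exactly like an interface address, because from the segment's point of view it is one: whichever unit answers ARP for it wins, and the other silently loses traffic. Dropping the NAT entries (check_plan(nat=[])) returns no findings, which is what you would expect once the RPS reaches 10.0.0.100 through the routed rules instead.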
Web Server Setup

All other setup, including the web server setup, is the same as in the NAT DMZ configuration.