Richard,

The best info I've found is in Cisco's book "Network Security
Architectures", and SANS' "Inside Network Perimeter Security".

The basic rule is: never allow high risk connections to high value
networks. IOW, internet sources shouldn't touch my internal servers. If
a web server needs to be publicly accessed, it goes into a DMZ network
(maybe more accurately termed a "screened subnet") off a firewall. That
server is thoroughly hardened, and does not make connections into the
internal network. If there's a database backend to the web server, that
DB server goes into yet another DMZ. Firewall rules strictly control
connections between DMZs and the private nets. Local OS firewalls and
IPSec policies control connections within the DMZs.

On a single firewall with four interfaces, it might look like this:

Internet ---> |
|--Web server DMZ
|
|--Db server DMZ
|
|--Private nets

You can do similar with multiple firewalls.

DMZ servers are initially configured on a test net, an image of the
final config is taken and saved in escrow, then the server is deployed
into the wild-wild-DMZ. Patches and updates to these servers are handled
manually and carefully logged. (Your sys admins will hate you, but it
beats letting them connect through the firewall to an internal patch
server.) Occasionally the server is pulled from production, and the
escrowed image applied. Then the logged patches are re-applied, arriving
at a new final, production install. A new image is taken, and the
machine re-released into the DMZ.

There are times when it's necessary to allow a public web server to
connect to internal machines. Outlook Web Access comes to mind, in which
the web server "must" be a domain member server. In that case, the web
server is fronted by an application-layer proxy firewall.

The books give multiple examples, discuss web services software
architecture in detail, and address VPN remote access, authentication,
mail and DNS services too.

Good luck.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On
> Behalf Of Ginski, Richard J
> Sent: Thursday, March 20, 2008 11:29 AM
> To: firewall-wizards@listserv.icsalabs.com
> Subject: [fw-wiz] Web Services and Firewall/Network Architecture
>
> Hi All,
>
>
>
> There's talk in our org to directly interface one of our
> back-end servers to provide web services for external
> entities via the Internet. On the surface, this is a risky
> option for me. Although firewall "protected", I don't want a
> "protected device" directly interacting with web service
> "consumers" from the Internet. It sounds like a bad idea to me.
>
> I have been searching around looking for sample diagrams
> (etc) on environments that support Web Services. I am trying
> to determine where stuff goes in this environment and how a
> firewall/DMZ fit into the picture. Can anyone point me to
> where info would be available for this? I've checked the
> archives for the past year and checked at OASIS, W3C, OWASP,
> and XML.com, with no luck. The "web services sites" focus on
> coding practices, coding architecture, and coding frameworks.
> Although very important, it's not the info I am looking for.
> We are trying to determine how web services fit in our
> environment using best practices in network design and
> network security to support web services.
>
>
>
> Any help would be greatly appreciated. TIA!
>
>
>
>

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards