Hypothetical internet security question...



Say I have a public website, hosted by a 3rd party company who knows where. Say I have an internal business network with a local intranet portal broadcasting using Apache on an internal server. Right now, that intranet page prompts for domain credentials and authenticates via LDAP to the internal AD server as well. The entire internal network is protected by a Fortigate gateway. VPN access is set up for certain users, but say we are wanting anyone with an AD account to access this portal via the outside web page like they can internally.

Now, say I want to make this internal web portal available through the public website, say www.mydomain.com/portal

What is the *correct* way to do this so that the portal server is not open to hacking along with my AD server? I'm also worried about the entire internal network being hackable from the outside at this point as well. Is this just a huge no-no no matter what?

Thanks!


Normally the webserver would be in a DMZ on your network, or call it a firewalled segment if you will.

So even if it is exploited, it's isolated from the rest of your internal network. There would only be pinholes in the firewall to the rest of your internal network to allow the access it needs to function, for example to check your AD for auth.

You might also want to put in a reverse proxy, which means the outside user talks to the proxy box, which is in the DMZ and isolated as well. This proxy box then talks to your webserver. So would-be attackers never actually have direct access to the webserver.

edit: Keep in mind the DMZ and reverse proxy are still behind a firewall, and the only ports open to them are the ones that need to be. If you're using a reverse proxy, some people feel that it's OK to move the webserver into the internal network. But you can also leave both of them inside the DMZ if you wish.

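The reverse-proxy layout described in the answer above, as an added example that is not from the original thread or from either poster: an Apache httpd vhost on the DMZ proxy box that publishes only `/portal` and forwards it to the internal portal server. The hostname `portal.internal.example`, the certificate paths and the `/portal` path on the backend are assumed placeholders, not values from the post.

```apache
# Added example: DMZ reverse proxy for www.mydomain.com/portal (not the original poster's config).
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.
<VirtualHost *:443>
    ServerName www.mydomain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.mydomain.com.crt     # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/www.mydomain.com.key   # placeholder path

    # Weak setting to avoid: ProxyRequests On turns the box into an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # Backend is reached over TLS inside the DMZ/internal pinhole.
    SSLProxyEngine on

    # Default-deny everything on this vhost ...
    <Location "/">
        Require all denied
    </Location>

    # ... and open only the one path the outside world is meant to reach.
    # The proxy never exposes the portal server's other paths or admin pages.
    <Location "/portal">
        Require all granted
        ProxyPass        "https://portal.internal.example/portal"
        ProxyPassReverse "https://portal.internal.example/portal"
    </Location>

    # Plain error pages so backend stack traces are not relayed to the internet.
    ErrorDocument 502 "Portal temporarily unavailable"
    ErrorDocument 503 "Portal temporarily unavailable"
</VirtualHost>
```

The `<Location>` blocks are evaluated in configuration order, so the default-deny on `/` must come before the grant on `/portal`. The firewall pinholes that pair with this config follow the answer's "only what it needs" rule: Internet to the proxy on TCP 443 only, proxy to the portal server on TCP 443 only, and portal server to the AD server on the LDAP ports it actually uses (389, or 636 for LDAPS). Nothing from the Internet should reach the portal server or the AD server directly, and the proxy itself needs no route to AD.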
