Internal access to company website in DMZ blocked as best practice - asp.net

My client's network security person is setting up their new website in a DMZ for security. This makes total sense to me. However, she proceeded to say that it's a best practice that the company employees not be able to access the site internally. For example, to check if the site was up, she suggested they use their phone.
Is this a new thing? Does it even make sense? I've never heard of not allowing company employees to access the company website over their internal network before. I'm not a security person, I'm a developer, so if this is right on the money please let me know, it just seemed unusual to me.
Is this a best practice that companies are implementing now? Is it the advised way to go?
Any information is greatly appreciated. I'm just confused and a little stunned.
Thanks!

They should be blocking the Windows domain, directory services and unused ports from the inside network, but should allow the necessary web ports for management. The purpose of the DMZ is to protect your internal network from the public server, not the other way around. You shouldn't have to tell the network security guy that the risk is too low to justify the extra costs associated with monitoring the server from the outside. If your security guy has any experience in network security he'll know that this is standard practice. If not, take it to management and tell them that you need them to pay for another internet connection to monitor your servers, or ask the security guy to make one access list change in his firewall.

A machine in DMZ should not be able to 'connect in' to any machine in your internal network. Machines from your internal network can always connect to the machines in DMZ.
Generally employees have access to the websites (and other services) running in the DMZ, so there is no reason why you should be restricting employees from connecting to your own DMZ machine.
So to answer your questions:
Is this a best practice that companies are implementing now? No.
Is it the advised way to go? This doesn't make you any more secure than you are.
If the rationale behind this restriction is to prevent possible infection of internal machines by malware being distributed by your own website, then how is it more secure than getting infected by malware distributed by a random website?
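The zone policy both answers describe (internal hosts may browse and manage the DMZ host, the internet reaches only the web ports, and the DMZ host never opens connections inward) can be written down and checked before it is typed into a firewall. This is an added illustration, not code from the thread; the zone names, the management ports (SSH/RDP) and the list of directory ports are assumptions.

```python
"""Zone-based DMZ policy modelled as first-match rules with a default deny."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str          # source zone
    dst: str          # destination zone
    ports: frozenset  # allowed destination TCP ports; empty set = any port
    action: str       # "allow" or "deny"


WEB_PORTS = frozenset({80, 443})
MGMT_PORTS = frozenset({22, 3389})   # assumed admin ports for the DMZ host
# Ports the DMZ host must never reach inside: DNS, Kerberos, RPC, LDAP, SMB, LDAPS (assumed list)
DIRECTORY_PORTS = frozenset({53, 88, 135, 389, 445, 636})

# First match wins; anything unmatched falls through to DEFAULT_DENY.
POLICY = [
    Rule("dmz", "internal", frozenset(), "deny"),              # DMZ never initiates inward
    Rule("internet", "dmz", WEB_PORTS, "allow"),               # public reaches the site only
    Rule("internal", "dmz", WEB_PORTS | MGMT_PORTS, "allow"),  # staff browse, admins manage
    Rule("internal", "internet", frozenset(), "allow"),        # ordinary outbound browsing
]
DEFAULT_DENY = Rule("any", "any", frozenset(), "deny")


def evaluate(src_zone: str, dst_zone: str, dst_port: int) -> Rule:
    """Return the first rule matching the flow, or DEFAULT_DENY."""
    for rule in POLICY:
        if rule.src == src_zone and rule.dst == dst_zone:
            if not rule.ports or dst_port in rule.ports:
                return rule
    return DEFAULT_DENY


def decide(src_zone: str, dst_zone: str, dst_port: int) -> str:
    return evaluate(src_zone, dst_zone, dst_port).action


def audit(flows):
    """Evaluate (src, dst, port) flows; returns {flow: action}."""
    return {flow: decide(*flow) for flow in flows}


if __name__ == "__main__":
    sample = [("internal", "dmz", 443), ("internet", "dmz", 443),
              ("dmz", "internal", 445), ("internet", "dmz", 3389)]
    for flow, action in audit(sample).items():
        print(f"{flow[0]:>8} -> {flow[1]:<8} port {flow[2]:<5} {action}")
```

Note that the DMZ-to-internal deny sits first, so even a directory port that some later rule might open by mistake is still blocked from the DMZ side.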

Related

Best practice for setting up a ‘private’ organisation network in the cloud

I am to set up some infrastructure for my company on Google Cloud. Admittedly I don't have much experience with networks and infrastructure.
I want to create some web apps to be deployed on VMs, but I only want employees to be able to access the sites. What is the best practice to achieve this?
I could add a login feature to the web apps, but I'd rather keep the access control centralised instead. Can I set up a VPC that employees can log on to? Or is VPN the best solution here (although VPN is for connecting cloud with on-premise, right?)
I don't have a lot of expertise with GCE and networking, but I saw a solution using Cloud IAP. Maybe this is better than creating VPNs. Look at this link, perhaps it could help you: https://cloud.google.com/iap/docs/tutorial-gce

How to make My PC work as Host Server?

I have an ASP.NET web application that is hosted in IIS on my local machine.
My question is: is there any free or paid method that allows browsing this web application from the internet, using my machine as the host server?
Thanks
The easiest way is to publish it directly onto the internet. You do run the risk of attackers then being able to attack your machine, so you will need to brush up on your security skills. It might be worth looking into one of the free hosting options from AWS, Azure or Google Cloud.
To use your local machine as a web server, first configure it to use a static IP. It's been a while since I've done it on Windows, but this looks about right: http://www.howtogeek.com/howto/19249/how-to-assign-a-static-ip-address-in-xp-vista-or-windows-7/
Next you will need to configure port forwarding on your modem. You want to send all traffic on port 80 to your machine, using its new fixed IP address. If you're using HTTPS as well, configure port 443 to go to your machine. There are too many different modem brands, all of which handle this slightly differently, to offer any more help on this. You will need to read up on your particular modem for step-by-step instructions.
If your internet connection is using a fixed IP, then you can stop here.
If not, or if you just want a domain name, then it's worth signing up for a dynamic DNS service. I use No-IP; it's free, it integrates with my modem and I haven't had any problems with it in the last few years. Once this is in place, you will be able to hit your web server just like a real one, using something like "http://mypc.no-ip.biz/mydemoapp/".
But again, be warned about exposing your machine on the internet. There are nasty people out there who love to hijack other people's computers.
Update:
This should give you some guidance on port forwarding:
http://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/
Try http://www.noip.com. I just logged in and it seemed happy. Otherwise, click through all the settings in your modem looking for DDNS or dynamic DNS. There is usually a drop-down of all the providers that it will talk to. And some providers have apps that you run on your PC, which is easier than working with the modem for some (or for modems that don't support DDNS).

DNS authentication for blocked sites

We're looking to set up some restrictions so employees won't have access to social media sites on workstations. However, some workstations need to have access. One method I've tried was a DNS zone; however, I'm not sure how to authenticate those who need to have this access. Any solution would be greatly appreciated.
What you are trying to achieve is not possible with DNS; what you are looking for is a proxy server. Depending on your environment you can use either Squid Proxy (Linux) or Microsoft Internet Security & Acceleration Server (Windows). Each has its own way of restricting access to certain sites based on users and user groups, so you would need to review the documentation for the specific site you are after, but this should give you a starting point and point you in the right direction.

Why is RDP Considered Less Secure Than LogMeIn or VPN?

I've heard from more than one IT manager that they don't allow users to use RDP to connect to their internal network from the outside, because it's not safe. They claim that if they allowed their users to do so, then anyone from the outside would have access to their network as well.
I'm not getting it. In order to use RDP, you need a user name and password, and you can't get in without it. The same is true for using Gmail, online banking, and any other web service.
So what do they use instead? LogMeIn, or a VPN connection and then internal RDP. VPN also requires a user name and password.
If they're afraid of a brute-force attack, then someone can brute-force the VPN server or LogMeIn just the same. And if these other technologies have lockouts (after x number of failed attempts), then why can't the same be set up for RDP?
Similarly, people always say that VPN is very secure because it uses a "tunnel". I don't fully understand what that means, but regardless, why can't the username and password be cracked the same way as on any website or web service which uses a user name and password?
With proper configuration, RDP is capable of 128-bit RC4 encryption, virtually any port or set of port allocations, and has proven to be relatively bug-free, with only extremely minor flaws ever discovered.
On the other hand, the secure tunnel created in a VPN is far more secure than Remote Desktop. All your data is encrypted for safe transfer from one remote location to another.
Moreover, VPN only allows shared content to be accessed remotely to tighten the security. If your device falls in the wrong hands, they won’t be able to access and manipulate unshared data and resources.
The bottom line is that both RDP and VPN have their own advantages; however, with high security, better performance and manageability, VPN seems to be a clear winner in the competition of Remote Desktop vs VPN service.
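Whichever way remote access is exposed, the brute-force concern raised in the question is handled the same way on the defending side: a lockout threshold on the accounts and detection of failed-logon bursts. The script below is an added example, not from the thread; it scans Windows Security events (ID 4625 = failed logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags any source that reaches the threshold inside a sliding window. The log lines are constructed in a simplified one-line form, and the threshold and window values are assumptions.

```python
"""Flag RDP brute-force bursts in failed-logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, account, source IP
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 4625 10 alice 203.0.113.7
2024-05-01T08:00:03 4625 10 admin 203.0.113.7
2024-05-01T08:00:04 4625 10 administrator 203.0.113.7
2024-05-01T08:00:06 4625 10 bob 203.0.113.7
2024-05-01T08:00:08 4625 10 alice 203.0.113.7
2024-05-01T08:00:09 4624 10 alice 203.0.113.7
2024-05-01T08:05:00 4625 10 carol 198.51.100.20
2024-05-01T09:30:00 4625 10 carol 198.51.100.20
2024-05-01T08:01:00 4625 3 svc 10.0.0.5
"""


def parse(line):
    ts, event_id, logon_type, account, src = line.split()
    return (datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src)


def rdp_failures(events):
    """Keep only failed RemoteInteractive (RDP) logons: event 4625, logon type 10."""
    return [e for e in events if e[1] == 4625 and e[2] == 10]


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failures, distinct_accounts)} for sources whose failed
    RDP logons reach `threshold` inside any sliding `window` (assumed values)."""
    by_src = defaultdict(list)
    for ts, _, _, account, src in sorted(rdp_failures(events)):
        by_src[src].append((ts, account))
    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                      # slide the window forward
            run = attempts[start:end + 1]
            if len(run) >= threshold:
                flagged[src] = (len(run), len({a for _, a in run}))
                break                           # report each source once
    return flagged


def analyse(text, **kw):
    return find_bursts([parse(l) for l in text.splitlines() if l.strip()], **kw)


if __name__ == "__main__":
    for src, (n, accounts) in analyse(SAMPLE_EVENTS).items():
        print(f"{src}: {n} failed RDP logons against {accounts} accounts within the window")
```

The distinct-account count separates a user mistyping a password from password spraying across many accounts, which is the case a lockout policy alone does not surface.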

What is the advantage of using proxy in network for accessing internet?

My college has different proxies for accessing the Internet, like 192.168.0.2/3/4, and also a specific port number. What is the advantage of using this? I also would like to know what exactly happens there. I also heard that my institution has different ISP connections shared over the same network. What is the role of the proxy there?
It will be very easy to know if you understand what proxies do and why they are used generally, which could be found on a magical website called www.google.com. By using a proxy, you get more control over the network because all requests go through there. Your school may want to do stuff like traffic shaping, content filtering etc. Using the proxy server will make sure all requests to the internet are routed there first.
Proxies are good for a few things:
Filtering. By using a proxy, your college can filter out viruses, porn, Facebook or torrent downloads.
Logging. By requiring a username and password, the college can track what you do with your internet time, and can tell you off if you go somewhere you shouldn't, or help you by allowing them to do traffic shaping or other network maintenance.
Line Bonding. For example, if you have two ADSL lines of 5Mb, you can bond those to get a 10Mb line (normally this is done at the gateway stage, and not the proxy, but it is possible to do it at this stage of the network).
Failover. Again, this would normally be done at the gateway/router stage. This detects which lines are active and routes your traffic to those lines.
Network Connectivity. If your college is in turn part of a bigger academic network, this could allow crossing those network boundaries to get internet access.
Although those are valid possibilities, it's probably just for filtering...
In the wider internet, proxies are in use for allowing access to blocked content - like giving China access to Google...