Http/https Network Security Application Analysis

Source: Internet
Author: User

Web servers are the most common targets of attacks in enterprises, so how web servers are designed and deployed on the company network is a topic worth exploring. Let's talk about it. First, look at the figure.

[Figure: two-layer web design topology]

This is a simple two-layer web design. Consider it from the attacker's side: if the web server and the Application Data Server sit in the same network segment, the attacker only has to get past the firewall or compromise the web server once in order to talk to the application data directly. In other words, once the web server is taken, the attacker can reach the Application Data Server in the same segment with no further effort, even with a PVLAN in place, and the benefit of server segmentation is obviously lost. The best practice is to place each server on its own firewall interface, so that even if the web server is compromised, the attacker still has to go back through the firewall to attack the application data server. That is the point of this topology, and the ACLs below implement it.

Inbound direction of the internal interface

access-list 101 deny tcp any host 192.0.3.10 eq www
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 443

Inbound direction of the external interface

access-list 102 permit tcp any host 192.0.2.55 eq www
access-list 102 permit tcp any host 192.0.2.55 eq 443
access-list 102 deny tcp any host 192.0.3.10 eq www
access-list 102 deny tcp any host 192.0.3.10 eq 443

Inbound direction of p1

access-list 103 permit tcp host 192.0.2.55 host 192.0.3.10 eq www
access-list 103 permit tcp host 192.0.2.55 host 192.0.3.10 eq 443
access-list 103 deny tcp any any
access-list 103 deny tcp any any eq www
access-list 103 deny tcp any any eq 443


Inbound direction of p2

access-list 104 permit tcp host 192.0.3.10 host 192.0.2.55 eq www
access-list 104 deny tcp any any eq www
access-list 104 deny tcp any any eq 443

Let's look at the three-layer web design case.

[Figure: three-layer web design topology]

Design requirements:

1. Only external networks may access the web server.
2. The web server may access the Application Data Server.
3. The application server responds only to requests from the web server.
4. The application server may send requests to the Database Server.
5. The database server responds only to the application server.
6. The internal network may access only web services.

Inbound direction of the FW-1 external interface

access-list 101 permit tcp any host 192.0.2.53 eq 80
access-list 101 permit tcp any host 192.0.2.53 eq 443
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443

Inbound direction of the FW-1 boundary interface

access-list 102 permit tcp host 192.0.2.53 host 192.0.3.3 eq 80
access-list 102 deny tcp any any eq 80
access-list 102 deny tcp any any eq 443
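Before deploying ACLs like the ones above, it is worth checking on paper that they really enforce the design requirements. The following is an added Python example, not code from the original article: it parses Cisco-style extended ACL lines of the form used on this page (for both the two-layer and three-layer designs) and evaluates a packet against them with first-match and implicit-deny semantics. The embedded ACL text is taken from the FW-1 entries above; the tester source addresses such as 203.0.113.9 and 192.0.2.99 are constructed.

```python
import ipaddress

# Constructed sample: the FW-1 external-interface and boundary-interface ACLs from the three-tier design.
FW1_EXTERNAL_IN = """
access-list 101 permit tcp any host 192.0.2.53 eq 80
access-list 101 permit tcp any host 192.0.2.53 eq 443
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
"""
FW1_BOUNDARY_IN = """
access-list 102 permit tcp host 192.0.2.53 host 192.0.3.3 eq 80
access-list 102 deny tcp any any eq 80
access-list 102 deny tcp any any eq 443
"""
PORT_NAMES = {"www": 80}  # IOS port keyword used on this page

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care, so invert it into a netmask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny tcp SRC DST [eq PORT]' lines, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.lower().split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "tcp":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((tokens[2], src, dst, port))
    return rules

def evaluate(rules, src_ip, dst_ip, dst_port):
    """First matching entry wins; a packet that matches nothing falls to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, port in rules:
        if s in src and d in dst and port in (None, dst_port):
            return action
    return "deny"
```

Running evaluate() with an Internet source against the application server, or with the web server against a port other than 80, returns "deny", which is exactly requirements 1 and 3 from the list above.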

Inbound direction of the FW-1 internal boundary interface
