[opensuse] How do I make DMZ using virtual machines?
I have been googling and reading about using a DMZ, but I have yet to find information adequate to allow me to simulate use of a DMZ using virtual machines. I find it easy to make virtual machines, and have no space for extra hardware.

What I want to do is set up a couple of virtual machines, one representing a web server hosting code that represents the business logic layer and UI of a web application and, since it is data driven, the other hosting the database server. I then want to set up a small VM representing the inner firewall, separating the DMZ from the BL and DB servers. Then there would be another web server set up in the DMZ, and another small VM to serve as the outer firewall (providing a boundary between the rest of the machines on my LAN and the DMZ).

The sources of information I have found so far appear to have presented the concepts well, but they provide little practical information on how to actually make a DMZ. There are several things that are not clear to me.

1) I assume that the two small VMs that serve as my inner and outer firewalls would also act as a kind of bridge, providing routing between my LAN (192.168.2.*) and a subnet (such as 192.168.1.*) representing either my DMZ or the virtual LAN behind the inner firewall; but how is that configured? What tool would I use for that?

2) Does the web server in the DMZ just get configured as some kind of proxy (meaning I only need to configure forwarding in the apache conf files), or do I need to put CGI code on it to validate request data and then forward the request on to the BL server?

3) How do I make ssh work with the DMZ so that I can actually log into the BL and DB servers, for the purpose of administering them? As an aside, how would I ensure that ssh uses only TLS 1.2 or later?

This is for my own experimentation, eventually to support my own coding, for the very near term. But when I deploy to a real host, I suppose I'd have to consult with the hosting provider to configure the provider's firewall(s) to support a DMZ; doing this with virtual machines here, I would expect, will help me understand whatever issues are involved in properly using a DMZ to secure a website.

I would appreciate any links to resources that show how to do all this, or at least a 'to do list' and a list of tools that could be used to complete each task that must be done.

Thanks

Ted
--
R.E.(Ted) Byers, Ph.D.,Ed.D.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Ted Byers wrote:
I have been googling, and reading about using a DMZ. But I have yet to find information adequate to allow me to simulate use of a DMZ using virtual machines. I find it easy to make virtual machines, and have no space for extra hardware. What I want to do is set up a couple virtual machines, representing a web server hosting code that represents the business logic layer and UI of a web application, and since it is data driven, the other hosts the database server. I then want to set up a small VM representing the inner firewall, separating the DMZ from the BL and DB server. Then there would be another web server set up in the DMZ, and another small VM to serve as the outer firewall (providing a boundary between the rest of the machines on my LAN and the DMZ).
Sounds entirely feasible. You definitely don't need real iron for playing with such a setup.
The sources of information I have found so far appear to have presented the concepts well, but they provide little practical information on how to actually make a DMZ.
There are several things that are not clear to me.
1) I assume that the two small VMs that serve as my inner and outer firewalls would also act as a kind of bridge, providing routing between my LAN (192.168.2.*) and a subnet (such as 192.168.1.*) representing either my DMZ or the virtual LAN behind the inner firewall; but how is that configured? What tool would I use for that?
Really just standard network configuration tools - ip route etc.
2) Does the web server in the DMZ just get configured as some kind of proxy (meaning I only need to configure forwarding in the apache conf files), or do I need to put CGI code on it to validate request data and then forward the request on to the BL server?
Typically the webserver is connected to your business apps via a specific, limited connection. Basic input validation is easily done in the DMZ webserver, then passed to the backends for any further validation.
3) How do I make ssh work with the DMZ so that I can actually log into the BL and DB servers, for the purpose of administering them?
Presumably you are sitting on the inside network, so that should not be an issue. If you are not on the inside, I would set up a VPN for administering anything on the inside.
This is for my own experimentation, eventually to support my own coding, for the very near term. But, when I deploy to a real host, I suppose I'd have to consult with the hosting provider to configure the provider's firewall(s) to support a DMZ; but doing this with virtual machines here I would expect to help me understand whatever issues are involved in properly using a DMZ to secure a website.
You could still do it with virtual machines on a rented machine. I wouldn't expect too much help from a hosting provider in this respect.
I would appreciate any links to resources that show how to do all this, or at least a 'to do list' and a list of tools that could be used to complete each task that must be done.
I think you need to decide on an architecture, and then go implement it. This has all the basics, except it's based on a fortigate box - with a bit of abstraction, you should be able to implement the exact same with your virtual machines: http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install...
--
Per Jessen, Zürich (16.8°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 05/08/2015 11:31 AM, Ted Byers wrote:
I have been googling, and reading about using a DMZ.
Using a DMZ typically refers to devices directly connected to the internet, outside of a firewall. For your simulation, you would have machines in the wild<-->firewall<-->internal machines behind a firewall. The external web server would have its connection to the DB server provided by the firewall using port forwarding. This is a very simple example.
But I have yet to find information adequate to allow me to simulate use of a DMZ using virtual machines. I find it easy to make virtual machines, and have no space for extra hardware. What I want to do is set up a couple virtual machines, representing a web server hosting code that represents the business logic layer and UI of a web application, and since it is data driven, the other hosts the database server. I then want to set up a small VM representing the inner firewall, separating the DMZ from the BL and DB server. Then there would be another web server set up in the DMZ, and another small VM to serve as the outer firewall (providing a boundary between the rest of the machines on my LAN and the DMZ).
The sources of information I have found so far appear to have presented the concepts well, but they provide little practical information on how to actually make a DMZ.
--
Ken Schneider
SuSe since Version 5.2, June 1998
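Per Jessen's "standard network configuration tools - ip route etc." and Ken Schneider's port-forwarding sketch both come down to the same job on the firewall VMs: turn on forwarding and permit only the specific flows between zones. The script below is an added example (not code from either poster) for the inner firewall VM: it emits an nftables ruleset that lets only the DMZ web server reach one application port on the BL host, lets admin ssh from the LAN into the inside hosts (question 3), and logs any direct DMZ-to-DB attempt before the default drop. Only the 192.168.1.x and 192.168.2.x ranges come from the thread; the 192.168.3.0/24 inside subnet, host addresses, interface names and port 8080 are assumptions for the lab.

```shell
#!/bin/sh
# Inner firewall VM for the DMZ lab. Assumed lab addressing (only the
# 192.168.1.x DMZ and 192.168.2.x LAN ranges come from the question):
DMZ_NET="192.168.1.0/24"     # DMZ, on the firewall's eth0 side
INSIDE_NET="192.168.3.0/24"  # assumed subnet behind the inner firewall (eth1)
DMZ_WEB="192.168.1.10"       # assumed DMZ web server / reverse proxy
BL_HOST="192.168.3.10"       # assumed business-logic server
DB_HOST="192.168.3.20"       # assumed database server
ADMIN_NET="192.168.2.0/24"   # the LAN the admin sits on

# Print an nftables ruleset that forwards only the flows the design needs.
# $1 is the assumed application port the DMZ web server proxies to (8080).
gen_inner_fw_rules() {
  app_port="${1:-8080}"
  cat <<EOF
table inet inner_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Only the DMZ web server may open the application port on the BL host.
    iifname "eth0" ip saddr $DMZ_WEB ip daddr $BL_HOST tcp dport $app_port ct state new accept
    # Admin ssh from the LAN to the inside hosts (question 3 in the thread).
    iifname "eth0" ip saddr $ADMIN_NET ip daddr { $BL_HOST, $DB_HOST } tcp dport 22 ct state new accept
    # Log any DMZ host trying to reach the DB directly; the policy drops it anyway.
    iifname "eth0" ip saddr $DMZ_NET ip daddr $DB_HOST log prefix "dmz-to-db " counter drop
  }
}
EOF
}

# Apply on the firewall VM itself (needs root and nftables installed):
# enable routing between eth0 and eth1 and load the ruleset atomically.
# The outer firewall and LAN also need a route for $INSIDE_NET via this
# VM's DMZ-side address, e.g.: ip route add 192.168.3.0/24 via 192.168.1.1
apply_inner_fw() {
  sysctl -w net.ipv4.ip_forward=1
  gen_inner_fw_rules "$1" | nft -f -
}

# Self-check usable without root: does the generated ruleset contain a
# rule letting host $1 open port $2 on host $3?
rule_allows() {
  gen_inner_fw_rules 8080 | grep -q "ip saddr $1 ip daddr $3 tcp dport $2 ct state new accept"
}
```

Run `gen_inner_fw_rules 8080` on any machine to inspect the ruleset; only `apply_inner_fw` needs to run on the firewall VM as root.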