
RE: ASP, Biztalk server SQL DB and Firewall architecture.

From: disciple <marcus(at)nwnc.net>
Date: Fri Nov 22 2002 - 10:48:28 EST


My 2 cents...

It's a good DMZ security practice to avoid allowing any connections to the private network to be initiated from the DMZ. It helps reduce the likelihood of that connection mechanism being exploited. You could set up a scheduled job on your BizTalk server that would poll the web server periodically for new files, and pull them down. You could do this via a secure method like IPsec, SSH, etc. You probably have some method for remotely copying files to the DMZ web servers already, and you may be able to simply use that method, just automate it.

If you need the files to be copied to the BizTalk server on demand (i.e. the customer needs immediate confirmation the files have been uploaded to the back-end), you could set up a method by which your web server sends a message (via a more secure protocol like http? :) to the BizTalk server to pick up the files, then use the above automated copy method (or something like it) to pull the files from the web server. This breaks the rule of NOT initiating communications from the DMZ, but at the least it mitigates some risk by not allowing any method that pushes files from the DMZ to the private network.

If you don't care about whether communications are initiated, and files pushed, from the DMZ, then the sky is the limit. Although you'd be adding some risk to your environment.

Sincerely
Marcus

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill@gilltechnologies.com]
Sent: Wednesday, November 20, 2002 8:19 AM
To: focus-ms@securityfocus.com
Subject: ASP, Biztalk server SQL DB and Firewall architecture.

Greetings folks,

I am facing the following problem and hope to get some valuable advice from all of you. I would appreciate it if there could be some response on this.

In our architecture, we have a web server, a Biztalk server and a database server. The Web server hosts the ASP page which the external customer will access. The external customer will submit files via this ASP page. The ASP page will upload the file and store it in some directories so that BIZTALK can process it.

But now the problem is that the Web server is hosted in the DMZ (between the external and internal firewalls), and the Biztalk server and database server are hosted behind the firewall. Also, since the file receive function of BIZTALK can only poll the file from the local hard disk, the files to be processed by BIZTALK must somehow be available on the BIZTALK server.

Can ASP sitting in the DMZ upload the file to the BIZTALK server which is sitting behind the firewall? Can the BIZTALK server be accessible from the web server, since they are separated by a firewall? If yes, is there any setting that needs to be done to achieve this? Or are there other, better methods that you can think of to process the file using the current architecture? Do you know what the common implementations are for this type of scenario?

Thanks in advance for the help.

Kind Regards
Gill

Received on Mon Nov 25 22:51:25 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT
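
Added example, not part of the original thread: a small Python audit that applies the reply's rule to an inner-firewall rule list, reporting every allow rule that lets a DMZ host initiate a connection to the private network, with an optional exception for the on-demand "pick up" notification. The subnets, hosts, ports and rules are constructed for illustration; each rule is read as a stateful rule describing who may open the connection, and shadowing by earlier rules is not modelled.

```python
import ipaddress

# Constructed example addressing; none of these values come from the thread.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed inner-firewall rules: (action, source, destination, protocol, dest port)
RULES = [
    ("allow", "10.1.5.20/32", "192.0.2.10/32", "tcp", 22),   # BizTalk pulls from web server
    ("allow", "192.0.2.10/32", "10.1.5.20/32", "tcp", 443),  # web server "pick up" notification
    ("allow", "192.0.2.0/24", "10.1.5.0/24", "tcp", 445),    # file push from the DMZ
    ("allow", "any", "10.1.6.30/32", "tcp", 1433),           # "any" includes the DMZ
    ("deny", "any", "any", "any", None),
]

# Flows accepted as the on-demand exception: (source, destination, protocol, port)
NOTIFY_EXCEPTIONS = {("192.0.2.10/32", "10.1.5.20/32", "tcp", 443)}


def _net(spec):
    """Parse a rule address; 'any' means the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def dmz_initiated_allows(rules, dmz=DMZ, internal=INTERNAL, exceptions=frozenset()):
    """Return allow rules that let a DMZ host open a connection to the internal network."""
    findings = []
    for index, (action, src, dst, proto, port) in enumerate(rules):
        if action != "allow":
            continue
        # overlaps() also catches broad rules such as 'any' or a supernet of the DMZ
        if not (_net(src).overlaps(dmz) and _net(dst).overlaps(internal)):
            continue
        if (src, dst, proto, port) in exceptions:
            continue
        findings.append((index, src, dst, proto, port))
    return findings


if __name__ == "__main__":
    for finding in dmz_initiated_allows(RULES, exceptions=NOTIFY_EXCEPTIONS):
        print("DMZ-initiated allow rule #%d: %s -> %s %s/%s" % finding)
```

With the notification exception in place, the file-push rule and the broad "any" source rule are still reported, since both let a DMZ host open a connection inward.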

