Options for opening up an internal webpage to the internet

Message 5 of 5

1 Votes
robo_dev

First of all, your DMZ idea is 100% correct, that's how you expose apps to the web.

Untangle is a very good app, but as Rob Kuhn recommended, in terms of maximum throughput with the least security risk, I would bet on a Cisco ASA or even a Sonicwall box to define the DMZ and provide the SSL VPN, if that's the direction you go in.

Hardware firewalls beat software firewalls in most cases (the exception being Vyatta on VMware), and doubly so for a VPN solution where a lot of packet processing is needed, so when you scale up over 20-30 users, you're going to hit the wall with anything server-based, while a hardware-based solution (e.g. a hardware router/VPN) is what you will need.

While an SSL VPN like Adito is more secure than just a plain server, it is not going to do exactly the same thing... serve up web pages. Their web-forwards are not quite the same thing.

Don't forget, an Adito box in your DMZ is a web server, with a login screen and a database, and it needs to have one or more ports open. I know Adito OpenVPN really well, been using it for many years. (I am not meaning to say bad things about it, but it's just a web server with an OS, and it needs to be configured/protected/monitored just like any other web server.)

I might add that the Cisco ASA VPN router has a cleaner and better SSL VPN design than Adito (Cisco WebVPN), and unless you're hosting Adito on a really fast server, the Cisco is going to scale better, be more stable, and has lots more features (you get what you pay for).

Plus if you want to be 100% secure, add two-factor authentication (e.g. RSA SecurID) and then you do not have to worry about users setting weak passwords.

Note, by the way, that the Barracuda Networks SSL VPN appliance IS a fork of OpenVPN (with LOTS more features). So if you want 'Adito on steroids' with better security, more features, and support, you just buy the Barracuda product. (Barracuda simply took the open source code, improved it, and made it closed source in their appliance).

Can you make a web server in your DMZ secure? That's a big 'it depends'.

It's tricky to convey all that's needed here in 5000 words or less, but here goes:

First of all, https with a real (paid) certificate is required. It only solves a small part of the problem. You need to make sure the front door (authentication screens and authentication processes) is locked down, and the server is patched, hardened, monitored, and logged. (Web server security 101)

If money were no object, and your objective is to grant access (but not really expose the web app), you would define your DMZ with a Cisco ASA box, then set up a VMware server in the DMZ and host your web server as a guest VM on VMware. The Cisco WebVPN could publish the web pages off the web server in a secure fashion (and handle the authentication and encryption). Similarly, you could use the ASA box to simply serve up files for the users from a simple file server in the DMZ.

Not to digress, but there are TONS of advantages to making the server virtual, from a security, supportability, and recoverability standpoint. (It's very easy and secure to create the DMZ within the vSwitch config of the VMware server, and run a virtual firewall appliance, such as Vyatta or m0n0wall, but I digress.)

If you want even more security, issue certificates to your users or, for even more security, issue them SecurID tokens.
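The zone policy the post describes (a DMZ that the internet can reach only on HTTPS, and that can reach the internal network only on the one backend port the published app needs), written out as an added example. This is not code from the thread or from any vendor mentioned above; the post recommends a hardware firewall such as the ASA, and this shows the same policy as a Linux nftables ruleset so the rules can be read line by line. Interface names (wan0, dmz0, lan0), the addresses 192.0.2.10 (DMZ reverse proxy), 10.0.0.20:8443 (internal app backend) and 10.0.0.5 (admin host) are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: three-zone DMZ policy for a Linux firewall.
# Assumed layout (not from the original post):
#   wan0 = internet-facing interface
#   dmz0 = 192.0.2.0/24, published web server / reverse proxy at 192.0.2.10
#   lan0 = 10.0.0.0/24, internal app backend at 10.0.0.20:8443, admin host 10.0.0.5
flush ruleset

table inet dmz_fw {
    set lan_mgmt {
        type ipv4_addr
        elements = { 10.0.0.5 }    # the only host allowed to manage firewall and DMZ
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ct state invalid drop
        # The firewall itself is manageable only from the LAN admin host.
        iifname "lan0" ip saddr @lan_mgmt tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTPS to the published web server. Port 80 is not
        # opened at all, so nothing is served in the clear. New-connection rate
        # is capped so a flood cannot exhaust the proxy's accept queue.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 443 ct state new limit rate over 200/second burst 50 packets drop
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 443 accept

        # DMZ -> LAN: only the reverse proxy, only to the backend app port.
        # A compromised DMZ host gets no other path into the internal network.
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.10 ip daddr 10.0.0.20 tcp dport 8443 accept

        # DMZ -> Internet: nothing by default. Add narrow exceptions (a patch
        # mirror, an OCSP/CRL responder) explicitly rather than allowing all egress.

        # LAN -> DMZ: SSH for patching/monitoring, from the admin host only.
        iifname "lan0" oifname "dmz0" ip saddr @lan_mgmt ip daddr 192.0.2.10 tcp dport 22 accept

        # LAN -> Internet: normal user egress.
        iifname "lan0" oifname "wan0" accept

        # Everything else (DMZ -> LAN beyond 8443, WAN -> LAN, DMZ -> WAN) falls
        # through to the drop policy; log it so probing from the DMZ is visible.
        limit rate 10/second log prefix "dmz_fw drop: "
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Publish the DMZ web server on the firewall's public address.
        iifname "wan0" tcp dport 443 dnat ip to 192.0.2.10:443
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f dmz.nft` and confirm with `nft list ruleset`. The two checks worth running before exposing the host are that a scan from outside shows only 443 open, and that from a shell on the DMZ box itself nothing on the LAN answers except 10.0.0.20:8443; if either shows more, the DMZ is not doing its job regardless of what the web server on it looks like.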