This is more of an architectural and security question. I'm trying to determine whether a suggested architecture is required. Let me explain our configuration.
We have a standard DMZ that is basically two firewalls: one external-facing and the other connecting to the internal LAN.
Outside the firewall:
Silverlight Application
In DMZ:
WCF service (Business Logic and Data Access Layer)
Inside the LAN:
Databases
I am getting input that the architecture is not correct. Specifically, it has been suggested that, because "a web server has been hacked easily", we should have a relay server inside the DMZ that communicates with the other WCF service inside the LAN, will communicate with. The external firewall is currently configured to allow only port 443 (HTTPS) for the WCF service. The internal firewall is configured to allow SQL connections from the WCF service in the DMZ.
Ignoring the implications of the clear demonstration, I do not get the security benefit. To avoid polluting this with my bias, I am going to reserve my decision on this suggestion. Any input is appreciated.
Thanks, matte
I think the comments made are valid, and in such a case I would probably try the "protect-intensive" layers which I could possibly come up with.
Plus, the amount of work needed to get there can be less than you fear, if you are on .NET 4 (or can move to it).
You can use the new .NET 4 / WCF 4 routing service to do this quite easily. As an added benefit, you can expose an HTTPS endpoint to the external world, but on the inside you can use netTcpBinding (which is very fast) to handle internal communication.
To set up a .NET 4 routing service:
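Added example, not part of the original answer: a configuration sketch for a WCF 4 routing service hosted in the DMZ that accepts HTTPS from outside and relays every request over net.tcp to a service inside the LAN. The host name, port, service path and the names `httpsTransport`, `routingBehavior`, `toInternal`, `matchAll` and `internalService` are assumptions chosen for illustration.

```xml
<configuration>
  <system.serviceModel>
    <services>
      <!-- The relay in the DMZ: no business logic or data access code is hosted here -->
      <service name="System.ServiceModel.Routing.RoutingService"
               behaviorConfiguration="routingBehavior">
        <!-- External side: reachable through the outer firewall on 443 only -->
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="httpsTransport"
                  contract="System.ServiceModel.Routing.IRequestReplyRouter" />
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name="httpsTransport">
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="routingBehavior">
          <routing filterTableName="toInternal" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <client>
      <!-- Internal side: placeholder address of the real WCF service in the LAN.
           The inner firewall then needs one net.tcp rule from the relay to this
           host and port, instead of SQL connections from the DMZ. -->
      <endpoint name="internalService"
                address="net.tcp://wcf-internal.example.local:8000/BusinessService"
                binding="netTcpBinding"
                contract="*" />
    </client>
    <routing>
      <filters>
        <!-- Forward every message; narrower filters (e.g. by Action) can restrict
             which operations are reachable from outside -->
        <filter name="matchAll" filterType="MatchAll" />
      </filters>
      <filterTables>
        <filterTable name="toInternal">
          <add filterName="matchAll" endpointName="internalService" />
        </filterTable>
      </filterTables>
    </routing>
  </system.serviceModel>
</configuration>
```

With this layout the database credentials and data access layer live only on the LAN host, so the DMZ machine holds nothing beyond the routing table.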