
Moving http upload/download application from inside the firewall to DMZ

 
Dhandu Subramanian
Occasional Contributor


Hi
I have an HTTP upload and download application that I am thinking of moving from inside the company network to the DMZ.
I am aware that I need to open up certain ports to get to the database.
Question is: How does the HTTP upload/download performance change in moving the app from within the network to the DMZ?
John Bolene
Honored Contributor

Re: Moving http upload/download application from inside the firewall to DMZ

You will need a registered Internet IP for the DMZ machine, but you already knew that. In opening the ports, you will want to check for the originating IP of the DMZ machine and only allow those commands into the ports, but that should be a function of your firewall.

Performance should not be that much different, but it is dependent on how fast your firewall machine is in passing the packets.

Protecting the DMZ machine is the real key here, as it will be the machine with access to the inside.

If this does not help, I may not have understood the question.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Steven E. Protter
Exalted Contributor

Re: Moving http upload/download application from inside the firewall to DMZ

If the firewall machines are fast enough to handle the load you should be okay there.

You need to worry about your HP-UX box getting hacked.

Here are a couple of good ways to prevent that.

Prior to the move, install and run this utility... Bastille Security hardening tool.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProducts.pl?group_type=search&group_name=Bastille&search_free=1&search_trial=1&search_buy=1

Bastille will improve UX performance if you let it by letting you disable insecure and obsolete daemons.

Also useful is security_patch_check

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

Bastille gives you the option of scheduling this puppy in cron, but it helps keep you up to date on security patches.

You also want to stop using telnet with this box and use secure shell which transmits passwords encrypted.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProducts.pl?group_type=search&group_name=Secure+Shell&search_free=1&search_trial=1&search_buy=1

Attached is a cookbook for installation and exchange of public keys.

Last, go through the box and rip out every network service you don't need. If you don't use BIND, don't have it on the box, etc.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
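
The advice in the thread to drop telnet and remove every network service the box does not need can be checked against the inetd configuration. The script below is an added example, not code from the thread or from any poster; the function names, the sample file contents and the allowlist are constructed for illustration, and it assumes the standard inetd.conf field layout.

```shell
#!/bin/sh
# Added example: report inetd services that are enabled but not on an allowlist.
# Assumed inetd.conf layout:
#   service socket-type protocol wait|nowait user server-program [args]

# audit_inetd CONF "svc1 svc2 ..."
#   CONF    path to an inetd.conf-format file, or "-" to read standard input
#   list    space-separated service names that are allowed to stay enabled
# Prints "service/protocol server-program" for every enabled service not allowed.
audit_inetd() {
    conf=$1
    allowed=$2
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/  { next }               # commented-out entry: already disabled
        NF < 6      { next }               # blank or incomplete line
        !($1 in ok) { print $1 "/" $3, $6 }
    ' "$conf"
}

# Constructed sample input in inetd.conf format (not taken from a real host).
sample_conf() {
    cat <<'EOF'
# constructed sample
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#tftp   dgram  udp wait   root /usr/lbin/tftpd   tftpd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
daytime stream tcp nowait root internal
EOF
}

# Demo: only ftp is allowed, so telnet, login and daytime are reported.
sample_conf | audit_inetd - "ftp"
```

On a real host the first argument would be the inetd configuration file, and an empty allowlist reports every service still enabled.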