elemint@cox.net wrote:

> What is the best way to update a web server securely in a DMZ?
>
> I think this could be done through iptables/hosts.allow/hosts.deny to only allow a particular host to talk to that webserver.
>
> Does anyone have any insight on the best way to keep a webserver secure in a DMZ while still being able to easily update it? Would a staging server running apache be good as the allowed host, so on this staging server it would be tested one last time and then sent on to the live server?
>
> Would a receive-only cable be a good idea so the server, on a separate NIC, would have a cable where it could only receive the updated files and then implement them?
>
> Does anyone know a good place to buy, or instructions on making, a receive-only cable?
>
> Jim
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Hi Jim,

I'm cringing here. If you have to come up with interesting and novel solutions, the fundamental architecture is flawed. I would start there, fix the architecture. Difficult solutions are usually less secure as it is harder to find the flaws and the flaws are bigger.

The staging server is an excellent idea and in use in almost every major company that deploys web content. One note, however - don't allow your staging server to be open to the Internet unless it is hardened and protected like a prod server. I know of several staging servers that have development passwords because most of the staff doesn't know it's in the DMZ.

My staging server is not in the DMZ. All testing is done internally. Any external agents that need to test do so via VPN. If it must be open to the Internet, try a maintenance network.

A very useful method used to update DMZ content is via a maintenance network which uses a different IP range and a different NIC on the server:

    INTERNET---FW--+----------+--FW---OTHER LAN
                   |          |
                 SERVER     SERVER
                   |          |
                   +----------+--FW---MAINT LAN

Set up netfilter/netacls to limit traffic, drop stupid traffic, keep the traffic separated, no forwarding, etc. Configure SSH to listen on the maintenance network only. Updates will be a piece of cake through the maintenance network.

Cheers,

George Toft
Computer Security
AGD,llc
www.agdllc.com
623-203-1760
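As an added example, not part of George's reply or the original thread, the following Python audit checks a server against the maintenance-network layout he describes: sshd bound to the maintenance address only, every SSH accept rule tied to the maintenance NIC, and no forwarding between the DMZ and the maintenance LAN. The interface names, addresses and both sample configurations are constructed assumptions.

```python
"""Audit a DMZ web server's SSH exposure against a maintenance-network layout.
Constructed assumptions: eth1 is the maintenance NIC, 10.99.0.0/24 the
maintenance LAN, and 10.99.0.10 the server's address on it."""
import ipaddress
import re

MAINT_IF = "eth1"
MAINT_NET = ipaddress.ip_network("10.99.0.0/24")


def sshd_listen_addrs(sshd_config):
    """IPv4 ListenAddress values from sshd_config text, port suffix dropped."""
    addrs = []
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()          # ignore comments
        m = re.match(r"ListenAddress\s+(\S+)", line, re.I)
        if m:
            addrs.append(m.group(1).split(":")[0])
    return addrs


def audit(sshd_config, iptables_save, ip_forward):
    """Return a list of findings; an empty list means the layout holds."""
    findings = []
    addrs = sshd_listen_addrs(sshd_config)
    if not addrs:
        findings.append("sshd has no ListenAddress, so it listens on every NIC")
    for a in addrs:
        if ipaddress.ip_address(a) not in MAINT_NET:
            findings.append(f"sshd ListenAddress {a} is outside the maintenance LAN")
    for line in iptables_save.splitlines():
        # Every rule that accepts tcp/22 must be bound to the maintenance NIC.
        if "-A INPUT" in line and re.search(r"--dport 22\b", line) and "-j ACCEPT" in line:
            if f"-i {MAINT_IF}" not in line:
                findings.append(f"SSH accept rule not limited to {MAINT_IF}: {line.strip()}")
    if re.search(r"^:FORWARD ACCEPT", iptables_save, re.M):
        findings.append("FORWARD policy is ACCEPT: server could route DMZ <-> maintenance LAN")
    if ip_forward.strip() != "0":                     # value of /proc/sys/net/ipv4/ip_forward
        findings.append("net.ipv4.ip_forward is enabled")
    return findings


# Constructed sample inputs: a weak setup and the hardened one the reply calls for.
WEAK_SSHD = "Port 22\nPermitRootLogin no\n"
WEAK_IPT = ("*filter\n:INPUT DROP [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
            "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"
            "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\nCOMMIT\n")
GOOD_SSHD = "ListenAddress 10.99.0.10:22\nPermitRootLogin no\n"
GOOD_IPT = ("*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n"
            "-A INPUT -i eth1 -s 10.99.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT\n"
            "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT\nCOMMIT\n")
```

On a real host, feed it the contents of /etc/ssh/sshd_config, the output of `iptables-save`, and /proc/sys/net/ipv4/ip_forward.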