http://www.perlmonks.org?node_id=467687

xorl has asked for the wisdom of the Perl Monks concerning the following question:

We have our webserver outside of our firewall in some kind of DMZ. Our employee database is inside the firewall (it's a Win2k server and we're using Active Directory). Now what I want to do is write a script on the webserver that does a bunch of stuff to one of the web databases after it figures out that a user is a valid employee. I (and the PHB's) want to do this without punching a hole in the firewall.

Yeah sounds impossible I know. We have an Intranet server which is inside the firewall. It can easily access the employee database.

What I was thinking was to have the users go to the Intranet server, be validated, fill out the info on the form, then submit the form. The form would actually be submitted to the webserver.

Problem with this is how do I make sure what is submitted is actually from the Intranet server. I thought about checking the referrer, but I've written some scripts that send fake referrers. So far I'm thinking the best thing is to have the form send some kind of token. Or maybe I could force everyone to have an IP address in the 10.xx.xx.xx range (that isn't spoofable is it?? What if I want them to be able to do this from home and not on our network?)

From the comment Re: Referer check within domain problem it sounds like a completely different solution is needed. Yet there is no alternative offered.

The project is still at the idea stage, so almost anything can be changed. The only requirements are:

Any help would be appreciated. Thanks.
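An added example, not from the thread, of the "have the form send some kind of token" idea: the intranet server, after validating the user against AD, signs the username, an expiry time and the form fields with an HMAC over a secret shared only with the DMZ server; the DMZ server recomputes the HMAC over what was actually submitted, so neither the Referer nor the source IP needs to be trusted and a field edited after validation fails the check. It assumes the core modules Digest::SHA and MIME::Base64 and uses a placeholder secret.

```perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);
# Placeholder secret shared by the intranet and DMZ servers only; in real
# use load it from a file outside the web root rather than hard-coding it.
my $SECRET = 'replace-with-a-long-random-secret';
my $TTL    = 300;    # seconds a token stays valid

# Canonical string covered by the signature: user, expiry and every form
# field in sorted order, so a tampered field invalidates the token.
sub _signed_body {
    my ($user, $exp, $fields) = @_;
    return join "\n", $user, $exp, map { "$_=$fields->{$_}" } sort keys %$fields;
}

# Intranet side: called only after the user has been validated against AD.
sub issue_token {
    my ($user, %fields) = @_;
    my $exp = time() + $TTL;
    my $mac = hmac_sha256_hex(_signed_body($user, $exp, \%fields), $SECRET);
    return encode_base64("$mac\n$user\n$exp", '');
}

# DMZ side: returns the validated username, or undef if the token is
# missing, expired, or does not match the submitted fields.
sub verify_token {
    my ($token, %fields) = @_;
    my ($mac, $user, $exp) = split /\n/, decode_base64($token // ''), 3;
    return undef unless defined $exp && $exp =~ /^\d+$/;
    return undef if time() > $exp;
    my $want = hmac_sha256_hex(_signed_body($user, $exp, \%fields), $SECRET);
    return _consteq($mac, $want) ? $user : undef;
}

# Constant-time comparison so a forger gains nothing from response timing.
sub _consteq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Constructed demo: a valid submission, then one altered after validation.
my %form  = (action => 'update_phone', phone => '555-0100');
my $token = issue_token('jdoe', %form);
print "valid for: ", verify_token($token, %form) // 'nobody', "\n";
$form{phone} = '555-0199';
print "after tampering: ", verify_token($token, %form) // 'nobody', "\n";
```

The expiry limits how long a captured token stays useful; to stop replay within that window the DMZ server would also record each accepted token (or a nonce embedded in it) and reject a second use.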


Re: verify form submission is from a specific place
by ww (Archbishop) on Jun 17, 2005 at 13:40 UTC

    The notion of forcing (internal) users to submit via the Intranet server seems pretty sound, but the notion of letting employees work from outside is less so... even if you do VPN or something similar.

    re your (IP) isn't spoofable is it??: If not today, wait a few seconds. I wouldn't want to bet against it being an easy do today. cf anonymiser, etc. which appear readily adaptable.

    and re What if I want them to be able to do this from home and not on our network?: In the famous words of the (allegedly) prototypical New Yawker, "fergeddiboudit!" For one thing, one frequently high priority consideration for running an intranet is SPECIFICALLY that you don't want a user from outside your firewall playing inside your (proprietary) workspace -- to which I'd add "even if you THINK you know who it is."

    On the other hand, your outside server (RH) uses a fairly sound encryption scheme to validate those with accounts; one would think you might be able to avoid posting a (generic meaning) database to validate those authorized to change content. But on the third or fourth or fifth hand, what is the PHB's level of risk tolerance?

    UPDATE But, see Tank's (++) below!
      I was afraid someone was going to say that. We already have people out in the field who connect via VPN and can then go crazy on our internal network. Of course not all of them are authorized for VPN. For these people, they are limited to doing some very simple tasks on the webserver with a webform.
Re: verify form submission is from a specific place
by gawatkins (Monsignor) on Jun 17, 2005 at 13:55 UTC
    xorl,

    First off, are there any ports currently open, possibly TCP 80 and/or TCP 443? If they are open you could use LWP::UserAgent to access a page on your intranet server. The page on the intranet server would handle the AD testing and return a yes/no answer. You could then parse the output on the DMZ server for confirmation.

    If there are not any ports open, you could set up a host to host rule on the firewall (Even though you said you wanted to avoid this), where inbound traffic is only permitted from the DMZ server address to the intranet server address. A rule like this is safer than just opening up the port to any internet host.

    Hope this helps.
    Greg W
      No, you currently cannot have the webserver request a page from the intranet server. I did suggest something like this. I wasn't shot down exactly, but was told they wanted other options.
        xorl,

        I don't really see much of a solution, considering your current level of resources. As a very last possible resort you could have the DMZ server email the requests to an account on the Intranet server for processing (which is a whole different security concern), then the intranet server could post the results to a form on the DMZ server. This would REALLY slow the process down, but I believe it to be at least an option if there are not any others.

        Thanks,
        Greg W.
Re: verify form submission is from a specific place
by Tanktalus (Canon) on Jun 17, 2005 at 16:39 UTC

    You may want to talk to IT from other companies to see what they do - I expect that allowing the webserver to access something inside the firewall is precisely how it happens. Through a VPN tunnel, or via very strict firewalls that only allow the one static IP address through, or by using a second network card that connects to the other side of the firewall, and using strict iptables to limit what can go through each network card. For example, on eth1, only transmissions to port xyz on machine a.b.c.d are allowed. This can severely limit the exposure should the DMZ box be rooted.

Re: verify form submission is from a specific place
by omega_monk (Scribe) on Jun 17, 2005 at 16:32 UTC
         <snip>What I was thinking was to have the users go to the Intranet server, be validated, fill out the info on the form, then submit the form. The form would actually be submitted to the webserver.</snip>

    Trying to clarify. The webserver contains no validation data, just the data(base(s)) that need to be operated on if the user is validated via the intranet server, which accesses the employee database. That being stated, maybe a different perspective would help...

    • How do employees access the external webserver that you are trying to use?
    • Can you mirror the external server on an intranet server?
    • Can you mirror the employee database on the webserver (watch this with sensitive data, maybe only what is needed for authentication)?

    Just trying to provoke some thought that may help...