Would this setup provide adequate security?

In the following scenario, I'm looking to see if I can provide adequate security as is or if there would be any tangible benefit to re-architecting things (like changing it so that the service in question would be in a DMZ, or something like that). Assume that the data I'm trying to protect is highly sensitive and it would be a major headline if it got exposed.




  • On a server that has access to the internal network (because we also need to access a database or other internal services), there will be a gRPC service that listens on a specific TCP port.

  • I know in advance that I only want a client from a single known, trusted IP to connect in, so we'll create a rule in the external firewall to allow incoming TCP connections from that single IP to the IP endpoint of the gRPC service.

  • For encryption and authentication, we'll also be doing TLS 1.2 mutual authentication on the gRPC service.


As far as what I've been able to think of, this should be more than acceptable because the only way to be able to connect in on that port would be to either legitimately have that IP (and it's a static IP where we trust the entity that the IP has been assigned to) or to spoof it, and a potential attacker would have to know that you would have to spoof that specific IP, which seems very unlikely without insider information (and even then, you'd only be able to send in packets trying to damage things and wouldn't get responses back because they'd route to the real IP, right?). Assuming that a malicious actor were to gain control of that IP, they'd still have to have the appropriate certificate to get through the TLS piece, know the type of protocol that they're trying to exploit, potentially need application-layer credentials, etc. I only see this as a likelihood if the actual client machine that I expect to connect in gets compromised; as far as I know, it has good physical/network security around it, so I think this should be very improbable.



Additionally, what about if I didn't firewall it at all? Would the security level still be acceptably high since you'd have to either have a legitimate certificate signed by the same CA as the server's certificate, or have an exploit up your sleeve in order to get past the TLS authentication? I'd firewall it either way since there really is just a single client I want connecting in, but I'm also curious about this.



Are there other issues that I'm not thinking about, or any other good reasons that should lead me to abandon this sort of setup as insecure? Thanks in advance.









Tags: security ssl firewall dmz





asked 3 mins ago by Kdawg



