Back-End Servers

A back-end server can be thought of as a server that is required for the Internet service to operate, but does not need to be public-facing or have a publicly accessible IP address. A database server, as shown in Figure 11-3, is one example.

These servers have to be able to communicate with the public-facing servers to fulfill the requests sent to them.

In Figure 11-3, you can see that the Web server for Mydomain.com is serving Web files for www.mydomain.com. The Web server runs a stock lookup database that is linked to a back-end SQL database running on a server in the same Layer 3 domain as the Web server. NAT is used to statically translate the Web server's private IP address of 192.168.1.10 to the public IP address of 194.73.134.10. Therefore, Internet hosts access www.mydomain.com and DNS resolves this to 194.73.134.10. The Mydomain.com firewall handles this request and statically translates it inbound to 192.168.1.10. The SQL server has a private IP address of 192.168.1.20. There is no static translation for this server, so in theory, it cannot be accessed from the outside.

Back-end servers can be any combination of the following:

  • Database servers

  • E-commerce servers

  • Content servers

  • Application servers

  • Authentication servers

  • Communications servers

There are numerous other servers that could fall into the category of back-end servers.

Threats Posed to Back-End Servers

Back-end servers should not be accessible to the public Internet unless required. If a back-end server is connected to the public Internet, it exposes all of the vulnerabilities associated with both the operating system and the application.

Solutions to the Threats to Back-End Servers

The easiest way to remove the threats associated with back-end servers is to place them on a private network behind a firewall and not to provide a static translation between the private address and public address.

If the back-end server does need to be publicly visible, it should be placed behind a firewall and access should only be allowed to the specific ports that are required. This restricts the risks associated with allowing the back-end server to be accessed over the Internet.

In addition, the latest service and security patches should be applied to the application to ensure that there are no backdoor vulnerabilities that can be exposed.
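The placement rules above can be checked mechanically against a firewall policy. The following is an added example, not code from the original text: it models the static translation table from Figure 11-3 and reports any back-end server that has a translation it does not need or more ports open than required. The port numbers, the second public address 194.73.134.20, and the function names are assumptions made for illustration.

```python
# Added example: constructed policy model using the addresses from Figure 11-3.
STATIC_NAT = {"194.73.134.10": "192.168.1.10"}   # public -> private (Web server)
INBOUND_PERMIT = {("194.73.134.10", 80)}         # (public IP, TCP port); port 80 is assumed
BACK_END = {"192.168.1.20": set()}               # SQL server -> ports it must offer publicly


def translate_inbound(public_ip, port, nat=STATIC_NAT, permit=INBOUND_PERMIT):
    """Return the private host an Internet packet reaches, or None if it is dropped."""
    private = nat.get(public_ip)
    if private is None:                  # no static translation, so nothing to forward to
        return None
    if (public_ip, port) not in permit:  # translated host, but this port is not allowed
        return None
    return private


def audit(nat, permit, back_end):
    """Report back-end servers that are more exposed than their required ports."""
    public_for = {private: public for public, private in nat.items()}
    findings = []
    for private, required in sorted(back_end.items()):
        public = public_for.get(private)
        if public is None:
            continue                     # private only: the preferred placement
        opened = {p for ip, p in permit if ip == public}
        if not required:
            findings.append((private, public, "static translation not required", sorted(opened)))
        elif opened - required:
            findings.append((private, public, "ports beyond required", sorted(opened - required)))
    return findings


if __name__ == "__main__":
    print(translate_inbound("194.73.134.10", 80))       # Web server is reachable
    print(audit(STATIC_NAT, INBOUND_PERMIT, BACK_END))  # no findings for Figure 11-3
    # Constructed misconfiguration: 194.73.134.20 and ports 1433/3389 are illustrative.
    nat = {**STATIC_NAT, "194.73.134.20": "192.168.1.20"}
    permit = INBOUND_PERMIT | {("194.73.134.20", 1433), ("194.73.134.20", 3389)}
    print(audit(nat, permit, {"192.168.1.20": {1433}}))
```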
