Web Development Thread, security of internally hosted web server in Coding and Web Development
27th June 2006, 02:52 PM #1
security of internally hosted web server
Following on from the post by beeswax...
I wish to host internally a server running Moodle. I've no problem getting LAMP and Moodle installed and working (already have a Windows box running Moodle and a LAMP box on which I'm playing with Typo3 for our web site).
My query is over the security of making a LAMP box visible from outside whilst still allowing the web server to see our AD for authentication.
I know it's technically possible and was all up for doing it today whilst our tech support company was in on their contracted day, but they put some doubts into my mind.
My understanding is that if the server is connected to the DMZ and the (hardware) firewall is configured correctly nothing should be able to get through to main part of the network and only allowed traffic (port 80) will get to the web server.
Techie chap's persuasion was that if someone managed to get control of the LAMP machine they may be able to get into the network.
Now, the big problem is that this stuff is beyond my knowledge and I can't speak authoritatively about it AND the tech support company don't support Linux (or even Apache on any platform). So they are likely to try and convince me it can't be done easily or securely.
-
-
27th June 2006, 03:05 PM #2 Re: security of internally hosted web server
This thread might be of interest to you.
-
-
27th June 2006, 03:15 PM #3 Re: security of internally hosted web server
Surely this will all depend on how it binds to the directory? I have set up stunnel to encrypt my LDAP queries and send them over SSL instead to the DC (at least I think it's working). Also done the same for the POP3 account on the helpdesk server.
-
-
27th June 2006, 03:21 PM #4
Re: security of internally hosted web server

Originally Posted by webman
Thanks, that was the thread I was referring to at the start. The difference here though is that I need the web server to have some access through to AD.
If nothing was allowed to get from web server in, then I would have no worries doing it.
I'll look into the SSL method. Any other ideas?
-
-
27th June 2006, 03:23 PM #5 Re: security of internally hosted web server
Oh, I also force SSL on most web applications now, due to the AD links. I don't want any passwords moving around in clear text.
-
-
27th June 2006, 03:25 PM #6 Re: security of internally hosted web server
My understanding is that if the server is connected to the DMZ and the (hardware) firewall is configured correctly nothing should be able to get through to main part of the network and only allowed traffic (port 80) will get to the web server.
Yes, you can allow the LDAP query through the firewall though, by port forwarding 389 to the DC. The firewall config should allow you to make sure only the LAMP server is connecting. You'd have to do the same thing if you were running Windows in the DMZ.
Techie chap's persuasion was that if someone managed to get control of the LAMP machine they may be able to get into the network.
Same argument with IIS.
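
An added example, not part of the original thread or any poster's code: a first-match model of the DMZ policy described in post #6, used to enumerate what a compromised DMZ host could reach on the LAN under a tight rule set versus a loose one. All addresses, the rule format and the function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination TCP port, None = any port

# Constructed addressing plan (assumption, not from the thread).
WEB = "192.168.50.10"      # LAMP/Moodle server in the DMZ
OTHER_DMZ = "192.168.50.20"
DC = "10.0.0.5"            # domain controller answering LDAP
FILESRV = "10.0.0.20"
ANY = "0.0.0.0/0"

# Tight policy: port 80 in to the web server, LDAP 389 from that one
# host to the DC only, everything else dropped.
TIGHT = [
    Rule("allow", ANY, WEB + "/32", 80),
    Rule("allow", WEB + "/32", DC + "/32", 389),
    Rule("deny", ANY, ANY, None),
]

# Loose policy: the whole DMZ may talk to the whole LAN on any port.
LOOSE = [
    Rule("allow", ANY, WEB + "/32", 80),
    Rule("allow", "192.168.50.0/24", "10.0.0.0/16", None),
    Rule("deny", ANY, ANY, None),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def lan_exposure(rules, dmz_hosts, lan_hosts, ports):
    """List every (src, dst, port) flow from DMZ to LAN the policy permits."""
    return sorted((s, d, p) for s in dmz_hosts for d in lan_hosts
                  for p in ports if decide(rules, s, d, p) == "allow")

if __name__ == "__main__":
    probe = ([WEB, OTHER_DMZ], [DC, FILESRV], [80, 389, 445, 3389])
    print("tight:", lan_exposure(TIGHT, *probe))
    print("loose:", len(lan_exposure(LOOSE, *probe)), "flows permitted")
```
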
-
-
27th June 2006, 05:36 PM #7 Re: security of internally hosted web server
If someone does take control of your LAMP box, they could (in theory) be able to collect the passwords that are passed into the application despite any SSL encryption.
Assuming they can only hit the web server's external-facing port 80, they would probably have to know an exploit in either Apache or the Moodle application code. That would probably get them access on a fairly limited account, but one which has access to the passwords after they leave the protection of SSL and before Moodle sends them through the internal firewall to AD (securely or not).
That said, if you keep Apache and Moodle fully patched and up-to-date you are doing about as much as you can.
-
-
27th June 2006, 08:50 PM #8 Re: security of internally hosted web server
You could use the same technique as our RBC. Have your web server on your LAN and have a reverse proxy in your DMZ. That way only port 80 access is required but you still get the separation you require.