Keeping Sensitive Data out of the DMZ with a Reverse Proxy
A DMZ (demilitarized zone) is a section of the network that is exposed to an untrusted network, usually the Internet. Its purpose is to add a layer of separation between external hosts and the internal network: hosts in the DMZ are reachable from the outside, but have limited or no access to hosts and services on the internal network, so the compromise of a DMZ host does not by itself expose internal systems. Examples of hosts that may reside in the DMZ include mail servers, web servers, FTP servers and SFTP/SSH servers.
Trading partners regularly use the Internet to perform file transfers, which requires that some file transfer services reside in the DMZ. The problem is that, for various reasons, the data to be transferred often does not or cannot reside in the DMZ. The two examples below demonstrate the types of problems that result.
Trading Partner Examples
Host A connects to Host B, which runs an FTP/S service in the DMZ. Host A wishes to download a file from Host B; however, the file does not reside on Host B but on Host C, a server on the internal network that is inaccessible to Host A. How does Host B deliver the file residing on Host C to Host A?
Host A connects to Host B, which runs an SFTP service in the DMZ. Host A wishes to upload a file to Host B; however, the organization operating Host B has a policy that no files may physically reside in the DMZ. This is a common scenario for organizations subject to regulatory or industry compliance requirements such as PCI DSS, which require that sensitive information (e.g. cardholder data) not be stored in the DMZ. How can this policy be enforced?
Both scenarios can be solved with what is called DMZ streaming: a method of streaming data between the client, the DMZ services and the private internal network while keeping the data from ever physically residing on DMZ servers. The DMZ host handles the data only in memory and only in transit.
What is a Reverse Proxy?
A common method of achieving DMZ streaming is through the use of a reverse proxy. A reverse proxy is proxy server software that accepts incoming client connections and then connects to a destination server on behalf of the client (or to one of several destination servers, for reverse proxies that also offer load balancing).
The response from the destination server is received by the reverse proxy and forwarded back to the client as though it came from the reverse proxy itself. The process is transparent to the client: it only ever sees the reverse proxy's address, and any protocol translation and load balancing are handled by the reverse proxy.
How does a Reverse Proxy Work?
- The client establishes a connection to a file transfer service on the reverse proxy. An optional firewall in front of the DMZ may limit the services the client can connect to and/or the IP addresses the client may connect from.
- The reverse proxy establishes a tunnel from the client, through the reverse proxy, to the file transfer service on the internal network. The firewall in front of the internal network is configured to allow connections to the internal file transfer services only from the reverse proxy, so the internal service is never directly reachable from the Internet.
- The client communicates seamlessly with the file transfer service on the internal network via the tunnel established by the reverse proxy. Data passes through the reverse proxy in transit and is not written to the DMZ host's storage.
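The three steps above, and the reverse proxy description that precedes them, as an added example that is not part of the original article or of JSCAPE's product: a minimal DMZ streaming relay in Python. An external client connects only to the proxy (step 1), the proxy opens the internal leg on the client's behalf and pumps bytes in both directions (step 2), and the client ends up talking to the internal service through that tunnel (step 3). Transfer data passes through the DMZ host one in-memory chunk at a time and is never written to its disk. The one-byte G/P request protocol, the loopback addresses standing in for the DMZ and internal networks, and the sample file are assumptions made up for this demonstration; a real deployment would relay SFTP or FTPS.

```python
"""DMZ streaming relay: a minimal TCP reverse proxy for a DMZ host. It accepts a
trading partner's connection and streams bytes to and from an internal file
transfer service one in-memory chunk at a time, never writing transfer data to
disk on the DMZ host. Added example, not JSCAPE code: the one-byte G/P request
protocol, the loopback addresses standing in for the DMZ and internal networks,
and the sample file content are assumptions made up for this demonstration."""
import hashlib
import socket
import threading

CHUNK = 64 * 1024       # relay granularity: the most the DMZ host holds at once
LOOPBACK = "127.0.0.1"  # assumption: stands in for both DMZ and internal interfaces
# Constructed sample: the file on "Host C" that must stay on the internal network.
SAMPLE_FILE = b"constructed sample file, internal network only\n" * 1000

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def read_to_eof(sock: socket.socket) -> bytes:
    parts = []
    while chunk := sock.recv(CHUNK):
        parts.append(chunk)
    return b"".join(parts)

def pump(src: socket.socket, dst: socket.socket) -> None:
    """One direction of the tunnel: copy src -> dst chunk by chunk until EOF,
    then half-close dst so the EOF propagates to the far side."""
    try:
        while chunk := src.recv(CHUNK):
            dst.sendall(chunk)  # straight to the next hop, never to a file
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay(client: socket.socket, backend_addr) -> None:
    """Step 2 in the article: open the proxy -> internal leg on the client's
    behalf and run both directions until both sides have finished."""
    with client, socket.create_connection(backend_addr) as backend:
        downstream = threading.Thread(target=pump, args=(backend, client))
        downstream.start()
        pump(client, backend)
        downstream.join()

def serve(bind_addr, handler):
    """Accept loop in a daemon thread; returns (listening socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind_addr)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def internal_service(conn: socket.socket) -> None:
    """Stand-in for the internal SFTP/FTPS server ("Host C"). In production the
    internal firewall admits connections to it from the proxy's address only."""
    with conn:
        verb = conn.recv(1)
        if verb == b"G":    # scenario 1: download a file that lives on Host C
            conn.sendall(SAMPLE_FILE)
        elif verb == b"P":  # scenario 2: upload that must never land in the DMZ
            conn.sendall(sha256_hex(read_to_eof(conn)).encode())

def start_environment():
    """Bring up the internal service and the DMZ proxy in front of it."""
    backend_srv, backend_port = serve((LOOPBACK, 0), internal_service)
    proxy_srv, proxy_port = serve((LOOPBACK, 0), lambda c: relay(c, (LOOPBACK, backend_port)))
    return proxy_srv, backend_srv, proxy_port

def download_via_proxy(proxy_port: int) -> bytes:
    """Host A fetches Host C's file; it only ever talks to Host B, the proxy."""
    with socket.create_connection((LOOPBACK, proxy_port)) as s:
        s.sendall(b"G")
        s.shutdown(socket.SHUT_WR)
        return read_to_eof(s)

def upload_via_proxy(proxy_port: int, payload: bytes) -> str:
    """Host A uploads through Host B; returns the digest Host C computed over what arrived."""
    with socket.create_connection((LOOPBACK, proxy_port)) as s:
        s.sendall(b"P" + payload)
        s.shutdown(socket.SHUT_WR)
        return read_to_eof(s).decode()

if __name__ == "__main__":
    proxy_srv, backend_srv, port = start_environment()
    sent = b"constructed upload payload\n" * 5000
    print("download intact:", download_via_proxy(port) == SAMPLE_FILE)
    print("upload intact:", upload_via_proxy(port, sent) == sha256_hex(sent))
```

Run directly, both scenarios from the Trading Partner Examples section succeed: the download returns a file that exists only on the internal service, and the upload's digest, computed by the internal service, matches what the client sent, with the relay never holding more than CHUNK bytes. What this example does not reproduce is the deployment detail that makes it safe: the listener sits on the DMZ interface and the internal firewall admits connections to the internal service from the proxy's address only. Note also that a byte-level relay like this never sees plaintext unless TLS terminates on it; for SFTP, or FTPS when the proxy does not terminate TLS, the DMZ host relays ciphertext it cannot read.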
In this article I discussed DMZ streaming, reverse proxies and how these can be used to perform file transfers between DMZ hosts and hosts residing on an internal network. Using DMZ streaming in combination with MFT software can help organizations streamline file transfers while meeting compliance requirements such as HIPAA and PCI DSS.
JSCAPE MFT Gateway is a load balancer and reverse proxy server that allows your trading partners to access your data without exposing ports on your internal network to the Internet or storing sensitive information in the DMZ. It currently comes with a fully functional evaluation edition which you can download right now.