Isolation between FrontEnd and BackEnd (Security)

Topics: General
Aug 9, 2011 at 8:50 PM

We have a customer asking us to have a FrontEnd in their DMZ network and isolate the BackEnd functionality behind a firewall to only have access through its internal network. Any ideas about different options to do this? Thanks.

Coordinator
Aug 10, 2011 at 10:47 AM

Requests from your internal network will have some specific IP range; you can filter all requests to the "/Composite" folder by that IP range.

You can do this, e.g., by writing an httpModule and putting it into /web.config.

Inspired by this link http://www.codeproject.com/KB/aspnet/http-module-ip-security.aspx I've written an example.

Class in App_Code:

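using System;
using System.Web;

// Rejects requests to the C1 administration console unless the client
// address is in the allowed range.
public class SecurityHttpModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.BeginRequest += Application_BeginRequest;
    }

    private void Application_BeginRequest(object source, EventArgs e)
    {
        HttpContext context = ((HttpApplication)source).Context;

        // Only requests under the admin root ("/Composite") are filtered.
        if (!context.Request.RawUrl.StartsWith(Composite.Core.WebClient.UrlUtils.AdminRootPath, StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        string ipAddress = context.Request.UserHostAddress;
        if (!IsValidIpAddress(ipAddress))
        {
            context.Response.StatusCode = 403;  // (Forbidden)
            // End the request here; otherwise the handler still runs and
            // the page content is sent along with the 403 status.
            context.ApplicationInstance.CompleteRequest();
        }
    }

    // String-prefix match: 192.168.x.x plus the IPv4 loopback address.
    private static bool IsValidIpAddress(string ipAddress)
    {
        return ipAddress.StartsWith("192.168.") || (ipAddress == "127.0.0.1");
    }

    public void Dispose() { }
}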

In web.config:

<configuration>
  ...
  <system.webServer>
    ....
    <modules>
      ....
      <add name="AdministrationSecurity" type="SecurityHttpModule, App_Code"/>
    </modules>
  </system.webServer>
</configuration>
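
An added example, not part of the original post or of Composite C1: the address check from the module above done on parsed addresses and CIDR ranges rather than string prefixes, so that IPv6 loopback and IPv4-mapped IPv6 clients are handled and unparsable input is denied. The class name `IpAllowList`, the range list and the sample addresses are assumptions made for illustration; `IsIPv4MappedToIPv6` and `MapToIPv4` require .NET Framework 4.5 or later.

```csharp
using System;
using System.Linq;
using System.Net;

// Added example: allowlist check on parsed addresses instead of string prefixes.
public static class IpAllowList
{
    // Assumed ranges (same intent as the post: 192.168.x.x plus loopback).
    private static readonly string[] AllowedCidrs =
        { "192.168.0.0/16", "127.0.0.0/8", "::1/128" };

    public static bool IsAllowed(string remoteAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress, out ip))
            return false;                       // unparsable input: fail closed

        // Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d.
        if (ip.IsIPv4MappedToIPv6)
            ip = ip.MapToIPv4();

        return AllowedCidrs.Any(cidr => InCidr(ip, cidr));
    }

    private static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (network.AddressFamily != ip.AddressFamily)
            return false;

        byte[] a = ip.GetAddressBytes(), n = network.GetAddressBytes();
        int fullBytes = prefix / 8, remBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (remBits == 0) return true;

        int mask = (0xFF << (8 - remBits)) & 0xFF;  // top remBits bits of the next byte
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }

    public static void Main()
    {
        // Constructed sample addresses, not taken from the thread.
        foreach (string s in new[] { "192.168.10.5", "::ffff:192.168.1.9", "::1",
                                     "192.169.0.1", "203.0.113.7", "not-an-ip" })
            Console.WriteLine("{0,-20} {1}", s, IsAllowed(s) ? "allow" : "deny");
    }
}
```

In the module, `IpAllowList.IsAllowed(context.Request.UserHostAddress)` would take the place of `IsValidIpAddress`. Behind a reverse proxy or load balancer, `UserHostAddress` is the proxy's address, so in that layout the restriction has to be enforced at the proxy or firewall instead.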