If a public website’s web traffic (IIS, Apache, etc.) is processed by a server on your internal network, a hacked website could lead to instant, total compromise of your company.
“... What happens if there is a remotely exploitable ... vulnerability in the ... presentation layer? ... If the WAF fails to catch the issue, you are toast. The hacker owns EVERYTHING. They are inside the network and able to do whatever they want....”
If your web traffic is processed in your DMZ, a hacked website’s damage is usually limited in scope: the attacker still has more work to do, because they must figure out how to pivot from your DMZ into your actual internal network, and hopefully you notice and fix it before that happens.
“...By layering you can limit damage and increase the chance of detecting a penetration. Firewall -> WAF -> Presentation/Logic -> Firewall -> Data, at a minimum...”
https://security.stackexchange.com/questions/166931/dmz-layer-for-web-server-presentation-layer/167193
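The layering argument above can be checked against a firewall policy. The following is an added example, not code from the original post or the linked answer: it audits a zone-level rule set for flows that skip a layer of the quoted chain and counts how many allowed flows separate the internet from the internal network. Zone names, ports and rule sets are constructed assumptions.

```python
from collections import deque

# Layer order from the quoted chain; the zone names themselves are assumed.
LAYERS = ["internet", "waf", "dmz_web", "internal"]

# Constructed rule sets: (source zone, destination zone, destination port).
FLAT = [("internet", "internal", 443)]  # web server sits on the internal network
LAYERED = [
    ("internet", "waf", 443),
    ("waf", "dmz_web", 8080),
    ("dmz_web", "internal", 5432),
]
DRIFTED = LAYERED + [("internet", "dmz_web", 22)]  # leftover admin rule

def skipped_layers(rules):
    """Return rules whose destination is more than one layer deeper than the source."""
    depth = {zone: i for i, zone in enumerate(LAYERS)}
    return [r for r in rules if depth[r[1]] - depth[r[0]] > 1]

def hops_to(rules, src="internet", dst="internal"):
    """Fewest allowed flows that must be chained to get from src to dst (None if unreachable)."""
    graph = {}
    for s, d, _port in rules:
        graph.setdefault(s, set()).add(d)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == dst:
            return hops
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

if __name__ == "__main__":
    for name, rules in [("flat", FLAT), ("layered", LAYERED), ("drifted", DRIFTED)]:
        print(name, "hops:", hops_to(rules), "skips:", skipped_layers(rules))
```

A hop count of 1 is the flat design from the first paragraph; the drifted rule set shows how a single leftover rule shortens the path and bypasses the WAF.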