EzDevInfo.com

dmz interview questions

Top dmz frequently asked interview questions

What is DMZ in networking?

I have to configure a Java application which is hosted in side a corporate network. So what is DMZ and how to get through to expose the services?


Source: (StackOverflow)

What's the most secure way to connect to Active Directory from a DMZ?

I got a web DMZ server, that hosts an "Extranet" ASP.NET application. I want that users should authenticate to this application using the same user and password that they use on their Windows at work. (we are using Active Directory)

I want to know what the best way is -the most secure way - to connect from the DMZ web server to the Active Directory.

For now I saw two possibilities:
- RODC
- LDAP Over SSL (LDAPS)

Are there any other option you recommend? What other options should I consider? Any limitation, or potential problems with any of those solution?


Source: (StackOverflow)

Advertisements

Access LAN files from DMZ

We have an application that stores files on a file server in our LAN. Now, they want a web application to make the files available on our public web server (in the DMZ). What's the best method for accessing those files from the web application?

The options I've considered are:

  1. FTP from the DMZ to the LAN server. (cheapest and easiest)
  2. A second file server in the DMZ and the files are pushed to it from the LAN. (Better performance and security, but also more money)

Source: (StackOverflow)

WCF service with netTCPbinding and DMZ clients

We have a WCF service with netTCPBinding hosted in a windows service, this service connects to ContentManager server to upload documents and add some metadata, retrieve the documentID and passes it to a .Net Application, the clients are authenticated using windows authentiation. We wrote a WCF client library to be used as a proxy by other line of business applications which wants to upload documents by just referencing this dll. All this works fine as long as the client apps are within the intranet domain.

Now there is a requirement to use this service by an web app accessed via mobile phones, the mobile application accesses a legacy asmx webservice which references the proxy to connect to the WCF service which in turn talks to another backend wcf service and uploads to content manager, the asmx webservice is hosted in servers outside of current domain in DMZ and there is no trust between the corporate domain and DMZ, we opened the necessary ports on both the servers, but since the client credentialtype is windows, it throws "The remote server did not satisfy the mutual authentication requirement." which is expected. Now we want to use the nettcpbinding for obvious reasons of performance since documents are scanned and sent via mobilephones from remote locations, and also with very little time rewriting this is not an option. In the articles i read and the discussions here most of them suggest against using netTCPBinding for this scenario, and a few tried and implemented this using certficates,

my questions are

  1. For the scenarios i mentioned above does using Certficates to autheticate clients the right approach?
  2. How should i handle security, right now declarative impersonation is used on almost all operations, if i have to change security how can i do it without impacting other applications using the service.

I have not worked on certficates before so a guidance with respect to the scenario will also be of great help.


Source: (StackOverflow)

Error 691 VPN Windows Server 2011 SBS

Our Network is build on a ESXi 5 which is connected on the second NIC with an IPCop. On the first NIC it is connected through a switch with all my clients.

On the ESXi i have a Windows Server SBS 2011 Standard with 2 NIC's. One for my private network and the other to get connected to the internet.

I've managed to get this working with RRAS but somehow i cant connect through VPN to my server. I allways get the 691 Error. I use PPTP as protocoll and i'm forwarding the needed ports... I even disabled the windows firewall for testing.

The error is telling me to check if i typed in the correct username or password or the RAS server may not allow the authenticationprotocoll... But in my RAS Settings i activated the pptp port for ras and routing.

Any help on this ?


Source: (StackOverflow)

Best practice for exposing internal data to outside world?

Our current setup for exposing internal data to the outside world is to have an Internet server in our DMZ with access to our database server that resides within our protected network. But I've been told this is not secure as exposes potentially all databases to the outside world. Is this true?

Current way

They say we should instead but an additional layer between the two.. an application server that exposes methods via, e.g. Web API, to the Internet site. This way, only web methods are potentially exposed and not the entire database server.

Is this more "proper/ideal/best practice" architecture? I want things as SIMPLE as possible but then also need to keep our data SECURE. If we want to expose methods to the outside world, then an outside app would (securely of course) call the web method which would, in-turn, call the same web method on the application server. Seems like a lot of duplication but maybe necessary in today's unsafe world?

Better way?

Thanks for any advice.


Source: (StackOverflow)

What is the recommended way to do WCF username/password authentication in DMZ

I am looking to host a WCF service accessible to a limited set of clients over the internet, as described here:

Best way to secure a WCF service on the internet with few clients

I intend to use Username/Password auth (using existing membership infrastructure) at this stage, with transport security (i.e. SSL).

I'm wondering what the recommended approach would be to processing the authentication request, when the membership database is obviously internal to the corporate network.

Options I'm considering are:

  • the public firewall would do SSL offload, and then the DMZ server would reverse proxy the request to the internal WCF server - I'm assuming credentials would be retained and passed through with this method, and the internal service could appropriately make use of the Membership provider to authenticate the user.
  • Write a dumb WCF service to sit externally which will make use of custom username/password authentication. This will call an Authentication Service internal to the network with access to membership details. Once the credentials are validated the call will then basically be passed through to the internal service that implements the required functionality.

Are both of these options possible? Are there any major pros/cons with either of them? (obviously reverse proxy is a lot less code...)


Source: (StackOverflow)

Provide access to a development web server running on laptop connected via iOS Personal Hotspot

I'm developing a web service that needs to connect to another web service and register a web service endpoint that notifications can be sent to.

e.g. Server A sends a registration request to Server B, containing the URL on which notifications will be sent (HTTP PUT).

If Server A (the development server) was on a public IP, all would be well, but at the moment its on my development laptop which is connected to the internet via a Wifi router which connects to Personal Hotspot on my iPhone. This is actually the most useful internet connection I have available most of the time. Neither the router nor Personal Hotspot (AFAIK) allow port forwarding or DMZ.

For development purposes I would like the notifications to come through to the service under development on my laptop. I can specify a static IP address when registering with the third-party web service, and a specific port number if needed.

My only thought was to use a VPN connection from the laptop to the internet, therefore masking the existence of the inbound route.

The VPN would therefore need to allow inbound packets through to the server. I've looked at the VPN service by VPNUK.info who I currently use, and they have both a dynamic IP and static IP version of their product, and the static version seems to suggest that inbound is possible.

Can anyone suggest how or if this would work? Any specific setup instructions? I presume once the VPN is established, and requests to the VPN Static IP address will be handled by the server on the development laptop (which is the device starting the VPN connection).

The development laptop is a Macbook running OS X Yosemite. The web server is built using Node.js and Express.


Source: (StackOverflow)

How to query a CRM 2011 Filtered View from a site on our DMZ?

We have a public facing website that is querying our CRM 2011 database using the Filtered Views to display some information to our customers. We accomplished this by Impersonating a CRM/domain user we created for this purpose. We are moving the website from a server on our domain to a server in our DMZ that is not on our domain.

The problem is that now we cannot authenticate the CRM user from the server on the DMZ.

Is there some way around this?


Source: (StackOverflow)

ISAPI Filter LDAP Authentication Error on DMZ Server

I am writing an ISAPI filter for a web server that we have running in a DMZ. This ISAPI filter needs to connect to our internal domain controllers to authenticate against Active Directory. There is a rule in the firewall to allow traffic from the DMZ server to our domain controller on port 636 and the firewall shows that the traffic is passing through just fine. The problem lies in the ldap_connect() function. I am getting an error 0x51 Server Down when attempting to establish the connection. We use the domain controllers IP address instead of the DNS name since the web server's outside the domain.

ISAPI LDAP connection code:

// Set search criteria
strcpy(search, "(sAMAccountName=");
strcat(search, username);
strcat(search, ")");

// Set timeout
time.tv_sec = 30;
time.tv_usec = 30;

// Setup user authentication
AuthId.User = (unsigned char *) username;
AuthId.UserLength = strlen(username);
AuthId.Password = (unsigned char *) password;
AuthId.PasswordLength = strlen(password);
AuthId.Domain = (unsigned char *) domain;
AuthId.DomainLength = strlen(domain);
AuthId.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;

// Initialize LDAP connection
ldap = ldap_sslinit(servers, LDAP_SSL_PORT, 1);

if (ldap != NULL)
{
    // Set LDAP options
    ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, (void *) &version);
    ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);

    // Make the connection
    //
    // FAILS HERE!
    //
    ldap_response = ldap_connect(ldap, &time);

    if (ldap_response == LDAP_SUCCESS)
    {
        // Bind to LDAP connection
        ldap_response = ldap_bind_s(ldap, (PCHAR) AuthId.User, (PCHAR) &AuthId, LDAP_AUTH_NTLM);
    }
}

// Unbind LDAP connection if LDAP is established
if (ldap != NULL)
    ldap_unbind(ldap);

// Return string
return valid_user;

servers = <DC IP Address>

I have tested this code on my local machine that is within the same domain as AD, and it works, both LDAP and LDAP over SSL. We have a server certificate installed on our domain controller from the Active Directory Enrollment Policy but I read elsewhere that I might need to install a client certificate as well (for our web server). Is this true?

Also, we have a separate wordpress site running on the same DMZ web server that connects to LDAP over SSL just fine. It uses OpenLDAP through PHP to connect and uses the IP address of our domain controllers to connect. We have an ldap.conf file that with a line of code: TLS_REQCERT never. Is there a way to mimic this effect in Visual C with what I'm trying to do for the ISAPI filter? Hoping this is a programming issue more than a certificate issue. If this is out of the realm of programming, please let me know or redirect me to a better place to post this.

Thanks!


Source: (StackOverflow)

Is there any difference to access SQL Server and SQL Server instance from an Application server that is in DMZ

I am new to workflow stake and don't have good knowledge in networking. Can someone please tell me if I have an application server in DMZ which connects to SQL server instance which is not in DMZ, Is there any difference if i connect to SQL server or SQL Server instance. I am able to make connection to the SQL Server but once i try to try the instance it won't find the instance. I.e. Can connect to sqlservername but not to sqlservername\instanename the error i am getting is the SQL Server instance can't be found. the instance is setup to allow remote connection. Hope my question make sense. Regards


Source: (StackOverflow)

How to use a jumphost/jump server in a script

I need to write a script to be able to run cmds on our test servers in our secure, off-site lab. The problem is these test servers are behind a jump server/jump host. Manually, I either type:

bash$ ssh -A jumphost
jumphost$ ssh server1

or I edited my personal .ssh/config file to use the jump host

ForwardAgent yes
Host server1
ProxyCommand ssh -q jumphost nc <ip of server1> 22

to access them. How do I do this inside my script so that ssh doesn't stop/terminate at ssh -A jumphost?

I tried to run

ssh jumphost nc <ip of server1> 22 "ls /tmp"

or

ssh jumphost nc <ip of server1> 22

or

ssh -A jumphost nc <ip> 22

but it complains of a protocol mismatch. I don't control the jump host so I can't just leave scripts/programs at a common place for people to use. I also don't think IT will make a jump host for us to use exclusively.

Is there a way for me to run scripts thru a jump host? Thanks in advance for your help. If there isn't a way, I'll just tell IT they need to allow me to copy my scripts to the jump host b/c the experts on stackoverflow said it needed to be done =)


Source: (StackOverflow)

ASP web reference intermittently throwing 'an existing connection was forcibly closed by the remote host' exception

I have a ASP.NET (VB.NET) web application (targeting .NET 4 Framework) which throws an exception intermittently when trying to invoke a web method via web reference. The web reference is the old school ASP.NET web services with the .asmx file extension.

The main web application and the web service are both on IIS 7.5 / Windows 2008 SP1. In IIS both apps are on the same website but in different application pools.

The exception states "An existing connection was forcibly closed by the remote host". This error is strange because it doesn't throw the exception the first several times when the web method is called. But when the error is thrown, it will then continue to be thrown on every following instance. Restarting the app pool in IIS fixes the error.

The data being transmitted is minimal so I don't think it is related the size of the data.

Recently we installed an F5 device that acts as a reverse proxy. The web service is now running behind this device. We did this in order to move the application to a DMZ (Demilitarized Zone). This could be the cause to this issue but if it is I am unsure how to properly configure it.

Here is my code:

_webService = New BWebService.BWebService()
_webService.Url = EnvironmentSettingsLocator.Settings.BWebServiceWsdl
If Not _webService.IsExistingUser(userId) Then 
' Do Something
end if

Here is the exception:

The underlying connection was closed: An unexpected error occurred on a receive.

    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Apex3Web.BIRVWebService.BIRVWebService.IsExistingUser(Int32 userCode) in C:\Users\Ryan.DeFour.ctr\Documents\Work\TFS Source Code 2010\APEX4CMMI\APEXDevelopment\Apex3Web\Apex3Web\Web References\BIRVWebService\Reference.vb:line 501
   at Apex3Web.ManageExaminee.GridViewExaminees_RowDataBound(Object sender, GridViewRowEventArgs e) in C:\Users\Ryan.DeFour.ctr\Documents\Work\TFS Source Code 2010\APEX4CMMI\APEXDevelopment\Apex3Web\Apex3Web\Forms\Examiner\ManageExaminee.aspx.vb:line 651
   at System.Web.UI.WebControls.GridView.OnRowDataBound(GridViewRowEventArgs e)
   at System.Web.UI.WebControls.GridView.CreateRow(Int32 rowIndex, Int32 dataSourceIndex, DataControlRowType rowType, DataControlRowState rowState, Boolean dataBind, Object dataItem, DataControlField[] fields, TableRowCollection rows, PagedDataSource pagedDataSource)
   at System.Web.UI.WebControls.GridView.CreateChildControls(IEnumerable dataSource, Boolean dataBinding)
   at System.Web.UI.WebControls.CompositeDataBoundControl.PerformDataBinding(IEnumerable data)
   at System.Web.UI.WebControls.GridView.PerformDataBinding(IEnumerable data)
   at System.Web.UI.WebControls.DataBoundControl.OnDataSourceViewSelectCallback(IEnumerable data)
   at System.Web.UI.DataSourceView.Select(DataSourceSelectArguments arguments, DataSourceViewSelectCallback callback)
   at System.Web.UI.WebControls.DataBoundControl.PerformSelect()
   at System.Web.UI.WebControls.BaseDataBoundControl.DataBind()
   at System.Web.UI.WebControls.GridView.DataBind()
   at Apex3Web.ManageExaminee.FindCommand_Click(Object sender, EventArgs e) in C:\Users\Ryan.DeFour.ctr\Documents\Work\TFS Source Code 2010\APEX4CMMI\APEXDevelopment\Apex3Web\Apex3Web\Forms\Examiner\ManageExaminee.aspx.vb:line 539
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

    at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)

An existing connection was forcibly closed by the remote host

at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

Source: (StackOverflow)

Connection issue with Database

Hi I am running a program to connect to database sql server 2000 from dmz zone ... but am unable to connect

I am getting below error

java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC]The requested instance is either invalid or not running.

The ports are open from the dmz zone as teted from telnet command .. and the code works fine locally but nott from dmz server ... what could be the issue.


Source: (StackOverflow)

How to export files from a dmz servers

I want to export files (using NFS) from dmz servers. Output of showmount command is fine on the same server. But it gives an error on other server connected in the network.

error is "

clnt_create: RPC: Unknown Host

" NOTE: I can do ssh connection to dmz server.


Source: (StackOverflow)