Xerithane's Journal: Code: DMZ.. what's that?
So, I'm on a new project now. After the surreal ass mangler that was my last one, this one could have been clamping my nuts in a vice while sticking lemons in my eyes and I would have been happy. Turns out, my new project is actually fun. This is one of those moments where I really love my job. I get to write some really cool shit, but only sometimes. The rest of the time I'm coding an application where the tedium is only matched by listening to an Al Gore speech.
At my work we have two networks, as most companies do. The DMZ, and the internal network. The DMZ is publicly accessible and has fun IP addresses that the world can see. The internal network has those secret IP addresses that start with the notorious 10.1 octets. Somehow, somewhere, some people got together and decided that data from a 10.1 box needs to go to a DMZ box. For whatever reasons, this is necessary. This presents a whole slew of issues because the DMZ boxes cannot, under any circumstances, talk to the internal boxes. Even if it says please.
After a slew of design meetings including such gems as mirroring the entire fucking database in the DMZ, I come up with the idea of a web-request relay system. The only thing in the DMZ is the web front end. So, let's throw that in the internal segment, have a service in the internal segment connect to the DMZ and process requests coming in. With encryption, it's pretty secure and satisfies the existing security policies. Yay for me. I'm all elite and guru. Yeah.
So, I start working on this architecture, and get a working Perl prototype down. Now, it's time for the production version. C or C++, my choice. Initially my thoughts go along the routes of multi-threaded incoming connections on ports 80 and 443 (SSL) that push data into a scheduled queue and get the results back and send them to the requesting client. This is fine, and I start digging through all of it. I then remember my fondness for the Qt socket classes, and curiosity allows me to find the QServerSocket class. I'm initially thinking it's going to suck... Good thing I was wrong. Sending static data to a web browser gives you shit like this:
Requests per second: 1082.13 [#/sec] (mean)
Time per request: 92.41 [ms] (mean)
Time per request: 0.92 [ms] (mean, across all concurrent requests)
Transfer rate: 97.39 [Kbytes/sec] received
Yeah, Qt, you can have my fucking children.
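The relay described in the journal entry, as an added example; this is not Xerithane's code (the real thing was Perl, then C++/Qt) and it stands in for the network with in-process calls: the DMZ front end queues each browser request, the internal worker, which opened the connection outward, pulls jobs and pushes results back. The JSON job framing, the `/customer` handler, the `INTERNAL_DB` rows and the `HANDLERS` allowlist are all assumptions made up for the illustration.

```python
import json
import queue
import threading
import uuid

# Constructed stand-in for the internal database the DMZ must never reach.
INTERNAL_DB = {"1001": {"name": "Alice", "balance": 42}}


class DmzFrontEnd:
    """DMZ side. Never connects inward: it parks each client request until an
    internal worker, which dialled OUT to the DMZ, pulls it and pushes a result."""

    def __init__(self, pull_timeout=0.2):
        self.pending = queue.Queue()   # JSON jobs waiting for a worker
        self.waiting = {}              # job id -> Event the client thread blocks on
        self.results = {}              # job id -> (status, body)
        self.pull_timeout = pull_timeout
        self.lock = threading.Lock()

    def handle_client_request(self, path, params, timeout=5.0):
        """One browser request in, (status, body) out."""
        job_id = uuid.uuid4().hex
        evt = threading.Event()
        with self.lock:
            self.waiting[job_id] = evt
        self.pending.put(json.dumps({"id": job_id, "path": path, "params": params}))
        if not evt.wait(timeout):
            with self.lock:                      # nobody inside picked it up in time
                self.waiting.pop(job_id, None)
                self.results.pop(job_id, None)
            return 504, {"error": "no internal worker answered"}
        with self.lock:
            return self.results.pop(job_id)

    def pull_job(self):
        """Served on the worker's outbound connection (TLS in a real deployment)."""
        try:
            return self.pending.get(timeout=self.pull_timeout)
        except queue.Empty:
            return None

    def push_result(self, job_id, status, body):
        with self.lock:
            evt = self.waiting.pop(job_id, None)
            if evt is None:
                return False                     # unknown or expired id: drop it
            self.results[job_id] = (status, body)
        evt.set()
        return True


def lookup_customer(params):
    cid = params.get("id")
    if not isinstance(cid, str) or not cid.isdigit():   # validate shape, not just presence
        return 400, {"error": "bad id"}
    row = INTERNAL_DB.get(cid)
    return (200, row) if row else (404, {"error": "no such customer"})


HANDLERS = {"/customer": lookup_customer}    # explicit allowlist of relayed operations


class InternalWorker:
    """10.x side. Everything pulled from the DMZ is untrusted input: a
    compromised DMZ host can queue anything, so dispatch only via HANDLERS."""

    def __init__(self, frontend):
        self.frontend = frontend

    def process(self, raw):
        """Parse one job; returns (job_id, status, body), job_id None if unanswerable."""
        try:
            job = json.loads(raw)
            job_id, path, params = job["id"], job["path"], job.get("params", {})
        except (ValueError, KeyError, TypeError):
            return None, 400, {"error": "malformed job"}
        if not isinstance(job_id, str) or not isinstance(params, dict):
            return None, 400, {"error": "malformed job"}
        handler = HANDLERS.get(path)
        if handler is None:
            return job_id, 404, {"error": "unknown path"}
        status, body = handler(params)
        return job_id, status, body

    def serve(self, stop):
        while not stop.is_set():
            raw = self.frontend.pull_job()
            if raw is not None:
                job_id, status, body = self.process(raw)
                if job_id is not None:
                    self.frontend.push_result(job_id, status, body)


def relay_demo():
    """Run one worker thread against one front end and relay three requests."""
    fe = DmzFrontEnd()
    stop = threading.Event()
    t = threading.Thread(target=InternalWorker(fe).serve, args=(stop,), daemon=True)
    t.start()
    try:
        ok = fe.handle_client_request("/customer", {"id": "1001"})
        bad = fe.handle_client_request("/customer", {"id": "1001 OR 1=1"})
        denied = fe.handle_client_request("/admin/dump", {})
    finally:
        stop.set()
        t.join()
    return ok, bad, denied


if __name__ == "__main__":
    print(relay_demo())
```

The pull model is what satisfies the "DMZ never initiates inward" rule: the only socket crossing the boundary is the one the worker opened from the 10.x side, and in production that session should be TLS with the worker verifying the DMZ end's certificate (mutual authentication if the firewall policy allows it). The caveat a reviewer would raise is that the DMZ box still decides what lands in the queue, so the worker treats every job as hostile input: it dispatches only through the allowlist and validates each field before touching the internal database, and the front end answers 504 rather than hanging if no worker pulls the job within the timeout.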
Go, Qt! (Score:1)
I wonder (Score:2)
If StreamModule [omnifarious.org] had SSL, whether that would be a good choice.
Re: (Score:2)
Security (Score:2)
Re:Security (Score:2)
Internal boxes can connect to boxes in the DMZ. DMZ boxes can't connect inside, though. We just have our mail server on a partition in the DMZ that only allows incoming connections from the internal->DMZ portal.
If set up correctly, this can work very well, although it tends to be a bit more complicated than your example. Also be aware this was an internet security appliance company, so we did have a bit more in-house expertise than normal and the cost of firewall hardware
Multi-DMZs (Score:2)
Public DMZ - Web Servers, SMTP gateway, DNS.
Public DMZ rules - All ports closed in and out. Ports opened on request. Inbound ports only allowed to talk to boxes on the Semi-trusted DMZ. (Of course there are some exceptions due to the reality of IT.)
Semi-Trusted DMZ - Application Servers, etc.
Semi-Trusted DMZ rules - All ports to Public DMZ closed. Only opened on request. Most ports from private network closed. Currently, things like Telnet, X-Windows, FTP are open (sho